[squid-users] forward/reverse proxying with TLS.
Tony Albers
tony.albers at gmx.com
Wed Apr 12 11:48:35 UTC 2023
Hiya,
I'm quite new to squid, so please bear with me.
OS is Debian Bullseye.
What I want to do is "hide" an application behind squid, so that the
application receives http traffic, and sends http traffic. This traffic
then goes through squid in both directions, so that squid receives https
on the external IP and forwards it to the application which is listening
on the loopback interface, and squid receives outgoing traffic from the
application on the loopback interface and then sends it out over the
external IP with https.
Kinda like so:
Incoming: exthost1(HTTPS)->thishostname:443-> squid
->127.0.0.1(HTTP)->127.0.0.1:1080
Outgoing: 127.0.0.1(HTTP)->127.0.0.1:8080-> squid
->exthost2:443(HTTPS)
I have the application running in a container on the host.
On the same host I also have squid installed.
The application listens on 127.0.0.1:1080 on HOST
Squid is set up as a reverse proxy, listening to https on the external
if on HOST:443 and forwards everything as http to 127.0.0.1:1080
(this works fine)
When the application then transmits something via http, it uses
localhost:8080 as proxy, where squid picks it up and then forwards it as
https.
(this doesn't work)
At least that#s what I want it to do..
However, when I use squid as outgoing proxy, the server in the other
end(88.24.12.40) says that squid doesn't present a client certificate
and drops the connection.
But I got the impression that tls_outgoing_options is for exactly that..
Have I misunderstood something?
My squid config looks like this:
# prefer DNS over IPv4
dns_v4_first on
# define hosts/networks that we use
acl exthost src 88.24.12.60/32
acl inthosts src 172.27.2.0/24
acl internal src 127.0.0.1/32
# access lists
http_access allow exthost
http_access allow inthosts
http_access allow internal
# reverse SSL proxy converting to noSSL
https_port 172.27.2.118:443 accel
tls-cert=/etc/squid/certs/thishostname.crt
tls-key=/etc/squid/keys/thishostname-privkey.pem
defaultsite=thishostname
cache_peer 127.0.0.1 parent 1080 0 no-query proxy-only originserver
name=thishostname
# forward proxy converting to SSL
http_port 127.0.0.1:8080
acl extnet dstdomain -n .somedomain.dk
acl extip dstdomain 88.24.12.40
acl intip dstdomain -n .someotherdomain.dk
url_rewrite_program /etc/squid/urlrewrite.py
tls_outgoing_options cert=/etc/squid/certs/thishostname.crt
tls_outgoing_options key=/etc/squid/keys/thishostname-privkey.pem
tls_outgoing_options cafile=/etc/squid/certs/thishostnameCA.pem
tls_outgoing_options capath=/etc/ssl/certs
tls_outgoing_options domain=somedomain.dk
never_direct deny extnet
never_direct deny extip
never_direct allow all
cache_peer_access thishostname allow exthosts
cache_peer_access thishostname allow inthosts
cache_peer_access thishostname allow internal
cache_peer_access thishostname deny all
# disable local caching
cache deny all
Thanks in advance,
Tony
More information about the squid-users
mailing list