[squid-users] SSL Virtual Hosting Problem
Mario Theodoridis
mario.theodoridis at regify.com
Mon Dec 4 10:17:16 UTC 2023
On 01/12/23 21:34, Amos Jeffries wrote:
> On 1/12/23 04:55, Mario Theodoridis wrote:
>> I do have one more problem at this point.
>>
>> Using openssl I can work with what I have below, but I cannot add a
>> 2nd certificate
>>
>> https_port 0.0.0.0:443 accel defaultsite=regify.com \
>> tls-cert=/etc/ssl/certs/regify.com.pem \
>> tls-cert=/etc/ssl/certs/foo.com.pem
>>
>> gives me
>>
>> ERROR: OpenSSL does not support multiple server certificates.
>> Ignoring addional cert= parameters.
>>
>>
>> If I instead use gnutls, I get dinged for using ssl::server
>>
>> FATAL: Bungled /etc/squid/squid.conf line 29: acl stest1
>> ssl::server_name test1.regify.com
>>
>> Is there a way to get the SNI host with gnutls?
>
> There is, but we have not yet implemented it.
>
> If the HTTPS URL domain is acceptable you can use the dstdomain ACL
> type instead as a workaround.
It would be acceptable to me, but I was under the impression that this
did not work with TLS.
So with the gnutls variant and the following config:
debug_options ALL,2
pinger_enable off
shutdown_lifetime 1 second
acl TLS_ports port 443
acl Safe_ports port 443
https_port 0.0.0.0:443 accel defaultsite=regify.com \
tls-cert=/etc/ssl/certs/regify.com.pem \
tls-cert=/etc/ssl/certs/foo.com.pem
http_access deny !Safe_ports
http_access deny manager
acl stest dstdomain -n test.regify.com
http_access allow stest
cache_peer test.regify.com parent 443 0 tls \
proxy-only originserver no-digest no-netdb-exchange name=ttest
cache_peer_access ttest allow TLS_ports stest
cache_peer_access ttest deny all
acl sfoo dstdomain -n www.foo.com
http_access allow sfoo
cache_peer www.foo.com parent 443 0 tls \
proxy-only originserver no-digest no-netdb-exchange name=tfoo
cache_peer_access tfoo allow TLS_ports sfoo
cache_peer_access tfoo deny all
http_access deny all
curl https://test.regify.com/ gives me certificate errors and
2023/12/04 10:58:22.053 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New
connection on FD 12
2023/12/04 10:58:22.053 kid1| 5,2| TcpAcceptor.cc(312) acceptNext:
connection on local=0.0.0.0:443 remote=[::] FD 12 flags=9
2023/12/04 10:58:22.054 kid1| 17,2| QosConfig.cc(125)
getNfmarkFromConnection: QOS: Failed to retrieve connection mark: (-1)
(1) Operation not permitted (Destination 192.168.1.123:443, source
192.168.1.124:41380)
2023/12/04 10:58:22.075 kid1| 83,2| client_side.cc(2680)
clientNegotiateSSL: TLS session reuse not yet implemented.
2023/12/04 10:58:22.075 kid1| 83,2| client_side.cc(2701)
clientNegotiateSSL: Client certificate requesting not yet implemented.
2023/12/04 10:58:22.075 kid1| 11,2| client_side.cc(1306)
parseHttpRequest: HTTP Client local=192.168.1.123:443
remote=192.168.1.124:41380 FD 11 flags=1
2023/12/04 10:58:22.075 kid1| 11,2| client_side.cc(1307)
parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: test.regify.com
User-Agent: curl/7.74.0
Accept: */*
----------
2023/12/04 10:58:22.076 kid1| 85,2| client_side_request.cc(751)
clientAccessCheckDone: The request GET https://test.regify.com/ is
ALLOWED; last ACL checked: stest
2023/12/04 10:58:22.076 kid1| 85,2| client_side_request.cc(729)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2023/12/04 10:58:22.076 kid1| 85,2| client_side_request.cc(751)
clientAccessCheckDone: The request GET https://test.regify.com/ is
ALLOWED; last ACL checked: stest
2023/12/04 10:58:22.076 kid1| 17,2| FwdState.cc(142) FwdState:
Forwarding client request local=192.168.1.123:443
remote=192.168.1.124:41380 FD 11 flags=1, url=https://test.regify.com/
2023/12/04 10:58:22.076 kid1| 44,2| peer_select.cc(295)
peerSelectDnsPaths: Find IP destination for: https://test.regify.com/'
via test.regify.com
2023/12/04 10:58:22.076 kid1| 44,2| peer_select.cc(316)
peerSelectDnsPaths: Found sources for 'https://test.regify.com/'
2023/12/04 10:58:22.076 kid1| 44,2| peer_select.cc(317)
peerSelectDnsPaths: always_direct = DENIED
2023/12/04 10:58:22.076 kid1| 44,2| peer_select.cc(318)
peerSelectDnsPaths: never_direct = DENIED
2023/12/04 10:58:22.076 kid1| 44,2| peer_select.cc(328)
peerSelectDnsPaths: cache_peer = local=0.0.0.0 remote=2.4.6.8:443
flags=1
2023/12/04 10:58:22.076 kid1| 44,2| peer_select.cc(331)
peerSelectDnsPaths: timedout = 0
2023/12/04 10:58:22.088 kid1| 83,2| PeerConnector.cc(205) negotiate:
handshake IN: Unknown Handshake packet
2023/12/04 10:58:22.088 kid1| 83,2| PeerConnector.cc(207) negotiate:
handshake OUT: CLIENT HELLO
2023/12/04 10:58:22.102 kid1| 83,2| PeerConnector.cc(198) negotiate:
local=192.168.1.123:42772 remote=2.4.6.8:443 FD 13 flags=1 TLS Session
info: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
2023/12/04 10:58:22.102 kid1| 11,2| http.cc(2266) sendRequest: HTTP
Server local=192.168.1.123:42772 remote=2.4.6.8:443 FD 13 flags=1
2023/12/04 10:58:22.102 kid1| 11,2| http.cc(2267) sendRequest: HTTP
Server REQUEST:
---------
GET / HTTP/1.1
User-Agent: curl/7.74.0
Accept: */*
Host: test.regify.com
Via: 1.1 bulls.de.regify.com (squid/4.13)
Surrogate-Capability: bulls.de.regify.com="Surrogate/1.0 ESI/1.0"
X-Forwarded-For: 192.168.1.124
Cache-Control: max-age=259200
Connection: keep-alive
----------
2023/12/04 10:58:22.114 kid1| 11,2| http.cc(1212) readReply:
local=192.168.1.123:42772 remote=2.4.6.8:443 FD 13 flags=1: read
failure: (0) No error.
2023/12/04 10:58:22.114 kid1| 17,2| FwdState.cc(681)
handleUnregisteredServerEnd: self=0x55ef6a88f4b8*2 err=0x55ef6a89bcf8
https://test.regify.com/
2023/12/04 10:58:22.114 kid1| 4,2| errorpage.cc(1259) BuildContent: No
existing error page language negotiated for ERR_READ_ERROR. Using
default error file.
2023/12/04 10:58:22.114 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/12/04 10:58:22.114 kid1| 88,2| client_side_reply.cc(2062)
processReplyAccessResult: The reply for GET https://test.regify.com/ is
ALLOWED, because it matched all
2023/12/04 10:58:22.114 kid1| 11,2| Stream.cc(271) sendStartOfMessage:
HTTP Client local=192.168.1.123:443 remote=192.168.1.124:41380 FD 11 flags=1
2023/12/04 10:58:22.114 kid1| 11,2| Stream.cc(272) sendStartOfMessage:
HTTP Client REPLY:
---------
HTTP/1.1 502 Bad Gateway
Server: squid/4.13
Mime-Version: 1.0
Date: Mon, 04 Dec 2023 09:58:22 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3510
X-Squid-Error: ERR_READ_ERROR 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from bulls.de.regify.com
X-Cache-Lookup: MISS from bulls.de.regify.com:443
Via: 1.1 bulls.de.regify.com (squid/4.13)
Connection: keep-alive
----------
2023/12/04 10:58:22.114 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/12/04 10:58:22.115 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/12/04 10:58:22.116 kid1| 33,2| client_side.cc(586) swanSong:
local=192.168.1.123:443 remote=192.168.1.124:41380 flags=1
And curl https://www.foo.com also yields certificate errors and
2023/12/04 11:00:05.110 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New
connection on FD 12
2023/12/04 11:00:05.110 kid1| 5,2| TcpAcceptor.cc(312) acceptNext:
connection on local=0.0.0.0:443 remote=[::] FD 12 flags=9
2023/12/04 11:00:05.111 kid1| 17,2| QosConfig.cc(125)
getNfmarkFromConnection: QOS: Failed to retrieve connection mark: (-1)
(1) Operation not permitted (Destination 192.168.1.123:443, source
192.168.1.124:37526)
2023/12/04 11:00:05.133 kid1| 83,2| client_side.cc(2680)
clientNegotiateSSL: TLS session reuse not yet implemented.
2023/12/04 11:00:05.133 kid1| 83,2| client_side.cc(2701)
clientNegotiateSSL: Client certificate requesting not yet implemented.
2023/12/04 11:00:05.133 kid1| 11,2| client_side.cc(1306)
parseHttpRequest: HTTP Client local=192.168.1.123:443
remote=192.168.1.124:37526 FD 11 flags=1
2023/12/04 11:00:05.133 kid1| 11,2| client_side.cc(1307)
parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: www.foo.com
User-Agent: curl/7.74.0
Accept: */*
----------
2023/12/04 11:00:05.134 kid1| 85,2| client_side_request.cc(751)
clientAccessCheckDone: The request GET https://www.foo.com/ is ALLOWED;
last ACL checked: sfoo
2023/12/04 11:00:05.134 kid1| 85,2| client_side_request.cc(729)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2023/12/04 11:00:05.134 kid1| 85,2| client_side_request.cc(751)
clientAccessCheckDone: The request GET https://www.foo.com/ is ALLOWED;
last ACL checked: sfoo
2023/12/04 11:00:05.134 kid1| 17,2| FwdState.cc(142) FwdState:
Forwarding client request local=192.168.1.123:443
remote=192.168.1.124:37526 FD 11 flags=1, url=https://www.foo.com/
2023/12/04 11:00:05.134 kid1| 44,2| peer_select.cc(295)
peerSelectDnsPaths: Find IP destination for: https://www.foo.com/' via
www.foo.com
2023/12/04 11:00:05.134 kid1| 44,2| peer_select.cc(316)
peerSelectDnsPaths: Found sources for 'https://www.foo.com/'
2023/12/04 11:00:05.134 kid1| 44,2| peer_select.cc(317)
peerSelectDnsPaths: always_direct = DENIED
2023/12/04 11:00:05.134 kid1| 44,2| peer_select.cc(318)
peerSelectDnsPaths: never_direct = DENIED
2023/12/04 11:00:05.134 kid1| 44,2| peer_select.cc(328)
peerSelectDnsPaths: cache_peer = local=0.0.0.0 remote=1.2.3.4:443
flags=1
2023/12/04 11:00:05.134 kid1| 44,2| peer_select.cc(331)
peerSelectDnsPaths: timedout = 0
2023/12/04 11:00:05.146 kid1| 83,2| PeerConnector.cc(205) negotiate:
handshake IN: Unknown Handshake packet
2023/12/04 11:00:05.146 kid1| 83,2| PeerConnector.cc(207) negotiate:
handshake OUT: CLIENT HELLO
2023/12/04 11:00:05.161 kid1| 83,2| PeerConnector.cc(205) negotiate:
handshake IN: SERVER HELLO DONE
2023/12/04 11:00:05.161 kid1| 83,2| PeerConnector.cc(207) negotiate:
handshake OUT: FINISHED
2023/12/04 11:00:05.172 kid1| 83,2| PeerConnector.cc(198) negotiate:
local=192.168.1.123:47236 remote=1.2.3.4:443 FD 13 flags=1 TLS Session
info: (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
2023/12/04 11:00:05.173 kid1| 11,2| http.cc(2266) sendRequest: HTTP
Server local=192.168.1.123:47236 remote=1.2.3.4:443 FD 13 flags=1
2023/12/04 11:00:05.173 kid1| 11,2| http.cc(2267) sendRequest: HTTP
Server REQUEST:
---------
GET / HTTP/1.1
User-Agent: curl/7.74.0
Accept: */*
Host: www.foo.com
Via: 1.1 bulls.de.regify.com (squid/4.13)
Surrogate-Capability: bulls.de.regify.com="Surrogate/1.0 ESI/1.0"
X-Forwarded-For: 192.168.1.124
Cache-Control: max-age=259200
Connection: keep-alive
----------
2023/12/04 11:00:05.185 kid1| ctx: enter level 0: 'https://www.foo.com/'
2023/12/04 11:00:05.185 kid1| 11,2| http.cc(719) processReplyHeader:
HTTP Server local=192.168.1.123:47236 remote=1.2.3.4:443 FD 13 flags=1
2023/12/04 11:00:05.185 kid1| 11,2| http.cc(720) processReplyHeader:
HTTP Server RESPONSE:
---------
HTTP/1.1 302 Found
Date: Mon, 04 Dec 2023 10:00:05 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline' 'unsafe-eval'; connect-src 'self' 'unsafe-inline';
img-src https: data: 'unsafe-inline'; frame-src 'self'; style-src 'self'
'unsafe-inline';
Location: https://www.foo.com/foo.php?mode=direct
Content-Length: 233
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------
2023/12/04 11:00:05.185 kid1| ctx: exit level 0
2023/12/04 11:00:05.185 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/12/04 11:00:05.185 kid1| 88,2| client_side_reply.cc(2062)
processReplyAccessResult: The reply for GET https://www.foo.com/ is
ALLOWED, because it matched sfoo
2023/12/04 11:00:05.185 kid1| 11,2| Stream.cc(271) sendStartOfMessage:
HTTP Client local=192.168.1.123:443 remote=192.168.1.124:37526 FD 11 flags=1
2023/12/04 11:00:05.185 kid1| 11,2| Stream.cc(272) sendStartOfMessage:
HTTP Client REPLY:
---------
HTTP/1.1 302 Found
Date: Mon, 04 Dec 2023 10:00:05 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline' 'unsafe-eval'; connect-src 'self' 'unsafe-inline';
img-src https: data: 'unsafe-inline'; frame-src 'self'; style-src 'self'
'unsafe-inline';
Location: https://www.foo.com/foo.php?mode=direct
Content-Length: 233
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from bulls.de.regify.com
X-Cache-Lookup: MISS from bulls.de.regify.com:443
Via: 1.1 bulls.de.regify.com (squid/4.13)
Connection: keep-alive
----------
2023/12/04 11:00:05.185 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/12/04 11:00:05.185 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/12/04 11:00:05.185 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/12/04 11:00:05.185 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/12/04 11:00:05.186 kid1| 33,2| client_side.cc(586) swanSong:
local=192.168.1.123:443 remote=192.168.1.124:37526 flags=1
So I'm a bit confused.
Is there a way to make https virtual hosting with multiple certificates
to different back ends possible at all ATM?
Mit Freundlichen Grüßen / Kind regards
Mario Theodoridis
regify GmbH
Römerstrasse 39 | D-78183 Hüfingen-Behla
Amtsgericht Freiburg HRB 709343
Telefon: +49 771 8978 4238
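A check worth running before going further with this thread: connect to the https_port once per virtual host with the matching SNI name and look at which certificate actually comes back. That tells you whether the "certificate errors" curl reports are a name mismatch (the proxy handed out the wrong one of the two tls-cert files, or the same one regardless of SNI) or an untrusted chain, which are different problems. The script below is an added example, not code from this post or from the Squid project; the address 192.168.1.123 and the SNI names are taken from the log lines above and are only assumed to be what you would type.

```python
"""Probe which server certificate a TLS endpoint presents for a given SNI name.

Added example for diagnosing the curl certificate errors discussed above;
it is not code from the squid-users post or from the Squid project.
Assumed usage (address taken from the log lines in the post):

    python3 sni_probe.py test.regify.com 192.168.1.123
    python3 sni_probe.py www.foo.com 192.168.1.123
"""
import socket
import ssl
import sys


def hostname_matches(hostname, dns_names):
    """RFC 6125-style check of `hostname` against dNSName SAN entries.

    A wildcard is honoured only as the whole leftmost label and only
    matches exactly one label, which is how curl and browsers behave.
    """
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            labels = host.split(".")
            # The suffix must keep at least two labels so that "*.com"
            # never matches, and the host must have a label for the "*".
            if len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]:
                return True
    return False


def san_dns_names(cert):
    """Return the dNSName entries from a getpeercert() dictionary."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def probe(sni, address, port=443, timeout=10.0):
    """Handshake with SNI `sni` and report what the server presented.

    Hostname checking is disabled so the certificate can be inspected even
    when it is the wrong one for this name; chain verification stays on,
    so an untrusted (e.g. self-signed) chain is reported separately from a
    name mismatch. Returns a dict and never raises for TLS failures.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    result = {"sni": sni, "chain_trusted": False, "dns_names": [],
              "name_matches": False, "error": None}
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"chain not trusted: {exc.verify_message}"
        return result
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"handshake failed: {exc}"
        return result
    result["chain_trusted"] = True
    result["dns_names"] = san_dns_names(cert)
    result["name_matches"] = hostname_matches(sni, result["dns_names"])
    return result


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: sni_probe.py <sni-name> <address> [port]")
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    r = probe(sys.argv[1], sys.argv[2], port)
    if r["error"]:
        print(f"{r['sni']}: {r['error']}")
    else:
        verdict = "OK" if r["name_matches"] else "MISMATCH"
        print(f"{r['sni']}: {verdict}; cert SANs = {r['dns_names']}")
```

Run it once for each name the https_port is supposed to serve. If both runs report the same SANs, the listener is presenting one certificate regardless of SNI and the second tls-cert is not being selected; if the output is "chain not trusted", the complaint is about the CA, not about which certificate was chosen. The same information can be had with `openssl s_client -connect 192.168.1.123:443 -servername test.regify.com`, but the script makes the name-match decision explicit instead of leaving it to be read out of the verify return code.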