[squid-users] SSL Virtual Hosting Problem
Mario Theodoridis
mario.theodoridis at regify.com
Thu Nov 30 15:55:18 UTC 2023
I do have one more problem at this point.
Using openssl I can work with what I have below, but I cannot add a 2nd
certificate
https_port 0.0.0.0:443 accel defaultsite=regify.com \
tls-cert=/etc/ssl/certs/regify.com.pem \
tls-cert=/etc/ssl/certs/foo.com.pem
gives me
ERROR: OpenSSL does not support multiple server certificates. Ignoring
addional cert= parameters.
If I instead use gnutls, I get dinged for using ssl::server
FATAL: Bungled /etc/squid/squid.conf line 29: acl stest1 ssl::server_name test1.regify.com
Is there a way to get the SNI host with gnutls?
http://www.squid-cache.org/Doc/config/acl/ did not answer that for me.
Alternatively, can I get openssl to cope with multiple certs somehow?
Mit Freundlichen Grüßen / Kind regards
Mario Theodoridis
regify GmbH
Römerstrasse 39 | D-78183 Hüfingen-Behla
Amtsgericht Freiburg HRB 709343
Telefon: +49 771 8978 4238
On 28/11/23 16:58, Mario Theodoridis wrote:
> Thank you Amos and Alex,
>
> This is a config I managed to get working for http and https
>
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
>
> # listeners
> https_port 0.0.0.0:443 accel defaultsite=regify.com \
> tls-cert=/etc/ssl/certs/regify.com.pem \
> tls-key=/etc/ssl/private/regify.com.key
> http_port 0.0.0.0:80 accel
>
> # incoming
> http_access deny !Safe_ports
> http_access deny manager
>
>
> # plain
> acl vplain dstdomain -n plain.regify.com
> http_access allow vplain
> cache_peer plain.de.regify.com parent 80 0 \
> proxy-only originserver no-digest no-netdb-exchange name=plain
> cache_peer_access plain allow vplain
> cache_peer_access plain deny all
>
> # test1
> acl stest1 ssl::server_name test1.regify.com
> http_access allow stest1
> cache_peer test1.de.regify.com parent 443 0 tls ssldomain=test1.regify.com \
> proxy-only originserver no-digest no-netdb-exchange name=test1
> cache_peer_access test1 allow stest1
> cache_peer_access test1 deny all
>
> # test2
> acl stest2 ssl::server_name test2.regify.com
> http_access allow stest2
> cache_peer test1.de.regify.com parent 443 0 tls ssldomain=test2.regify.com \
> proxy-only originserver no-digest no-netdb-exchange name=test2
> cache_peer_access test2 allow stest2
> cache_peer_access test2 deny all
>
> # fallback
> http_access deny all
>
>
>
> On 28/11/23 14:57, Amos Jeffries wrote:
>> On 28/11/23 23:29, Mario Theodoridis wrote:
>>> Hello everyone,
>>>
>>> I'm trying to use squid as a TLS virtual hosting proxy on a system
>>> with a public IP in front of several internal systems running TLS
>>> web servers.
>>>
>>> I would like to proxy the incoming connections to the appropriate
>>> backend servers based on the hostname using SNI.
>>>
>>> I'm using the following config to just try this with 1 backend to
>>> test with and fail already
>>>
>>> Here the config:
>>>
>>> http_port 3128
>>> debug_options ALL,2
>>> pinger_enable off
>>> shutdown_lifetime 1 second
>>> https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem
>>
>> That should be:
>>
>> https_port 443 accel defaultsite=example.com \
>> tls-cert=/etc/squid/example.com.pem
>>
>> The PEM file needs to be valid for all the domains served.
>>
>>
>>> acl tlspls ssl::server_name_regex -i test\.regify\.com
>>> cache_peer test.de.regify.com parent 443 0 proxy-only originserver \
>>> no-digest no-netdb-exchange name=test
>>
>> Missing "tls" option to enable TLS when talking to this peer.
>>
>>
>>> ssl_bump peek all
>>> ssl_bump splice all
>>> http_access allow all
>>> cache_peer_access test allow all
>>
>> I appreciate this is a test. But be sure to keep the default Squid
>> security rules ("deny !Safe_ports" etc) and only allow the hosted
>> domains instead of "all". These DoS and attack protections are
>> particularly important on a reverse-proxy where the general public
>> has access.
>>
>> FYI; "test what you will use" is important for proxies. One of the
>> "irrelevant" config details may kill your real-world production setup
>> where testing works fine without any security.
>>
>>
>>>
>>> ...
>>> I've been reading the squid docs and other internet resources, but
>>> am failing to figure out why this is not working.
>>>
>>> Any clue sticks would be appreciated.
>>>
>>> Also appreciated would be advice on where to find this documented.
>>>
>>
>> The Squid wiki ConfigExamples section has all the typical
>> configuration types and a few of the more uncommon ones as well.
>> The one you are needing is
>> <https://wiki.squid-cache.org/ConfigExamples/Reverse/HttpsVirtualHosting>
>>
>>
>> Cheers
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
>
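Added example (not code from the thread, nor from the Squid project): a Squid built against OpenSSL takes a single tls-cert= per https_port, as the "does not support multiple server certificates" error above says, and Amos's advice is that the one PEM must be valid for every hosted name. The script below builds one self-signed certificate whose subjectAltName lists all the vhost names from the thread, then checks that each name is really covered and that the key matches the cert, the two things that go wrong most often when such a listener refuses to start. The hostnames are the thread's, the output paths and the self-signed CA are assumptions for testing; for production the same SAN list goes into the CSR sent to the real CA.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# A Squid built against OpenSSL accepts only one tls-cert= per https_port,
# so the usual fix is one certificate whose subjectAltName covers every
# hosted name. Hostnames are from the thread; output paths are made up and
# the cert is self-signed for testing (assumptions, not anything Squid ships).
set -eu

# make_san_cert OUTDIR NAME... : write OUTDIR/vhost.key and OUTDIR/vhost.pem,
# a self-signed server cert whose SAN lists every NAME (first NAME is the CN).
make_san_cert() {
    outdir=$1; shift
    first=$1
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$first" \
        -addext "subjectAltName=$san" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$outdir/vhost.key" -out "$outdir/vhost.pem" >/dev/null 2>&1
}

# cert_covers PEM NAME : succeed iff NAME is listed as a DNS SAN in PEM.
# Clients match on the SAN, not the CN, so this is the per-vhost check.
cert_covers() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# key_matches_cert KEY PEM : succeed iff the private key belongs to the cert,
# i.e. the tls-cert=/tls-key= pair Squid is given is consistent.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Usage: build one cert for the three names in the thread and check it.
#   d=$(mktemp -d)
#   make_san_cert "$d" regify.com test1.regify.com test2.regify.com
#   for n in regify.com test1.regify.com test2.regify.com; do
#       cert_covers "$d/vhost.pem" "$n" && echo "covered: $n"
#   done
#   key_matches_cert "$d/vhost.key" "$d/vhost.pem" && echo "key matches cert"
# Then the listener needs only that one pair:
#   https_port 0.0.0.0:443 accel defaultsite=regify.com \
#       tls-cert=/etc/ssl/certs/vhost.pem tls-key=/etc/ssl/private/vhost.key
```

Once the listener is up, the end-to-end check against the live proxy is `openssl s_client -connect <proxy>:443 -servername test1.regify.com -showcerts`, repeated for each hosted name, which confirms that the SNI reaches Squid and the served certificate covers it; the per-domain ssl::server_name ACLs and the "deny !Safe_ports" rules from the working config above stay in place regardless of how the certificate is built.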