Netgate Discussion Forum
    Why is a certificate needed for squid reverse https?

      Damned

      Hi!

      I currently have a lot of websites on different servers behind one public IP. All running on different ports in order to be NATed.
      I recently discovered letsencrypt and have started using https. It's chaos however and I can never seem to remember what service runs on what port.
      So I asked google what to do. Google told me I needed a reverse proxy.

      However, the concept of reverse proxy does not work like I thought it worked.
      In my world it is a fairly simple concept. Similar to vhosts in Apache or NAT in pfsense itself:

      Take a request asking for
      http://domain.com to 192.168.1.10
      https://domain.com to 192.168.1.10
      http://whatever.domain.com to 192.168.1.11
      https://whatever.domain.com to 192.168.1.12

      So with this fundamental knowledge I thought it would be a piece of cake. I installed squid, went to the reverse proxy setting. Enabled it, and immediately got some errors:

      The following input errors were detected:
      'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value(1023).
      To listen on low ports, change portrange.reservedhigh sysctl value to 0 in System: Advanced: System Tunables and restart Squid daemon.
      A valid certificate for the external interface must be selected when 'HTTPS Reverse Proxy' is enabled.

      The highport thing, I think I've come to understand (well, accept): I need to create a rule, and it is only then, when it gets forwarded to localhost on a specific port, that squid does stuff. Because for some reason squid can't see it otherwise. Fine.

      Then where I really get stuck is the certificate-part.
      I only want to forward to the correct web-server on my internal network. That server itself has a certificate I installed from letsencrypt. Why does squid require this? Installing certificates on pfsense is a bit over my head. But I still don't see why I'd need one.

      Could someone please explain why stuff doesn't work like I want it to work?

        JoeFjell

        Hi Damned,

        I wonder that myself. So if there is anyone out there that can tell us WHY??

          doktornotor

          Because

          The TLS cert= option is mandatory on HTTPS ports.

          And in general - do yourself a favour and use haproxy instead.

            kpa

            A slightly longer answer is that any SSL/TLS endpoint that is going to decrypt and authenticate incoming HTTPS connections MUST have a certificate because it's the cryptographic identification and authentication of a peer. If an SSL/TLS server you're connecting to claims to be 'www.example.tld' it must present a certificate (preferably signed by a trusted third party so it verifies correctly) with a CN (common name) 'www.example.tld', otherwise the SSL/TLS handshake will be aborted if the server cannot present such a certificate.

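An added example (not from the thread, squid or pfSense) of the two things kpa describes, using Python's ssl module: the name rule a client applies to the certificate a TLS server presents, and what a TLS server does when it is asked to handshake with no certificate loaded at all. The certificate dict and the domain.com names are constructed placeholders.

```python
import socket
import ssl

# Constructed peer certificate in the dict layout ssl.SSLSocket.getpeercert()
# returns; the names are placeholders from the thread, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "subjectAltName": (("DNS", "domain.com"), ("DNS", "*.domain.com")),
}


def _name_matches(pattern, hostname):
    """RFC 6125 style: a wildcard is only valid as the whole leftmost label and
    stands for exactly one label ('*.domain.com' covers 'whatever.domain.com',
    but neither 'domain.com' nor 'a.b.domain.com')."""
    p, h = pattern.lower().split("."), hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def hostname_matches(cert, hostname):
    """Names the server may claim: dNSName SANs first; the subject CN is only
    consulted when there is no dNSName SAN (modern browsers ignore the CN)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)


def handshake_without_server_cert():
    """Drive a TLS handshake over an in-memory socket pair against a server
    context that never loaded a certificate; returns the error the server
    raises (None if the handshake somehow completed)."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no load_cert_chain()
    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli_ctx.check_hostname = False                     # isolate the server-side failure
    cli_ctx.verify_mode = ssl.CERT_NONE
    a, b = socket.socketpair()
    a.setblocking(False)
    b.setblocking(False)
    srv = srv_ctx.wrap_socket(a, server_side=True, do_handshake_on_connect=False)
    cli = cli_ctx.wrap_socket(b, server_hostname="domain.com", do_handshake_on_connect=False)
    for _ in range(20):  # alternate the two sides until one of them fails
        for side in (cli, srv):
            try:
                side.do_handshake()
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass  # waiting for the other side's bytes
            except ssl.SSLError as exc:
                return exc
    return None
```

This is the condition squid's "cert= is mandatory" validation refuses up front, instead of failing on every incoming client connection.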
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.