Why is a certificate needed for squid reverse https?



  • Hi!

    I currently have alot of websites on different servers behind one public IP. All running on different ports in order to be NATed.
    I recently discovered letsencrypt and have started using https. It's chaos however and I can never seem to remember what service runs on what port.
    So I asked google what to do. Google told me I needed a reverse proxy.

    However, the concept of reverse proxy does not work like I thought it worked.
    In my world it is a fairly simple concept. Similiar to vhosts in Apache or NAT in pfsense itself:

    Take a request asking for
    http://domain.com to 192.168.1.10
    https://domain.com to 192.168.1.10
    http://whatever.domain.com to 192.168.1.11
    https://whatever.domain.com to 192.168.1.12

    So with this fundamental knowledge I thought it would be a piece of cake. I installed squid, went to the reverse proxy setting. Enabled it, and immediately got some errors:

    
    The following input errors were detected:
    'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value(1023).
    To listen on low ports, change portrange.reservedhigh sysctl value to 0 in System: Advanced: System Tunables and restart Squid daemon.
    A valid certificate for the external interface must be selected when 'HTTPS Reverse Proxy' is enabled.
    
    

    The highport thing, I think I've come to understand(well, accept) I need to create a rule, and it is first then when it gets forwarded to localhost on a specific port that squid does stuffs. Because for some reason squid can't see it otherwise. Fine.

    Then where I really get stuck is the certificate-part.
    I only want to forward to the correct web-server on my internal network. That server itself has a certificate I installed from letsencrypt. Why do squid require this? Installing certificates on pfsense is a bit over my head. But I still don't see why I'd need one.

    Could someone please explain why stuff don't work like I want it to work?



  • Hi Damned,

    I wonder that my self. So if there is anyone out there that can tell us WHY??


  • Banned

    Because

    The TLS cert= option is mandatory on HTTPS ports.

    And in general - do yourself a favour and use haproxy instead.



  • A slightly longer answer is that any SSL/TLS endpoint that is going to decrypt and authenticate incoming HTTPS connections MUST have a certificate because it's the cryptographic identification and authentication of a peer. If an SSL/TLS server you're connecting to claims to be 'www.example.tld' it must present a certificate (preferably signed by a trusted third party so it verifies correctly) with a CN (common name) 'www.example.tld', otherwise the SSL/TLS handshake will be aborted if the server can not present such certificate.