Netgate Discussion Forum

[Solved]squid, multi SSL reverse proxy

pfSense Packages
13 Posts 3 Posters 12.8k Views
  • J
    jjandrob
    Sep 16, 2012, 1:00 PM (last edited Sep 18, 2012, 1:39 AM)

    Hi Guys,

    I'm looking to redirect a few SSL sites to my internal servers.  The internal servers are different VMs and all share the same domain name… but are different subdomains.

    Example:
    serverA.mydomain.com
    serverb.mydomain.com
    lab.mydomain.com

    Is it possible to have SQUID provide the SSL cert for all of them?  Or is my thinking wrong?

    • J
      jjandrob
      last edited by Sep 17, 2012, 12:56 AM

      so…

      I played with this for a little bit today.

      I got a wildcard SSL cert from startssl (on the cheap and seems to be a good company thus far...  Please look them up) and configured squid3 to use the wildcard SSL for the reverse web proxy.

      I had to fill in the 443 number in the ssl port to prevent it from looping to the admin interface.  Odd but now everything seems to be okay...

      • M
        marcelloc
        last edited by Sep 17, 2012, 2:49 PM

        @jjandrob:

        I had to fill in the 443 number in the ssl port to prevent it from looping to the admin interface.  Odd but now everything seems to be okay…

        Change the admin interface to something other than 80/443.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • J
          jjandrob
          last edited by Sep 17, 2012, 3:22 PM

          Hi,

          I have done that... but I have an issue where everything is defaulting to the FQDN when using SSL.

          Is there a way to use more than one FQDN with this for SSL?

          non SSL is working fine…

          • M
            marcelloc
            last edited by Sep 17, 2012, 3:37 PM

            @jjandrob:

            Is there a way to use more than one FQDN with this for SSL?

            IIRC, on squid as well as on apache, you need one IP address for each ssl certificate.

            A wildcard certificate is the way to work around it. After the ssl certificate check I think the host header could be checked (on apache it does).

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

            • J
              jjandrob
              last edited by Sep 17, 2012, 3:49 PM

              hi!

              I have an ssl wildcard cert in pfsense & it's configured to use that cert for the reverse proxy.

              is there a fix? (the header check you referenced)

              • M
                marcelloc
                last edited by Sep 17, 2012, 5:50 PM

                @jjandrob:

                is there a fix? (the header check you referenced)

                The ssl is the first step; after this, the normal host header should work.

                Elite Training: http://sys-squad.com

                Help a community developer! ;D

                • J
                  jjandrob
                  last edited by Sep 17, 2012, 7:18 PM

                  hi,

                  my FQDN to my router is home.x.net

                  I'm trying to reverse two SSLs using my wildcard ssl.

                  currently my first ssl is working (home.x.net)

                  my second ssl is being matched to home.x.net even though I'm typing in termsrv01.x.net

                  watching the logs I'm seeing the entry coming in as home.x.net.  I'm not sure where it's getting rewritten.

                  the way it's acting… I'm not sure if adding a different ip would help, for regardless of what ssl traffic I'm sending... it's matching against home.x.net.

                  • J
                    jjandrob
                    last edited by Sep 18, 2012, 1:38 AM

                    I found the issue and sadly it's in the /usr/local/pkg/squid_reverse.inc.

                    In the file you have the following.

                    foreach (explode(",", $ifaces) as $i => $iface) {
                        $real_ifaces[] = squid_get_real_interface_address($iface);
                        if ($real_ifaces[$i][0]) {
                            //HTTP
                            if (!empty($settings['reverse_http']))
                                $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
                            //HTTPS (note: no vhost option on this line)
                            if (!empty($settings['reverse_https']))
                                $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite}\n";
                        }
                    }

                    Under HTTPS you need to add vhost\n at the very end.  This is why http was working but NOT ssl.  :-)

                    Please update the config file to read as follows.
                    $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";

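To show why the missing `vhost` matters, here is an added example (not the pfSense package's own code) that builds the same `http_port`/`https_port` accel lines the package generates and checks a squid.conf for accel listeners that lack `vhost`, which is exactly the state that made every HTTPS name match `home.x.net`. The addresses, certificate paths and site names are constructed sample values.

```python
"""Generate squid reverse-proxy listener lines and lint them for 'vhost'.

Added example, not pfSense's squid_reverse.inc; it mirrors the directives
that file emits, with 'vhost' present on both HTTP and HTTPS listeners.
"""
import re


def reverse_listen_directives(addresses, http_port=80, https_port=443,
                              http_defsite="", https_defsite="",
                              cert="", key="",
                              enable_http=True, enable_https=True):
    """Return squid.conf listener lines, one per bound address and scheme.

    'accel' puts the listener in reverse-proxy mode; 'vhost' makes squid
    route on the request Host header instead of always using defaultsite.
    """
    lines = []
    for addr in addresses:
        if not addr:          # skip interfaces with no address, as the .inc does
            continue
        if enable_http:
            lines.append(f"http_port {addr}:{http_port} accel "
                         f"defaultsite={http_defsite} vhost")
        if enable_https:
            lines.append(f"https_port {addr}:{https_port} accel "
                         f"cert={cert} key={key} "
                         f"defaultsite={https_defsite} vhost")
    return lines


_LISTEN_RE = re.compile(r"^(https?_port)\s+(\S+)\s+(.*)$")


def find_accel_ports_without_vhost(conf_text):
    """Return (directive, address) for accel listeners missing 'vhost'.

    Such a listener serves defaultsite for every name, so a second
    virtual host behind the same wildcard cert is never reached.
    """
    missing = []
    for line in conf_text.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if not m:
            continue
        directive, addr, opts = m.groups()
        words = opts.split()
        if "accel" in words and "vhost" not in words:
            missing.append((directive, addr))
    return missing


# Constructed sample reproducing the bug: https_port without vhost.
SAMPLE_BROKEN_CONF = """\
http_port 192.0.2.10:80 accel defaultsite=home.x.net vhost
https_port 192.0.2.10:443 accel cert=/c.pem key=/k.pem defaultsite=home.x.net
"""
```

Run `find_accel_ports_without_vhost` over the generated /usr/local/etc/squid/squid.conf after a package upgrade to confirm the fix is actually in effect.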
                    • M
                      marcelloc
                      last edited by Sep 18, 2012, 3:41 AM

                      Thanks jjandrob. :) I've published version 2.0.5_5 with this fix.

                      Elite Training: http://sys-squad.com

                      Help a community developer! ;D

                      • J
                        jvorhees
                        Nov 15, 2012, 4:48 PM (last edited Nov 16, 2012, 10:26 AM)

                        Hello,

                        and thank you for the great work, reverse ssl is working well now!!!

                        I've just a bug for xmlrpc syncing the reverse part of squid: only the normal proxy is synced with the peer, not the reverse parts of the configuration. (Tested only on 2.0.1 amd64 with squid 2.0.5_5)

                        I'll check on i386, just in case ;)
                        EDIT: Same behaviour on 2.0.1 i386 / squid 2.0.5_5 :(

                        If you have any hint on that…

                        Thanks.

                        • M
                          marcelloc
                          last edited by Nov 20, 2012, 8:37 PM

                          @jvorhees:

                          If you have any hint on that…

                          I've pushed a fix for it with no version change. Reinstall the package and test if it works.

                          Elite Training: http://sys-squad.com

                          Help a community developer! ;D

                          • J
                            jvorhees
                            last edited by Nov 21, 2012, 11:42 AM

                            Thank you Marcelloc!!! it's working well now ;)
