[Solved] squid, multi SSL reverse proxy



  • Hi Guys,

    I'm looking to redirect a few SSL sites to my internal servers.  The internal servers are different VMs and all share the same domain name… but are different subdomains.

    Example:
    serverA.mydomain.com
    serverb.mydomain.com
    lab.mydomain.com

    Is it possible to have SQUID provide the SSL cert for all of them?  Or is my thinking wrong?



  • so…

    I played with this for a little bit today.

    I got a wildcard SSL cert from startssl (on the cheap and seems to be a good company thus far...  Please look them up) and configured squid3 to use the wildcard SSL for the reverse web proxy.

    I had to fill in the 443 number in the SSL port to prevent it from looping to the admin interface.  Odd, but now everything seems to be okay...



  • @jjandrob:

    I had to fill in the 443 number in the SSL port to prevent it from looping to the admin interface.  Odd, but now everything seems to be okay…

    Change the admin interface to something other than 80/443.



  • Hi,

    I have done that, but I have an issue where everything is defaulting to the FQDN when using SSL.

    Is there a way to use more than one FQDN with this for SSL?

    Non-SSL is working fine…



  • @jjandrob:

    Is there a way to use more than one FQDN with this for SSL?

    IIRC, on squid as well as on apache, you need one IP address for each SSL certificate.

    A wildcard certificate is the way to work around it. After the SSL certificate check, I think the host header could be checked (on apache it does).



  • hi!

    I have an SSL wildcard cert in pfsense & it's configured to use that cert for the reverse proxy.

    Is there a fix? (the header check you referenced)



  • @jjandrob:

    Is there a fix? (the header check you referenced)

    The SSL is the first step; after this, the normal host header should work.



  • hi,

    My FQDN to my router is home.x.net.

    I'm trying to reverse two SSLs using my wildcard SSL.

    Currently my first SSL is working (home.x.net).

    My second SSL is being matched to home.x.net even though I'm typing in termsrv01.x.net.

    Watching the logs I'm seeing the entry coming in as home.x.net.  I'm not sure where it's getting rewritten.

    The way it's acting… I'm not sure if adding a different IP would help, for regardless of what SSL traffic I'm sending, it's matching against home.x.net.



  • I found the issue and sadly it's in the /usr/local/pkg/squid_reverse.inc.

    In the file you have the following.

    foreach (explode(",", $ifaces) as $i => $iface) {
        $real_ifaces[] = squid_get_real_interface_address($iface);
        if ($real_ifaces[$i][0]) {
            //HTTP
            if (!empty($settings['reverse_http']))
                $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
            //HTTPS (note: this line ends without the vhost option)
            if (!empty($settings['reverse_https']))
                $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite}\n";
        }
    }

    Under HTTPS you need to add vhost\n at the very end.  This is why http was working but NOT ssl.  :-)

    Please update the config file to read as follows.
    $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
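    For readers who want to see what the generated squid.conf should end up looking like once https_port carries vhost: the fragment below is an added, hand-written example and is not the output of the pfSense package or anything posted in this thread. The WAN address 203.0.113.10, the backend addresses 10.0.0.11-13, the certificate paths and the peer names are all assumptions for illustration; the three host names are the ones from the first post.

```conf
# Added example, not from the pfSense squid package or this thread.
# Listener address, backend addresses and key/cert paths are assumed.

# Accelerator listeners. 'vhost' tells squid to route on the request's
# Host: header instead of sending every request to defaultsite, which is
# exactly the behaviour the thread saw on port 80 but not on 443.
http_port  203.0.113.10:80  accel defaultsite=lab.mydomain.com vhost
https_port 203.0.113.10:443 accel cert=/etc/squid/wildcard.mydomain.com.crt key=/etc/squid/wildcard.mydomain.com.key defaultsite=lab.mydomain.com vhost

# One origin server per internal VM (assumed addresses).
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=serverA
cache_peer 10.0.0.12 parent 80 0 no-query originserver name=serverb
cache_peer 10.0.0.13 parent 80 0 no-query originserver name=lab

# Match on the destination host name; dstdomain is case-insensitive.
acl site_serverA dstdomain serverA.mydomain.com
acl site_serverb dstdomain serverb.mydomain.com
acl site_lab     dstdomain lab.mydomain.com

# Pin each peer to its own name so a Host: header for one site can
# never be forwarded to another VM's backend.
cache_peer_access serverA allow site_serverA
cache_peer_access serverA deny all
cache_peer_access serverb allow site_serverb
cache_peer_access serverb deny all
cache_peer_access lab     allow site_lab
cache_peer_access lab     deny all

# Only the three published names are accepted; everything else is refused
# rather than silently falling through to defaultsite.
http_access allow site_serverA
http_access allow site_serverb
http_access allow site_lab
http_access deny all
```

    To check the routing from outside without touching DNS, point curl at the proxy address with the name you expect squid to see, e.g. `curl --resolve serverb.mydomain.com:443:203.0.113.10 https://serverb.mydomain.com/`, and confirm in the access log that each name reaches its own peer. Two caveats: a single wildcard such as *.mydomain.com only covers one label, so it is valid for lab.mydomain.com but not for mydomain.com itself or for a.b.mydomain.com; and because squid here presents one certificate for every name, the certificate has to cover all of the hosts you route by Host: header, otherwise clients will see a name mismatch before any routing happens.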



  • Thanks jjandrob. :) I've published version 2.0.5_5 with this fix.



  • Hello,

    and thank you for the great work, reverse SSL is working well now!!!

    I've just got a bug with XMLRPC syncing the reverse part of squid: only the normal proxy is synced with the peer, not the reverse parts of the configuration. (Tested only on 2.0.1 amd64 with squid 2.0.5_5)

    I'll check on i386, just in case ;)
    EDIT: Same behaviour on 2.0.1 i386 / squid 2.0.5_5 :(

    If you have any hint on that…

    Thanks.



  • @jvorhees:

    If you have any hint on that…

    I've pushed a fix for it with no version change. Reinstall the package and test if it works.



  • Thank you Marcelloc!!! It's working well now ;)

