SQUID 3 using multiple SSL



  • Hi Pfseners  ;D

    I have multiple sites that require an SSL certificate bound to each, but I noticed that the SQUID 3 reverse proxy has only one field for one SSL certificate. On TMG there's an option where you can add listeners and bind a certificate to the web server.

    If not, is it possible that it'll come in future versions of squid?  ???

    thanks
    Moh



  • @moh10ly:

    If not, is it possible that it'll come in future versions of squid?  ???

    It's possible but I don't know when. I'm really busy… :(

    Did you try a wildcard certificate?



  • @marcelloc:

    It's possible but I don't know when. I'm really busy… :(

    Did you try a wildcard certificate?

    Thought I'd latch on to this thread…

    As I understand your reply, it is currently not supported to use more than one certificate on the SQUID3 package?
    If not, is the feature planned in any way?

    Regards,
    Anders



  • @Sup3rior:

    Thought I'd latch on to this thread…

    As I understand your reply, it is currently not supported to use more than one certificate on the SQUID3 package?
    If not, is the feature planned in any way?

    Regards,
    Anders

    Could by the way be interested in funding this feature in case it's needed…



  • @Sup3rior:

    Could by the way be interested in funding this feature in case it's needed…

    It will be great  ;D
    You can send me a private message with your funding plans.

    At least on apache, you will need an IP address for each cert. That's why I suggested a wildcard for multiple SSL sites on the same domain.

    squid3 will need a multi daemon tab to configure each listening ip for each cert.

    I can do a testing version for it.



  • @marcelloc:

    It will be great  ;D
    You can send me a private message with your funding plans.

    At least on apache, you will need an IP address for each cert. That's why I suggested a wildcard for multiple SSL sites on the same domain.

    squid3 will need a multi daemon tab to configure each listening ip for each cert.

    I can do a testing version for it.

    Let's keep as much as possible in this open thread, in case others would like to opt in…

    Regarding your note with an IP address for each certificate, this would be required and therefore is an additional feature that would be needed for this project. As I understand you, squid doesn't have a multi daemon today?

    If this is correct, then I see it broken down to these features:

    • Being able to use multiple SSL certificates from different certificate authorities, configurable by GUI

    • Being able to bind SSL certificates to different IP addresses, configurable by GUI

    Correct me if I'm off here.

    I will PM you later this week and we can discuss the funding part :)

    //Regards



  • I can't bind a wildcard certificate because it's a Unified Communications certificate with multiple SANs, and I have more than one server that requires this type of certificate.

    So for instance, using ADFS "Active Directory Federation Services" requires one SAN certificate, and I have a communication server that requires a UC certificate.. you can't use a wildcard certificate with any of them.

    Btw, I'm also willing to donate to you Marco. You're doing such a great job that everyone should participate in and send a small amount of appreciation to encourage you  ;D



  • @marcelloc:

    It will be great  ;D
    You can send me a private message with your funding plans.

    As it seems others are interested in participating in some part of the funding, perhaps we should discuss it in the open for everyone to join in?



  • Yes, I totally agree.  :)



  • Hi Marco,

    Should we discuss the funding part of this?

    Since we seem to have some mutual understanding on what needs to be done in squid to make this work, perhaps we should discuss what is needed (eg. funding/man hours).
    I'm not that familiar with who's what in the squid community, so I don't know whether you're a developer or if we need someone else on this?

    Regards,
    Anders



  • Hi all,

    I'm not sure yet if this is what I'm looking for.
    But here goes…

    I'm trying to get some clients on a remote site to connect to some apps on the server site. Both sites are connected with an OpenVPN PKI tunnel.
    I also have the reverse proxy SQUID3 installed for SSL purposes. Multiple sites are hosted, only 1 WAN IP.

    So far all is good and works nicely. The thing is, it does the routing on IP and not domain name over the tunnel, and just this little hiccup is bothering me.
    The clients have certificates installed to open the apps, but somehow the reverse HTTPS proxy does not pass the certificate, so they are not able to open the app.

    Is your 'extension' or 'feature' the thing I need in SQUID3 to make this work?
    I've read this could be possible by using a multi-domain certificate or with TLS / SNI (both of which I'm not inventive enough to figure out at the moment).

    Kindest regards,

    Stijn



  • Hi

    Because I was actually searching for ways to optimize the SSL options for squid, I found this thread…

    I already wrote last month in some other thread that it's easy to create a workaround for it.

    1. I created a patch to put the certificate chain + private key into special files automatically

    2. In SQuiD Proxy Server, "General Options", box "Custom Options", I wrote additional lines for additional domains:

    # special port for https proxying multi domains
    http_port <ip>:80 accel defaultsite=<domain webserver> vhost
    https_port <ip>:443 accel cert=/usr/local/etc/squid/<wildcard>.crt key=/usr/local/etc/squid/<wildcard>.key defaultsite=<domain webserver> vhost
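    The one-IP-per-certificate point made earlier in the thread and the "Custom Options" workaround in this post come down to the same shape of Squid configuration: one https_port line per listening IP, each carrying its own cert= and key=. The following is an added example written for this page; it is not from the thread, from the pfSense squid3 package, or from the Squid project. The IP addresses, hostnames, certificate paths and back-end servers are constructed placeholders, and the two shell functions are hypothetical helpers that sanity-check such a fragment before it is pasted into the GUI.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense squid3 package).
# Squid 3's https_port takes a single cert=/key= pair per line and binds one
# ip:port, so each certificate needs its own listening IP address.
# All IPs, hostnames and paths below are constructed placeholders.

SQUID_CONF_EXAMPLE='
# plain-HTTP listeners, one per site
http_port 203.0.113.10:80 accel defaultsite=mail.example.com vhost
http_port 203.0.113.11:80 accel defaultsite=adfs.example.com vhost

# HTTPS listeners: one certificate chain + key per listening IP
https_port 203.0.113.10:443 accel cert=/usr/local/etc/squid/mail.example.com.crt key=/usr/local/etc/squid/mail.example.com.key defaultsite=mail.example.com vhost
https_port 203.0.113.11:443 accel cert=/usr/local/etc/squid/adfs.example.com.crt key=/usr/local/etc/squid/adfs.example.com.key defaultsite=adfs.example.com vhost

# back-end origin servers on the internal network, selected by Host header
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=mailsrv
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=adfssrv
acl mail_site dstdomain mail.example.com
acl adfs_site dstdomain adfs.example.com
cache_peer_access mailsrv allow mail_site
cache_peer_access adfssrv allow adfs_site
http_access allow mail_site
http_access allow adfs_site
http_access deny all
'

# cert_bindings CONF
#   Prints "ip:port certfile" for every https_port line, so an admin can see
#   at a glance which certificate each listening address will present.
cert_bindings() {
    printf '%s\n' "$1" | awk '
        /^https_port/ {
            cert = "(none)"
            for (i = 3; i <= NF; i++) if ($i ~ /^cert=/) cert = substr($i, 6)
            print $2, cert
        }'
}

# check_listeners CONF
#   Returns 0 if every https_port line carries both cert= and key=, and no two
#   https_port lines bind the same ip:port (the second one could not bind, and
#   a single socket presents only the one certificate configured on it).
#   Returns 1 and prints each problem otherwise.
check_listeners() {
    printf '%s\n' "$1" | awk '
        /^https_port/ {
            sock = $2; has_cert = 0; has_key = 0
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^cert=/) has_cert = 1
                if ($i ~ /^key=/)  has_key = 1
            }
            if (!has_cert || !has_key) { print "missing cert= or key= on " sock; bad = 1 }
            if (sock in seen) { print "duplicate listener " sock " (one certificate per ip:port)"; bad = 1 }
            seen[sock] = 1
        }
        END { exit bad }'
}

cert_bindings "$SQUID_CONF_EXAMPLE"
check_listeners "$SQUID_CONF_EXAMPLE" && echo "listener configuration is consistent"
```

    Each https_port line needs a distinct IP (or port) on the pfSense box, which is the extra requirement the thread identified; a second line that reuses an address is the mistake check_listeners flags. Sites that must share a single address are exactly the case where the wildcard or multi-SAN certificate suggested above is the fallback.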


  • I'm working on a new reverse proxy GUI for squid3-dev package. Maybe this week I finish and publish it.



  • Is it going to support multi-SAN certificates and multiple domains?

    Marco, it would be good to test it. I'll set up a new pfSense in my lab to test your dev version..!
    I'll report bugs if any are found.



  • This has not been implemented yet, correct? I can only select one single SSL cert for the HTTPS reverse proxy. I'd need to set a different certificate per subdomain; does anyone know how to do that with a custom setting? Is it supported by the squid3 package?



  • @moh10ly:

    If not, is it possible that it'll come in future versions of squid?  ???

    thanks
    Moh

    Also in need of this feature.

    Currently running pound on a separate VM but would like to have my reverse proxy on pfSense. I suppose I could always install pound on the pfSense box, but it would be nice to be able to do multiple SSL reverse proxy configs in the GUI.

