Netgate Discussion Forum
    SQUID 3 using multiple SSL

    Scheduled Pinned Locked Moved Cache/Proxy
    16 Posts 7 Posters 10.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
moh10ly wrote:

Hi pfSensers ;D

I have multiple sites that require an SSL certificate bound to each, but I noticed that the SQUID 3 reverse proxy has only one field for one SSL certificate. On TMG there's an option where you can add listeners and bind a certificate to the web server.

If not, is it possible that it'll come in future versions of squid? ???

Thanks,
Moh

Power is Knowledge.
marcelloc wrote:

@moh10ly:

If not, is it possible that it'll come in future versions of squid? ???

It's possible but I don't know when. I'm really busy… :(

Did you try a wildcard certificate?

Elite Training: http://sys-squad.com

Help a community developer! ;D
Sup3rior wrote:

@marcelloc:

It's possible but I don't know when. I'm really busy… :(

Did you try a wildcard certificate?

Thought I'd latch on to this thread…

As I understand your reply, it is currently not supported to use more than one certificate with the SQUID3 package?
If not, is the feature planned in any way?

Regards,
Anders
Sup3rior wrote:

@Sup3rior:

Thought I'd latch on to this thread…

As I understand your reply, it is currently not supported to use more than one certificate with the SQUID3 package?
If not, is the feature planned in any way?

Regards,
Anders

I could, by the way, be interested in funding this feature in case it's needed…
marcelloc wrote:

@Sup3rior:

I could, by the way, be interested in funding this feature in case it's needed…

It will be great ;D
You can send me a private message with your funding plans.

At least on Apache, you will need an IP address for each cert. That's why I suggested a wildcard for multiple SSL sites on the same domain.

squid3 will need a multi-daemon tab to configure each listening IP for each cert.

I can do a testing version for it.

Elite Training: http://sys-squad.com

Help a community developer! ;D
Sup3rior wrote:

@marcelloc:

It will be great ;D
You can send me a private message with your funding plans.

At least on Apache, you will need an IP address for each cert. That's why I suggested a wildcard for multiple SSL sites on the same domain.

squid3 will need a multi-daemon tab to configure each listening IP for each cert.

I can do a testing version for it.

Let's keep as much as possible in this open thread, in case others would like to opt in…

Regarding your note about an IP address for each certificate, this would be required and therefore is an additional feature that would be needed for this project. As I understand you, squid doesn't have a multi-daemon mode today?

If this is correct, then I see it broken down into these features:

• Being able to use multiple SSL certificates from different certificate authorities, configurable by GUI

• Being able to bind SSL certificates to different IP addresses, configurable by GUI

Correct me if I'm off here.

I will PM you later this week and we can discuss the funding part :)

//Regards
moh10ly wrote:

I can't bind a wildcard certificate because it's a Unified Communications certificate with multiple SANs, and I have more than one server that requires this type of certificate.

So for instance, using ADFS (Active Directory Federation Services) requires one SAN certificate, and I have a communication server that requires a UC certificate. You can't use a wildcard certificate with either of them.

BTW, I'm also willing to donate to you, Marco. You're doing such a great job that everyone should participate and send a small amount of appreciation to encourage you ;D

Power is Knowledge.
Sup3rior wrote:

@marcelloc:

It will be great ;D
You can send me a private message with your funding plans.

As it seems others are interested in participating in some part of the funding, perhaps we should discuss it in the open for everyone to join in?
moh10ly wrote:

Yes, I totally agree. :)

Power is Knowledge.
Sup3rior wrote:

Hi Marco,

Should we discuss the funding part of this?

Since we seem to have some mutual understanding on what needs to be done in squid to make this work, perhaps we should discuss what is needed (e.g. funding/man hours).
I'm not that familiar with who's who in the squid community, so I don't know whether you're a developer or if we need someone else on this?

Regards,
Anders
s.kuppens wrote:

Hi all,

I'm not sure yet if this is what I'm looking for.
But here goes…

I'm trying to get some clients on a remote site to connect to some apps on the server site. Both sites are connected with an OpenVPN PKI tunnel.
I also have the reverse proxy SQUID3 installed for SSL purposes. Multiple sites are hosted, only 1 WAN IP.

So far all is good and works nicely. The thing is, it does the routing on IP and not domain name over the tunnel, and just this little hiccup is bothering me.
The clients have certificates installed to open the apps, but somehow the reverse HTTPS proxy does not pass the certificate, so they are not able to open the app.

Is your 'extension' or 'feature' the thing I need in SQUID3 to make this work?
I've read this could be possible by using a multi-domain certificate or with TLS / SNI (I'm not inventive enough to figure either of those out at the moment).

Kindest regards,

Stijn
Reiner030 wrote:

Hi

Because I'm actually searching for optimized SSL options for squid, I found this thread…

I already wrote last month in some other thread that it's easy to create a workaround for it.

1. I created a patch to put the certificate chain + private key into special files automatically

2. In SQuiD Proxy Server, "General Options", box "Custom Options", I wrote additional lines for additional domains:

    # special port for https proxying multi domains
    http_port <ip>:80 accel defaultsite=<domain webserver> vhost
    https_port <ip>:443 accel cert=/usr/local/etc/squid/<wildcard>.crt key=/usr/local/etc/squid/<wildcard>.key defaultsite=<domain webserver> vhost

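The two technical points in this thread are marcelloc's note that, without SNI support, each certificate needs its own listening IP address, and Reiner030's workaround of adding one `https_port` line per IP and certificate to the "Custom Options" box. The script below is an added example, not code from the thread, the pfSense squid package or the Squid project: it embeds a constructed `squid.conf` fragment in that style (the IP addresses, hostnames and certificate paths are made up), parses the `http_port`/`https_port` directives, and reports the one misconfiguration that this workaround invites, namely two different certificates bound to the same IP:port, which Squid cannot serve without SNI. The `cert=` keyword follows the Squid 3 syntax used in the thread; newer Squid versions spell it `tls-cert=`, and the parser accepts either.

```python
import re
from collections import defaultdict

# Constructed squid.conf fragment (not from the thread). One https_port per
# listening IP, each with its own certificate, as the per-IP workaround needs.
# The last https_port line deliberately reuses 192.0.2.10:443 with a second
# certificate so the check has something to catch.
SAMPLE_SQUID_CONF = """\
# special port for https proxying multi domains
http_port 192.0.2.10:80 accel defaultsite=www.example.com vhost
https_port 192.0.2.10:443 accel cert=/usr/local/etc/squid/www.crt key=/usr/local/etc/squid/www.key defaultsite=www.example.com vhost
https_port 192.0.2.11:443 accel cert=/usr/local/etc/squid/adfs.crt key=/usr/local/etc/squid/adfs.key defaultsite=adfs.example.com vhost
# mistake: a second certificate on an address that already has one
https_port 192.0.2.10:443 accel cert=/usr/local/etc/squid/uc.crt key=/usr/local/etc/squid/uc.key defaultsite=uc.example.com vhost
"""

# directive, bind address, then the remaining options
PORT_RE = re.compile(r"^\s*(https?_port)\s+(\S+)\s*(.*)$")


def parse_listeners(conf_text):
    """Return one dict per http_port/https_port directive in the config text.

    Each dict carries the directive name, the bind address as written,
    key=value options (cert=, key=, defaultsite=, ...) and bare flags
    (accel, vhost, ...). Comment lines and unrelated directives are skipped.
    """
    listeners = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing/whole-line comments
        m = PORT_RE.match(line)
        if not m:
            continue
        directive, bind, rest = m.groups()
        opts, flags = {}, []
        for tok in rest.split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                opts[k] = v
            else:
                flags.append(tok)
        listeners.append({"directive": directive, "bind": bind,
                          "opts": opts, "flags": flags})
    return listeners


def check_cert_bindings(conf_text):
    """Map each https bind address to the certificates configured on it.

    Returns (bindings, problems). A problem is recorded when an https_port
    has no certificate, is not in accel (reverse proxy) mode, or shares its
    IP:port with a different certificate, since Squid picks one certificate
    per listening socket here and cannot choose by requested hostname.
    """
    cert_by_bind = defaultdict(set)
    problems = []
    for lst in parse_listeners(conf_text):
        if lst["directive"] != "https_port":
            continue
        cert = lst["opts"].get("cert") or lst["opts"].get("tls-cert")
        if cert is None:
            problems.append(f"{lst['bind']}: https_port without cert=")
            continue
        if "accel" not in lst["flags"]:
            problems.append(f"{lst['bind']}: not in accel (reverse proxy) mode")
        cert_by_bind[lst["bind"]].add(cert)
    for bind, certs in cert_by_bind.items():
        if len(certs) > 1:
            problems.append(f"{bind}: {len(certs)} certificates bound to one "
                            f"address, only one can be served: {sorted(certs)}")
    return dict(cert_by_bind), problems


if __name__ == "__main__":
    bindings, problems = check_cert_bindings(SAMPLE_SQUID_CONF)
    for bind, certs in sorted(bindings.items()):
        print(f"{bind}: {', '.join(sorted(certs))}")
    for p in problems:
        print("PROBLEM:", p)
```

Run against the embedded sample it lists the two clean bindings and flags 192.0.2.10:443 as carrying two certificates; pointing `check_cert_bindings` at the text of a real "Custom Options" box gives the same check before the proxy is restarted with a config that silently serves the wrong certificate for one of the sites.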
marcelloc wrote:

I'm working on a new reverse proxy GUI for the squid3-dev package. Maybe this week I'll finish and publish it.

Elite Training: http://sys-squad.com

Help a community developer! ;D
moh10ly wrote:

Is it going to support multi-SAN certificates and multiple domains?

Marco, it would be good to test it. I'll set up a new pfSense in my lab to test your dev version..!
I'll report bugs if any are found.

Power is Knowledge.
Phlogi wrote:

This has not been implemented yet, correct? I can only select one single SSL cert for the HTTPS reverse proxy. I'd need to set a different certificate per subdomain; does anyone know how to do that with a custom setting? Is it supported by the squid3 package?
captdragon wrote:

@moh10ly:

If not, is it possible that it'll come in future versions of squid? ???

Thanks,
Moh

Also in need of this feature.

Currently running pound on a separate VM but would like to have my reverse proxy on pfSense. I suppose I could always install pound on the pfSense box, but it would be nice to be able to do multiple SSL reverse proxy configs in the GUI.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.