There seems to be lots of documentation out there about using SSL Bump or setting up a reverse proxy, but not alot of details on setting up a reverse proxy using an SSL certificate. That was the issue I had a couple of weeks ago. So, here is a handy guide to help anyone else looking to do the same thing.
A few items of note. This guide assumes you are running Linux and Squid version 4. In my case, it was on CentOS 7 and Squid 4.8. Instructions might be slightly different for different flavors of Linux.
Create the SSL Certificate
First we have to create the certificate. In our case, we wanted a wildcard certificate since our reverse proxy was going to handle requests to multiple servers. Note: You can only have 1 certificate per IP address, so they all must be in the same subdomain (eg www.example.com, customer.example.com, etc).
To create the certificate, follow these steps (replace example.com with your domain name):
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr(Enter *.example.com for the common name and leave the password blank if prompted)
- Purchase a wildcard SSL certificate from a reputable (Browser supported) source
- Upload/copy/paste/etc the CSR to the SSL provider and provide any additional information needed to generate the SSL.
- Download the generated SSL in .pem format to /etc/pki/tls/certs (It might have a different extension, but it doesn’t much matter. For this example, let’s assume it is example.com.pem)
As mentioned above, this example assumes Squid version 4 which is not standard with CentOS 7. You will have to install (yum repos are available).
Edit the /etc/squid/squid.conf file. Before the http_access entries in the default config file, add something similar to the following (modifying for your environment):
http_port 80 accel
sslproxy_cert_error allow all
https_port 443 accel \
cache_peer 192.168.12.34 parent 443 0 no-query \
originserver name=website1 \
cache_peer 192.168.56.78 parent 80 0 no-query \
acl site1 dstdomain www.example.com
acl site1 dstdomain dev.example.com
cache_peer_access website1 allow site1
http_access allow site1
acl site2 dstdomain customer.example.com
cache_peer_access website2 allow site2
http_access allow site2
- The server at 192.168.12.34 will be used to return data for www.example.com or dev.example.com. Also, it will be queried from the Squid server via an encrypted connection.
- The server at 192.168.56.78 will return data for customer.example.com. Squid will use regular http to request the data.
- Make sure you comment out/delete the default “http_port 3128” line. We are already listening on ports 80 and 443.
All that’s left to do is start the Squid services and watch the requests come in!
Hopefully you found this tutorial useful. If so, add a comment below.
Can your company use additional Linux support? Drop me a line!