Configuring Squid as Reverse Proxy with Wildcard SSL Certificate

There seems to be lots of documentation out there about using SSL Bump or setting up a plain reverse proxy, but not a lot of detail on setting up a reverse proxy that terminates TLS with its own SSL certificate. That was the issue I had a couple of weeks ago. So, here is a handy guide to help anyone else looking to do the same thing.

A few items of note. This guide assumes you are running Linux and Squid version 4. In my case, it was on CentOS 7 and Squid 4.8. Instructions might differ slightly for other flavors of Linux.

Create the SSL Certificate

First we have to create the certificate. In our case, we wanted a wildcard certificate since our reverse proxy was going to handle requests to multiple servers. Note: You can only have 1 certificate per IP address, so they all must be in the same subdomain (eg,, etc).

To create the certificate, follow these steps (replace with your domain name):

  1. cd /etc/pki/tls/certs
  2. openssl req -new -newkey rsa:2048 -nodes -keyout -out (Enter * for the common name and leave the password blank if prompted)
  3. Purchase a wildcard SSL certificate from a reputable (browser-supported) source.
  4. Upload/copy/paste/etc the CSR to the SSL provider and provide any additional information needed to generate the SSL.
  5. Download the generated SSL in .pem format to /etc/pki/tls/certs (It might have a different extension, but it doesn’t much matter. For this example, let’s assume it is

Configure Squid

As mentioned above, this example assumes Squid version 4, which is not standard with CentOS 7. You will have to install it separately (yum repos are available).

Edit the /etc/squid/squid.conf file. Before the http_access entries in the default config file, add something similar to the following (modifying for your environment):

# Listen for plain HTTP in accelerator (reverse proxy) mode.
http_port 80 accel
# Ignore certificate validation errors on Squid's outgoing TLS connections
# (here, the connection to the origin on port 443). This disables verification
# of the origin's certificate; once sslcafile below is valid, it can be removed.
sslproxy_cert_error allow all

# Listen for HTTPS and present the wildcard certificate. "vhost" makes Squid
# pick the origin from the Host header the client sent.
https_port 443 accel \
cert=/etc/pki/tls/certs/ \
key=/etc/pki/tls/certs/ vhost

# Origin server 1, reached over TLS and verified against the given CA file.
cache_peer parent 443 0 no-query \
originserver name=website1 \
ssl sslcafile=/etc/pki/tls/certs/
# Origin server 2, reached over plain HTTP on port 80.
cache_peer parent 80 0 no-query \
originserver name=website2

# Hostnames routed to website1 (both dstdomain lines add to the same acl).
acl site1 dstdomain
acl site1 dstdomain
cache_peer_access website1 allow site1
http_access allow site1

# Hostnames routed to website2.
acl site2 dstdomain
cache_peer_access website2 allow site2
http_access allow site2


  • The server at will be used to return data for or. Also, it will be queried from the Squid server over an encrypted connection.
  • The server at will return data for. Squid will use regular HTTP to request the data.
  • Make sure you comment out or delete the default “http_port 3128” line. We are already listening on ports 80 and 443.
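A small audit of a squid.conf for the pitfalls covered in this post (a leftover non-accel http_port, the certificate-error bypass, a TLS origin with no CA file, and access lines that name an acl that was never defined). This is an added example, not code from the original post; the sample config and every hostname in it are constructed placeholders.

```python
import re
# Constructed sample in the tutorial's layout; all hostnames are placeholders.
SAMPLE_CONF = """\
http_port 3128
http_port 80 accel
sslproxy_cert_error allow all
https_port 443 accel \\
    cert=/etc/pki/tls/certs/wild.pem key=/etc/pki/tls/certs/wild.key vhost
cache_peer origin1.internal.example parent 443 0 no-query \\
    originserver name=website1 ssl sslcafile=/etc/pki/tls/certs/ca.pem
cache_peer origin2.internal.example parent 80 0 no-query originserver name=website2
acl site1 dstdomain www.example.com
cache_peer_access website1 allow site1
http_access allow site1
cache_peer_access website2 allow site2
http_access allow site2
"""

BUILTIN_ACLS = {"all", "localhost", "manager", "to_localhost"}  # predefined by Squid

def parse(conf):
    """Join backslash-continued lines, strip comments, return token lists."""
    joined = re.sub(r"\\\n\s*", " ", conf)
    rows = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def audit(conf):
    """Return findings for the reverse-proxy pitfalls discussed in the post."""
    findings, acls = [], set(BUILTIN_ACLS)
    for tok in parse(conf):
        d = tok[0]
        if d == "http_port" and "accel" not in tok:
            findings.append(f"{' '.join(tok)}: listener not in accel mode (forward proxy left open)")
        elif d == "sslproxy_cert_error" and tok[1:3] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: origin certificate errors are ignored")
        elif d == "cache_peer":
            name = next((t[5:] for t in tok if t.startswith("name=")), tok[1])
            if {"ssl", "tls"} & set(tok) and not any(t.startswith(("sslcafile=", "tls-cafile=")) for t in tok):
                findings.append(f"cache_peer {name}: TLS to origin without a CA file to verify it")
        elif d == "acl":
            acls.add(tok[1])
        elif d in ("http_access", "cache_peer_access"):
            for a in tok[3 if d == "cache_peer_access" else 2:]:
                if a.lstrip("!") not in acls:
                    findings.append(f"{d} refers to undefined acl '{a}'")
    return findings
```

Run `audit(open("/etc/squid/squid.conf").read())` against your own file; the sample above yields four findings (the 3128 listener, the cert-error bypass, and the two lines naming the undefined acl site2).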


All that’s left to do is start the Squid services and watch the requests come in!

Hopefully you found this tutorial useful. If so, add a comment below.

Can your company use additional Linux support? Drop me a line!
