[nflug] squid reverse proxy SSL

Darin Perusich Darin.Perusich at cognigencorp.com
Mon Jul 16 09:27:32 EDT 2007


When you reverse proxy an SSL site with squid you need to define the 
https_port option and provide the cert/key for the site you're trying to 
proxy. The site also cannot be set up as a transparent proxy; this would 
be a man-in-the-middle and squid won't allow it.

I find that this is much easier to do with Apache and mod_proxy.

# some ssl virtual host
<VirtualHost 0.0.0.0:443>
...
...
...
  # access control for proxied requests
  <Proxy *>
    Order Deny,Allow
    Deny from all
    Allow from all
  </Proxy>

  # reverse proxy only; do not act as a forward proxy
  ProxyRequests off
  # use SSL for connections to the backend
  SSLProxyEngine on
  SSLProxyVerify optional
  SSLProxyCACertificateFile /etc/apache2/ssl.crt/cacert.crt

  <Location "/proxysite/">
    ProxyPass https://internal.domain.com/
    ProxyPassReverse https://internal.domain.com/
  </Location>
</VirtualHost>

justin.bennett at dynabrade.com wrote:
> 
> Hey Folks,
> 
> I am trying to set up a reverse proxy, basically I have a web 
> service running on a server and I want to put it behind a squid reverse 
> proxy. The application is SSL encrypted; I want the client (on the 
> internet) to go through SSL to the reverse proxy, then the reverse proxy 
> to go SSL to the web application (this is not necessary since the proxy 
> and web server are on the same LAN; however, it is currently set up this way).
> 
> Here is my squid.conf
> 
> http_port 8888
> httpd_accel_host 192.168.128.2
> httpd_accel_port 443
> httpd_accel_single_host on
> httpd_accel_with_proxy off
> httpd_accel_uses_host_header off
> 
> 
> when I do:
> https://reveseproxy.xxx.xxx:8888
> 
> It just times out.
> 
> Is there a trick to get squid to do SSL?  I assume it's just expecting 
> http not https from the client to the reverse proxy?
> 
> Thanks
> Justin
> 
> --
> Justin Bennett
> Network Administrator
> Dynabrade, Inc.

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper at cognigencorp.com
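
The Apache configuration in the reply above sets SSLProxyVerify optional; the mod_ssl documentation describes require as the level at which the backend has to present a valid certificate. The following is an added example, not part of the original message: a small Python check (function names are hypothetical) that reads such a config as one flat scope and reports weak settings for TLS toward the backend. The second sample config is a constructed variant.

```python
# Added example: audit upstream-TLS directives in an Apache reverse-proxy config.
# WEAK reuses the directives from the message above; STRICT is constructed.
WEAK = """\
SSLProxyEngine on
SSLProxyVerify optional
SSLProxyCACertificateFile /etc/apache2/ssl.crt/cacert.crt
<Location "/proxysite/">
  ProxyPass https://internal.domain.com/
</Location>
"""
STRICT = WEAK.replace("SSLProxyVerify optional", "SSLProxyVerify require")

PEER_CHECKS = ("sslproxycheckpeername", "sslproxycheckpeercn", "sslproxycheckpeerexpire")

def directives(conf):
    """Yield (name, args) per directive line, skipping comments and section tags."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, *args = line.split()
        yield name.lower(), [a.strip('"') for a in args]

def audit_proxy_tls(conf):
    """Return findings about certificate verification toward https:// backends."""
    seen, backends, findings = {}, [], []
    for name, args in directives(conf):
        if name == "proxypass":
            backends += [a for a in args if a.lower().startswith("https://")]
        elif args:
            seen[name] = args[0].lower()
    if not backends:
        return findings  # nothing is proxied over TLS
    if seen.get("sslproxyengine") != "on":
        findings.append("https backend but SSLProxyEngine is not on")
    verify = seen.get("sslproxyverify", "none")  # mod_ssl default is none
    if verify != "require":
        findings.append(f"SSLProxyVerify is '{verify}', not 'require'")
    if not ({"sslproxycacertificatefile", "sslproxycacertificatepath"} & seen.keys()):
        findings.append("no SSLProxyCACertificateFile/Path to verify the backend against")
    for check in PEER_CHECKS:
        if seen.get(check) == "off":
            findings.append(f"{check} is explicitly off")
    return findings

if __name__ == "__main__":
    for label, conf in (("config from the message", WEAK), ("require variant", STRICT)):
        print(label, "->", audit_proxy_tls(conf) or "ok")
```

The check only looks at directives that are present in the text it is given; included files and per-vhost overrides are outside what it sees.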
