[nflug] squid reverse proxy SSL
justin.bennett at dynabrade.com
Mon Jul 16 11:14:12 EDT 2007
Thanks for the reply. I have it working with Apache as you suggested,
seems to work well, except it seems the target server can't be SSL. That's no
problem.
Thanks
Justin
--
Justin Bennett
Network Administrator
Dynabrade, Inc.
Darin Perusich <Darin.Perusich at cognigencorp.com>
Sent by: nflug-bounces at nflug.org
07/16/2007 09:28 AM
Please respond to: nflug at nflug.org
To: nflug at nflug.org
cc:
Subject: Re: [nflug] squid reverse proxy SSL
When you reverse proxy an SSL site with squid you need to define the
https_port option and provide the cert/key for the site you're trying to
proxy. The site also cannot be set up as a transparent proxy; this would
be a man-in-the-middle and squid won't allow it.
I find that this is much easier to do with Apache and mod_proxy.
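# some ssl virtual host
<VirtualHost 0.0.0.0:443>
    ...
    ...
    ...
    # Order Deny,Allow evaluates Deny first and Allow last, so the net
    # effect is that every client may use the proxied locations
    <Proxy *>
        Order Deny,Allow
        Deny from all
        Allow from all
    </Proxy>
    # reverse proxy only: no forward proxying of arbitrary URLs
    ProxyRequests off
    # let mod_proxy speak SSL to the backend
    SSLProxyEngine on
    # backend certificate checking, against the CA certificate below
    SSLProxyVerify optional
    SSLProxyCACertificateFile /etc/apache2/ssl.crt/cacert.crt
    <Location "/proxysite/">
        ProxyPass https://internal.domain.com/
        ProxyPassReverse https://internal.domain.com/
    </Location>
</VirtualHost>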
justin.bennett at dynabrade.com wrote:
>
> Hey Folks,
>
> I am trying to set up a reverse proxy, basically I have a web
> service running on a server and I want to put it behind a squid reverse
> proxy. The application is SSL encrypted, I want the client (on the
> internet) to go through SSL to the reverse proxy, then the reverse proxy
> to go SSL to the web application (this is not necessary since the proxy
> and web server are on the same lan however it is currently set up this
> way).
>
> Here is my squid.conf
>
> http_port 8888
> httpd_accel_host 192.168.128.2
> httpd_accel_port 443
> httpd_accel_single_host on
> httpd_accel_with_proxy off
> httpd_accel_uses_host_header off
>
>
> when I do:
> https://reveseproxy.xxx.xxx:8888
>
> It just times out.
>
> Is there a trick to get squid to do SSL? I assume it's just expecting
> http not https from the client to the reverse proxy?
>
> Thanks
> Justin
>
> --
> Justin Bennett
> Network Administrator
> Dynabrade, Inc.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> nflug mailing list
> nflug at nflug.org
> http://www.nflug.org/mailman/listinfo/nflug
--
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper at cognigencorp.com
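
The Squid side that the reply describes in words (https_port plus the site's cert/key), written out as a squid.conf. This is an added example, not configuration from either poster. It assumes Squid 2.6 to 3.x option names and a Squid built with SSL support; the certificate paths, proxy.example.com, the peer name webapp and the backend certificate name are placeholders, while 192.168.128.2:443 and port 8888 come from the original question.

```squidconf
# Added example; assumes Squid 2.6-3.x directive names and an SSL-enabled build.
# Placeholders: proxy.example.com, all file paths, the peer name "webapp",
# and internal.domain.com as the name in the backend's certificate.

# Client side: Squid terminates SSL itself, so it needs the published
# site's own certificate and private key (keep the key readable only by
# the squid user).
https_port 8888 accel cert=/etc/squid/ssl/proxy.example.com.crt key=/etc/squid/ssl/proxy.example.com.key defaultsite=proxy.example.com

# Backend side: re-encrypt to the web application and verify its
# certificate against the internal CA. The peer is addressed by IP, so
# ssldomain= supplies the name expected in its certificate.
cache_peer 192.168.128.2 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ssl/internal-ca.crt ssldomain=internal.domain.com name=webapp

# Accelerate only the published site; refuse everything else so the
# listener cannot be used as a forward proxy.
acl published_site dstdomain proxy.example.com
http_access allow published_site
http_access deny all

# Send published-site requests to the backend peer and nowhere else.
cache_peer_access webapp allow published_site
cache_peer_access webapp deny all
never_direct allow all
```

With a plain http_port listener, as in the quoted squid.conf, Squid expects cleartext HTTP on that port, which is consistent with the https:// request timing out.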