RE: [squid-users] Reverse Proxy and Externally Generated Wildcard SSL Certificates
John,

I believe what you need to do is export the Certificates from the IIS servers, they will be saved in a .pfx file, which is the PKCS12 format. OpenSSL can convert these into the PEM format that squid supports, these commands will give you the desired output.

Exports the Certificate:

    openssl pkcs12 -in server.pfx -out server.crt -nodes -nokeys -clcerts

Exports the Private Key (Note: will not be encrypted, store in a safe place):

    openssl pkcs12 -in server.pfx -out server.key -nodes -nocerts -clcerts

The openssl man page and the pkcs12 man page will have more information about these options if you need them.

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co

-----Original Message-----
From: John Gardner [mailto:john.gard...@southtyneside.gov.uk]
Sent: Sunday, February 13, 2011 2:13 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Reverse Proxy and Externally Generated Wildcard SSL Certificates

> Hi everyone.
>
> I've got a query about running Squid as a Reverse Proxy that I hope someone can answer. Over the past year, I've been tasked with introducing several Squid servers into our organisation; most of them so far have been internal caching proxies, but I'm now at the stage where I need to implement a Reverse Proxy (RP) in our DMZ. We're going to offload the SSL onto the RP using a Wildcard SSL Certificate and during testing I used the advice here: http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate. This was great to test everything and worked well.
>
> However, now I'm ready to put this into a Production environment and I have to deal with the fact that we are fundamentally a Windows house. They have already procured wildcard SSL certificates from Verisign, where the original CSR was generated on a Windows server, sent off to the CA (Verisign) and then the wildcard certificate returned to us. My question is quite simple: how do I import the wildcard certificate into openssl on the RP server?
>
> All the examples I've seen online assume that you're generating the CSR on the proxy server itself, but I don't have that luxury unfortunately. I know this is more of an OpenSSL question rather than a pure Squid question; I was just hoping that someone on the list has already done this and can give me some advice.
>
> Thanks in advance.
>
> John
>
> This email and any files transmitted with it are intended solely for the named recipient and may contain sensitive, confidential or protectively marked material up to the central government classification of RESTRICTED which must be handled accordingly. If you have received this e-mail in error, please immediately notify the sender by e-mail and delete from your system; unless you are the named recipient (or authorised to receive it for the recipient) you are not permitted to copy, use, store, publish, disseminate or disclose it to anyone else. E-mail transmission cannot be guaranteed to be secure or error-free as it could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses and therefore the Council accept no liability for any such errors or omissions. Unless explicitly stated otherwise views or opinions expressed in this email are solely those of the author and do not necessarily represent those of the Council and are not intended to be legally binding. All Council network traffic and GCSX traffic may be subject to recording and/or monitoring in accordance with relevant legislation.
>
> South Tyneside Council, Town Hall Civic Offices, Westoe Road, South Shields, Tyne Wear, NE33 2RL, Tel: 0191 427 1717, Website: www.southtyneside.info
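Dean's two commands, wrapped as an added shell example that is not from the thread: the script supplies the .pfx password explicitly, writes the unencrypted key owner-only, and confirms the exported key really belongs to the certificate before Squid is pointed at them. The self-signed wildcard .pfx it can build is a constructed fixture, and the file names and the password "export" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: turn a Windows/IIS .pfx (PKCS#12) export
# into the PEM certificate and key that Squid's https_port reads, and check
# that the two actually belong together before deploying them.
set -eu

# Same two openssl invocations Dean gives, with the .pfx password supplied
# explicitly (IIS exports are normally password-protected) and the
# unencrypted key written owner-only, since -nodes leaves it in the clear.
pfx_to_pem() {
    pfx=$1; crt=$2; key=$3; pass=${4:-}
    openssl pkcs12 -in "$pfx" -out "$crt" -nodes -nokeys -clcerts -passin "pass:$pass"
    (umask 077; openssl pkcs12 -in "$pfx" -out "$key" -nodes -nocerts -clcerts -passin "pass:$pass")
    chmod 600 "$key"
}

# A certificate and key belong together when their public keys are identical.
# Returns 0 on match, 1 otherwise.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$2" -pubout)
    [ "$from_cert" = "$from_key" ]
}

# Print the certificate subject so the wildcard (e.g. CN=*.example.test) can be checked.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Constructed fixture (assumed names): a throwaway self-signed wildcard cert
# bundled into a password-protected .pfx, standing in for the IIS export.
make_test_pfx() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
        -keyout "$dir/orig.key" -out "$dir/orig.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/orig.crt" -inkey "$dir/orig.key" \
        -out "$dir/server.pfx" -passout pass:export
}

# Usage: sh pfx2pem.sh server.pfx server.crt server.key [pfx-password]
if [ $# -ge 3 ]; then
    pfx_to_pem "$1" "$2" "$3" "${4:-}"
    cert_subject "$2"
    if cert_matches_key "$2" "$3"; then
        echo "certificate and key match; point Squid's https_port cert=/key= at them"
    else
        echo "MISMATCH: $3 is not the key for $2" >&2; exit 1
    fi
fi
```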
RE: [squid-users] Reverse Proxy and Externally Generated Wildcard SSL Certificates
> John,
>
> I believe what you need to do is export the Certificates from the IIS servers, they will be saved in a .pfx file, which is the PKCS12 format. OpenSSL can convert these into the PEM format that squid supports, these commands will give you the desired output.
>
> Exports the Certificate:
>
>     openssl pkcs12 -in server.pfx -out server.crt -nodes -nokeys -clcerts
>
> Exports the Private Key (Note: will not be encrypted, store in a safe place):
>
>     openssl pkcs12 -in server.pfx -out server.key -nodes -nocerts -clcerts
>
> The openssl man page and the pkcs12 man page will have more information about these options if you need them.

Dean,

Thanks for the help, but I've just found out that the CSR (and therefore private key) were all generated from a Juniper VPN Appliance and so now all bets are off :-/

Cheers
RE: [squid-users] Reverse Proxy and Externally Generated Wildcard SSL Certificates
-----Original Message-----
From: John Gardner [mailto:john.gard...@southtyneside.gov.uk]
Sent: Monday, February 14, 2011 8:25 AM
To: Dean Weimer; squid-users@squid-cache.org
Subject: RE: [squid-users] Reverse Proxy and Externally Generated Wildcard SSL Certificates

> Dean,
>
> Thanks for the help, but I've just found out that the CSR (and therefore private key) were all generated from a Juniper VPN Appliance and so now all bets are off :-/
>
> Cheers

They may already be stored in PEM format then; the JUNOS that runs on most Juniper devices was originally derived from FreeBSD and as such its SSL implementation is likely based on OpenSSL (of course that's just a guess). I haven't worked on any Juniper devices myself, so I am of no help in figuring out how to export them.

If they were generated on the Juniper VPN appliance, is that device already doing HTTPS offloading for you? You might not get the desired benefit moving that to a Squid proxy server if it is; perhaps just placing the proxy between the VPN appliance and the backend web server to utilize the cache would give you the desired outcome without needing to move the SSL.

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co
RE: [squid-users] Reverse Proxy and Externally Generated Wildcard SSL Certificates
> They may already be stored in PEM format then; the JUNOS that runs on most Juniper devices was originally derived from FreeBSD and as such its SSL implementation is likely based on OpenSSL (of course that's just a guess). I haven't worked on any Juniper devices myself, so I am of no help in figuring out how to export them.
>
> If they were generated on the Juniper VPN appliance, is that device already doing HTTPS offloading for you? You might not get the desired benefit moving that to a Squid proxy server if it is; perhaps just placing the proxy between the VPN appliance and the backend web server to utilize the cache would give you the desired outcome without needing to move the SSL.

Dean,

The Juniper box and the Squid box are on different segments of the DMZ and have different purposes... the Squid RP is /just/ for external users accessing Websites whereas the Juniper just handles external VPN users.

Thanks for the help anyway.

John
Re: [squid-users] Reverse Proxy and Externally Generated Wildcard SSL Certificates
On 13/02/11 21:12, John Gardner wrote:

> Hi everyone.
>
> I've got a query about running Squid as a Reverse Proxy that I hope someone can answer. Over the past year, I've been tasked with introducing several Squid servers into our organisation; most of them so far have been internal caching proxies, but I'm now at the stage where I need to implement a Reverse Proxy (RP) in our DMZ. We're going to offload the SSL onto the RP using a Wildcard SSL Certificate and during testing I used the advice here: http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate. This was great to test everything and worked well.
>
> However, now I'm ready to put this into a Production environment and I have to deal with the fact that we are fundamentally a Windows house. They have already procured wildcard SSL certificates from Verisign, where the original CSR was generated on a Windows server, sent off to the CA (Verisign) and then the wildcard certificate returned to us. My question is quite simple: how do I import the wildcard certificate into openssl on the RP server?
>
> All the examples I've seen online assume that you're generating the CSR on the proxy server itself, but I don't have that luxury unfortunately. I know this is more of an OpenSSL question rather than a pure Squid question; I was just hoping that someone on the list has already done this and can give me some advice.
>
> Thanks in advance.
>
> John

It does not matter where the files are generated. As long as they are stored on the Squid box for Squid to access.

For Squid you do not have to install anything into OpenSSL, which is just a library.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.4