Hello,

Currently we’ve got the following situation in our production environment:

Clients —HTTP—> Apache —HTTPS TWO-WAY SSL VIA EXTERNAL PROXY —> HTTPS SERVERS

Just to be clear, the following services are used during this flow:

http client (firefox, chrome, curl, wget, etc.) —> Apache (which sets up two-way
SSL) —> Squid (which simply proxies HTTPS CONNECT) —> HTTPS services of other
parties on the internet, supporting two-way SSL

We’ve realized this using the following configuration on the apache service:

LoadModule ssl_module modules/mod_ssl.so

Listen *:3128

<VirtualHost *:3128>

  # Outbound TLS from Apache to the upstream: present our client (machine)
  # certificate and require the upstream server certificate to verify against our CA.
  SSLProxyEngine On
  SSLProxyVerify require
  SSLProxyVerifyDepth 10
  SSLProxyMachineCertificateFile /etc/httpd/certs/client.pem
  SSLProxyCACertificateFile      /etc/httpd/certs/ca.crt

  # Rewrite every incoming plain-HTTP request to HTTPS on the same Host header
  # and hand it to mod_proxy ([P]).
  RewriteEngine On
  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]

  ProxyPreserveHost On
  ProxyPass            /  https://$1/
  ProxyPassReverse     /  https://$1/

  # All proxied HTTPS traffic leaves through the external proxy.
  ProxyRemote https http://192.168.68.102:3128
</VirtualHost>

We’re trying to replace the Apache service with Squid. I’ve installed Squid
3.1.10 on CentOS 6.6 and have realized two-way SSL in a development
environment:

http client —> Squid 3.1.10 —> https two-way ssl directly —> https.example.com

# Accept plain HTTP from clients; defaultsite/vhost make this an accelerator port.
http_port 3128 defaultsite=https.example.com vhost
# Origin peer reached over TLS with our client certificate; sslcafile is the CA
# used to verify the peer's server certificate.
cache_peer https.example.com parent 443 0 no-query originserver ssl sslcert=/etc/squid/certs/client.crt sslkey=/etc/squid/certs/client.key name=httpToHttps2way sslcafile=/etc/squid/certs/ca.crt
cache_peer_access httpToHttps2way allow all
cache deny all

There are two things I haven’t realized in the development environment, because
I don’t know how:
1. Making Squid 3.1.10 use a proxy system, because that’s our policy for
communicating with the outside world. In Apache we use the following directive:
“ProxyRemote https http://192.168.68.102:3128”
2. Making the configuration as variable as possible, so that Squid 3.1.10
handles all the different http client requests to different https servers and sends
them on as https two-way ssl. Currently it only handles requests for
https.example.com.

Any help is welcome.

Abdelouahed
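Added example (not part of the original post) for the second point: a squid.conf fragment with one two-way SSL origin peer per destination, selected by the request's Host header, so a new destination is a new cache_peer plus an ACL rather than a new Squid instance. partner.example.net, the per-peer certificate paths and the peer names are assumed placeholders; the first point (sending the peer TLS connection through the external proxy) is not covered here.

```conf
# Accept plain HTTP from internal clients; vhost selects the peer by Host header.
http_port 3128 defaultsite=https.example.com vhost

# One peer per upstream, each with its own client certificate and CA.
# ssldomain makes Squid check that the peer certificate matches the expected name.
cache_peer https.example.com parent 443 0 no-query originserver ssl sslcert=/etc/squid/certs/example-client.crt sslkey=/etc/squid/certs/example-client.key sslcafile=/etc/squid/certs/ca.crt ssldomain=https.example.com name=peer_example
cache_peer partner.example.net parent 443 0 no-query originserver ssl sslcert=/etc/squid/certs/partner-client.crt sslkey=/etc/squid/certs/partner-client.key sslcafile=/etc/squid/certs/partner-ca.crt ssldomain=partner.example.net name=peer_partner

# Destination ACLs matched against the Host header of the incoming request.
acl to_example dstdomain https.example.com
acl to_partner dstdomain partner.example.net

# Bind each destination to exactly one peer so the right client cert is used.
cache_peer_access peer_example allow to_example
cache_peer_access peer_example deny all
cache_peer_access peer_partner allow to_partner
cache_peer_access peer_partner deny all

# Only the listed destinations are reachable. never_direct stops Squid from
# falling back to a direct fetch, which would skip the client certificate.
acl allowed_dst dstdomain https.example.com partner.example.net
http_access allow allowed_dst
http_access deny all
never_direct allow all

cache deny all
```

Adding a destination means adding its cache_peer, its dstdomain ACL, the two cache_peer_access lines and its name to allowed_dst; nothing else changes.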
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users