Re: [squid-users] Need Help adding SSL support in squid.conf for 2 of the 4 domains I am caching

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 14 Dec 2010 23:24:26 +0000

On Tue, 14 Dec 2010 14:28:06 -0500, Raymond Leonard <rclchamp_at_gmail.com>
wrote:
> Hello all,
>
> I have a working squid.conf that allows me to access im01.cppt.com,
> and img02.cppt.com. I have been tasked
> to add ssl support so that the content can be accessed via http and https.
>
> Here is my working squid.conf--
>
> ------------------------------------------------------------------------------------------------------
> http_port 80 accel defaultsite=img01.cppt.com vhost
> cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel
> cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2
> cache_peer 172.19.23.95 parent 80 0 no-query originserver name=myAccel_bu
> cache_peer 172.19.23.12 parent 80 0 no-query originserver name=server_2_bu
>
> acl all src 0.0.0.0/0.0.0.0
> acl our_sites dstdomain img01.cppt.com
> acl sites_server_2 dstdomain img02.cppt.com
> acl our_sites3 dstdomain image1.emktg.com
> acl our_sites4 dstdomain image2.emktg.com
>
> http_access allow our_sites
> http_access allow sites_server_2
> http_access allow our_sites3
> http_access allow our_sites4
>
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel_bu allow our_sites
> cache_peer_access server_2 allow sites_server_2
> cache_peer_access server_2 allow our_sites3
> cache_peer_access server_2 allow our_sites4
> cache_peer_access server_2_bu allow sites_server_2
> cache_peer_access server_2_bu allow our_sites3
> cache_peer_access server_2_bu allow our_sites4
>
> -----------------------------------------------------------------------------
>
>
> I have created the wild card certificate on the squid server. Just was
> wondering
> if someone could help with my new squid.conf file to accomplish this.
> Here is what I have done thus far--
>

Your spec above says "via http and https", therefore keep the old config.
Add the HTTPS bits into it, step by step.

Step 1) port to accept traffic.

>
> ---------------------------
>
> https_port 443 cert=/usr/newrprgate/CertAuth/testcert.cert
> key=/usr/newrprgate/CertAuth/testkey.pem default
> defaultsite=img01.cppt.com vhost

Slightly altered:

 https_port 443 accel defaultsite=img01.cppt.com vhost
   cert=/usr/newrprgate/CertAuth/testcert.cert
   key=/usr/newrprgate/CertAuth/testkey.pem

and place it next to the existing http_port entry. (I've wrapped for
brevity, it's one long line)

This can be done by itself, no other changes. When the certs work the site
should be contactable via https:// immediately. The proxy->origin traffic
will still be HTTP-only but the public side should be fully working HTTPS
to the proxy. Test this and make sure it works before going any more
complicated.

>
> cache_peer 172.19.23.91 parent 443 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER name=myAccelsecure
> cache_peer 172.19.23.92 parent 443 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER name=server_2secure
>
> cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel
> cache_peer 172.19.23.92 parent 80 0 no-query originserver name=server_2
> cache_peer 172.19.23.95 parent 80 0 no-query originserver name=myAccel_bu
> cache_peer 172.19.23.12 parent 80 0 no-query originserver name=server_2_bu
>
> acl all src 0.0.0.0/0.0.0.0
> acl our_sitessecure dstdomain img01.cppt.com
> acl sites_server_2secure dstdomain img02.cppt.com
> acl our_sites dstdomain img01.cppt.com
> acl sites_server_2 dstdomain img02.cppt.com
> acl our_sites3 dstdomain image.emktg.com
> acl our_sites4 dstdomain image4.emktg.com
>

No need for the our_sites*secure* variant rules. They duplicate the
earlier definition. Only used internally to the config file so the old
definition can be re-used.

>
> http_access allow our_sitessecure
> http_access allow sites_server_2secure
>
> http_access allow our_sites
> http_access allow sites_server_2
> http_access allow our_sites3
> http_access allow our_sites4
>
>
>
> cache_peer_access myAccelsecure allow our_sitessecure
> cache_peer_access server_2secure allow sites_server_2secure
>
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel_bu allow our_sites
> cache_peer_access server_2 allow sites_server_2
> cache_peer_access server_2 allow our_sites3
> cache_peer_access server_2 allow our_sites4
> cache_peer_access server_2_bu allow sites_server_2
> cache_peer_access server_2_bu allow our_sites3
> cache_peer_access server_2_bu allow our_sites4
> -----------------------------------------------------
>
> Any help is much appreciated. Thanks for looking!

Question:
  does it matter if HTTPS traffic to the proxy goes over HTTP links back
to the origin server or vice versa?

If not you can drop half the cache_peer links and use the originals, or
convert them to SSL links. It is a simpler and more easily maintained
config if all the traffic back to origins can share links.

Otherwise you will need to add a "proto HTTPS" ACL to the config and lock
down which protocol goes where in addition to the domain names.

Amos
Received on Tue Dec 14 2010 - 23:24:29 MST
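An added sanity check, not code from this thread or from Squid itself: a small Python checker that walks a squid.conf in Squid's own top-down order and reports acl or peer names used before they are defined (the kind of slip the `our_sitesecure` typo in the draft above would produce), plus any peer carrying `sslflags=DONT_VERIFY_PEER`, since that flag turns off certificate validation of the origin. The sample config embedded in it is constructed for the example; the `proto HTTPS` acl it uses follows Amos's suggestion, and the `name=` default and the top-down parsing order are assumptions about Squid's behaviour.

```python
"""Cross-check a squid.conf: acl names used in http_access and
cache_peer_access must already be defined, peer names used in
cache_peer_access must come from an earlier cache_peer line (Squid parses
top-down and rejects forward references), and peers carrying
sslflags=DONT_VERIFY_PEER are reported, since that flag disables
certificate checking of the origin."""
import re

# Constructed sample modelled on the draft config in this thread; it keeps
# the poster's typo "our_sitesecure" so the checker has something to find.
SAMPLE = """\
https_port 443 accel defaultsite=img01.cppt.com vhost cert=/path/c.cert key=/path/k.pem
cache_peer 172.19.23.91 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=myAccelsecure
cache_peer 172.19.23.91 parent 80 0 no-query originserver name=myAccel
acl all src 0.0.0.0/0.0.0.0
acl our_sites dstdomain img01.cppt.com
acl HTTPS proto HTTPS
http_access allow our_sites
cache_peer_access myAccelsecure allow our_sitesecure HTTPS
cache_peer_access myAccel allow our_sites !HTTPS
"""


def check_squid_conf(text):
    """Return (list of error strings, sorted names of unverified SSL peers)."""
    acls, peers, unverified, errors = set(), set(), set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not words:
            continue
        directive = words[0]
        if directive == "acl":
            acls.add(words[1])
        elif directive == "cache_peer":
            m = re.search(r"\bname=(\S+)", raw)
            peer = m.group(1) if m else words[1]  # assumed: name defaults to host
            peers.add(peer)
            if "sslflags=DONT_VERIFY_PEER" in words:
                unverified.add(peer)
        elif directive in ("http_access", "cache_peer_access"):
            acl_words = words[2:]
            if directive == "cache_peer_access":
                acl_words = words[3:]
                if words[1] not in peers:
                    errors.append(f"line {lineno}: unknown peer {words[1]}")
            for w in acl_words:          # a leading "!" negates an acl
                if w.lstrip("!") not in acls:
                    errors.append(f"line {lineno}: undefined acl {w.lstrip('!')}")
    return errors, sorted(unverified)
```

Run it over the real file before a reload: Squid refuses to start on an undefined acl name, and a DONT_VERIFY_PEER peer is worth a deliberate decision rather than a copy-paste.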
