
I'm trying to use squid as a reverse proxy in front of a single website, to decrypt the SSL on the proxy and then to encrypt the connection to the webserver (this is in order to use squid as an ICAP client for a zero trust CDR product).

I can see that this requires two config lines: https_port 1.2.3.4:443 accel for the listener and cache_peer 1.2.4.8 parent 443 for the webserver.

Following the examples I've found here and elsewhere, I hit various errors from Squid, in particular this one:

FATAL: No valid signing certificate configured for HTTPS_port

A known-working configuration for Squid 4.x would be very helpful!

1 Answer


Evidently the examples I found were all for earlier versions of squid.

For this problem, my main takeaway was that cert= and key= in the https_port config line are no longer correct and we need to use tls-cert= and tls-key= instead.

So (for Squid v4.15) I just need the webserver certificate and its private key, and these lines in squid.conf:

https_port 1.2.3.4:443 accel defaultsite=mysite.com tls-cert=/etc/squid/myserver.pem
cache_peer 1.2.4.8 parent 443 0 no-query originserver login=PASS ssl

This works for a .PEM which includes the certificate and the unencrypted private key. If the key is in a separate file, this should work:

https_port 1.2.3.4:443 accel defaultsite=mysite.com tls-cert=/etc/squid/myserver.pem tls-key=/etc/squid/myserver.key
cache_peer 1.2.4.8 parent 443 0 no-query originserver login=PASS ssl

If that key is encrypted, you'll either need to start squid manually (e.g. run squid -N in a screen session) or add an sslpassword_program config line to provide the PEM passphrase.

NB: I found that an http_port config line (e.g. http_port 3128) was still required for squid to start up.

All the configuration file directives are documented here: http://www.squid-cache.org/Doc/config/
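The pitfalls in the answer above (Squid 3 style cert=/key= on https_port, a PEM without a private key, a passphrase-protected key, a missing http_port, a cache_peer without originserver or ssl) are easy to catch before restarting Squid. The following linter is an added example written for this page; it is not Squid's own parser and not the answerer's code. The regexes, the check logic, the /etc/squid paths and the PEM texts are all assumptions or constructed samples; the PEM contents are not real certificates or keys, and PEM files are passed in as strings so the script runs offline.

```python
"""Lint the reverse-proxy directives of a Squid 4 squid.conf (added example)."""
import re
import shlex

# PEM markers we look for (our own regexes, not Squid's parser).
RE_CERT = re.compile(r"-----BEGIN CERTIFICATE-----")
RE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
RE_ENCRYPTED = re.compile(r"-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED")
OLD_TO_NEW = {"cert": "tls-cert", "key": "tls-key"}  # Squid 3 option -> Squid 4 option


def parse_options(tokens):
    """Turn 'name=value' and bare-flag tokens of a port/peer line into a dict."""
    opts = {}
    for tok in tokens:
        name, sep, value = tok.partition("=")
        opts[name] = value if sep else True
    return opts


def fix_https_port(line):
    """Rewrite Squid 3 style cert=/key= on an https_port line to tls-cert=/tls-key=."""
    out = []
    for tok in shlex.split(line):
        name, sep, value = tok.partition("=")
        out.append(f"{OLD_TO_NEW[name]}={value}" if sep and name in OLD_TO_NEW else tok)
    return " ".join(out)


def check_https_port(args, pem_files):
    findings = []
    opts = parse_options(args[1:])  # args[0] is the listen address
    old = [o for o in ("cert", "key") if o in opts]
    if old:
        findings.append(("error", "https_port uses Squid 3 option(s) "
                         f"{', '.join(o + '=' for o in old)}; use tls-cert=/tls-key= instead"))
    if "accel" not in opts:
        findings.append(("warn", "https_port lacks 'accel'; it will not act as a reverse proxy"))
    cert_path = opts.get("tls-cert")
    if not cert_path:
        findings.append(("error", "https_port has no tls-cert=; Squid aborts with "
                         "'FATAL: No valid signing certificate configured for HTTPS_port'"))
        return findings
    cert_pem = pem_files.get(cert_path)
    if cert_pem is None:
        return findings + [("error", f"tls-cert file {cert_path} not found")]
    if not RE_CERT.search(cert_pem):
        findings.append(("error", f"{cert_path} contains no CERTIFICATE block"))
    key_path = opts.get("tls-key", cert_path)  # without tls-key= the key must be in the cert file
    key_pem = pem_files.get(key_path)
    if key_pem is None:
        findings.append(("error", f"tls-key file {key_path} not found"))
    elif not RE_KEY.search(key_pem):
        where = "tls-key file" if "tls-key" in opts else "tls-cert file and no tls-key= given"
        findings.append(("error", f"no PRIVATE KEY block in {key_path} ({where})"))
    elif RE_ENCRYPTED.search(key_pem):
        findings.append(("warn", f"private key in {key_path} is passphrase-protected; "
                         "add sslpassword_program or start squid -N interactively"))
    return findings


def check_cache_peer(args):
    if len(args) < 4:
        return [("error", "cache_peer needs host, type, http-port and icp-port")]
    host, peer_type, opts, findings = args[0], args[1], parse_options(args[4:]), []
    if peer_type != "parent":
        findings.append(("warn", f"cache_peer {host} is '{peer_type}', expected 'parent'"))
    if "originserver" not in opts:
        findings.append(("error", f"cache_peer {host} lacks 'originserver'; "
                         "requests would be sent as proxy requests"))
    if "ssl" not in opts and "tls" not in opts:
        findings.append(("warn", f"cache_peer {host} has neither 'ssl' nor 'tls'; "
                         "the hop to the origin stays cleartext"))
    return findings


def lint_squid_conf(conf_text, pem_files):
    """Return a list of (severity, message); pem_files maps path -> PEM text."""
    findings, saw_http, saw_https = [], False, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = shlex.split(line)
        if directive == "http_port":
            saw_http = True
        elif directive == "https_port":
            saw_https = True
            findings += check_https_port(args, pem_files)
        elif directive == "cache_peer":
            findings += check_cache_peer(args)
    if saw_https and not saw_http:
        findings.append(("error", "no http_port directive; Squid 4 still needs one to start"))
    return findings


# Constructed sample inputs: not real certificates or keys.
PEM_CERT_AND_KEY = ("-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
                    "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n")
PEM_ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...constructed...\n"
                     "-----END ENCRYPTED PRIVATE KEY-----\n")
PEM_FILES = {"/etc/squid/myserver.pem": PEM_CERT_AND_KEY,
             "/etc/squid/myserver-enc.key": PEM_ENCRYPTED_KEY}
# Squid 3 style lines as found in older examples (fail on Squid 4) and the working 4.15 config.
OLD_CONF = ("https_port 1.2.3.4:443 accel defaultsite=mysite.com cert=/etc/squid/myserver.pem\n"
            "cache_peer 1.2.4.8 parent 443 0 no-query login=PASS\n")
NEW_CONF = ("http_port 3128\n"
            "https_port 1.2.3.4:443 accel defaultsite=mysite.com tls-cert=/etc/squid/myserver.pem\n"
            "cache_peer 1.2.4.8 parent 443 0 no-query originserver login=PASS ssl\n")

if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(f"== {name} ==")
        for sev, msg in lint_squid_conf(conf, PEM_FILES) or [("ok", "no findings")]:
            print(f"{sev}: {msg}")
    print(fix_https_port(OLD_CONF.splitlines()[0]))
```

Running it prints four errors and one warning for the old-style config and no findings for the working one; adding tls-key= pointing at the encrypted sample key produces only the passphrase warning. The linter reads the PEM files only to confirm the markers are present, so it is a sanity check, not a substitute for squid -k parse.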