4

I'm trying to set up squid as a load-balancing reverse-proxy, and I'm having a bit of trouble with the SSL. One of the site's applications checks to see if a site is loaded over SSL, and behaves differently if that is the case, so I need SSL connections to be proxied over SSL, and non-SSL connections to be proxied without it.

Right now, the squid server accepts connections over HTTP and HTTPS, but it only makes connections over HTTP to the upstream servers.

The interesting part of my squid configuration looks like this:

http_port 80 vhost vport
https_port 443 vhost vport  cert=/etc/cert.pem key=/etc/cert.key
cache_peer 10.0.0.10 parent 80 0 originserver round-robin
cache_peer 10.0.0.11 parent 80 0 originserver round-robin

Is there a simple way to tell it to proxy the SSL connections upstream over SSL, while leaving the others alone?

tylerl

1 Answer

4

UPDATE (actually tried this from my squid...):

# HTTPS side: requests that arrived on port 443 go to the TLS peer only
acl is_ssl port 443
https_port 443 cert=<yourcert> key=<yourkey> accel name=site_ssl defaultsite=<your_external_site>
cache_peer <your_internal_ssl> parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site_ssl
cache_peer_access site_ssl allow is_ssl
cache_peer_access site_ssl deny !is_ssl

# HTTP side: requests that arrived on port 80 go to the plain-HTTP peer only
acl nonssl port 80
http_port 80 accel defaultsite=<your_external_site>  name=site_nonssl
cache_peer <your_internal_nonssl> parent 80 0 no-query name=site_nonssl originserver
cache_peer_access site_nonssl allow nonssl
cache_peer_access site_nonssl deny !nonssl

ORIGINAL ANSWER BELOW HERE:

You want something like

cache_peer 10.0.0.11 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site_ssl
# acl name matches the two references below
acl ssl_servers dstdomain site_ssl
cache_peer_access site_ssl allow ssl_servers
http_access allow ssl_servers
quadruplebucky
  • I tried the configuration above, and when the lines related to port 80 are added to the conf file it works fine. However, as soon as I add the lines related to port 443 (more precisely lines 2 and 3) the squid service exits with the following error: `No valid signing SSL certificate configured for HTTPS_port [::]:443`. I'm using a self-signed certificate created with the openssl command line. What about your certificate? How did you generate it? – Bemipefe Apr 17 '20 at 15:01
  • I figured out that the certificate must be trusted in order to be used by squid, so I created a certificate with my CA and added the root certificate as specified [here](https://stackoverflow.com/a/45000022/1423806). – Bemipefe Apr 20 '20 at 11:08
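A quick way to catch the kind of slip the answer's config is prone to (an acl referenced in `cache_peer_access` that was never defined, or a `cache_peer_access` line naming a peer that does not exist) before reloading Squid. This is an added example, not code from the question, the answer or the Squid project. The embedded config is a constructed sample: the answer's updated fragment with its `<...>` placeholders replaced by obviously fake values, and with the `!is_nonssl` typo left in so the checker has something to report. It also flags `sslflags=DONT_VERIFY_PEER` (Squid 4 spells the peer options `tls` and `tls-flags`; both spellings are checked), since that flag turns off verification of the upstream server's certificate, and a peer on port 443 declared without `ssl`/`tls`, which would make Squid speak plaintext HTTP to a TLS port. The directive handling assumes the standard `acl NAME TYPE ...`, `cache_peer HOST TYPE HTTP_PORT ICP_PORT [options]`, `cache_peer_access PEER allow|deny ACL...` and `http_access allow|deny ACL...` forms.

```python
"""Cross-reference checks for the acl / cache_peer part of a squid.conf fragment."""
from typing import Dict, List, Set, Tuple

# Constructed sample, not a real deployment: the answer's updated fragment with
# fake values filled in.  The last line keeps the "!is_nonssl" typo on purpose.
SAMPLE_CONF = """\
acl is_ssl port 443
https_port 443 cert=/etc/cert.pem key=/etc/cert.key accel name=site_ssl defaultsite=www.example.test
cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site_ssl
cache_peer_access site_ssl allow is_ssl
cache_peer_access site_ssl deny !is_ssl

acl nonssl port 80
http_port 80 accel defaultsite=www.example.test name=site_nonssl
cache_peer 10.0.0.11 parent 80 0 no-query name=site_nonssl originserver
cache_peer_access site_nonssl allow nonssl
cache_peer_access site_nonssl deny !is_nonssl
"""

BUILTIN_ACLS = {"all"}  # implicitly defined by Squid 3.2 and later

# peer name -> (http port, {option: value}); flag-style options map to "".
Peers = Dict[str, Tuple[str, Dict[str, str]]]
# (line number, directive, peer name or None, [acl names as written])
AclUse = Tuple[int, str, str, List[str]]


def parse_conf(conf: str) -> Tuple[Set[str], Peers, List[AclUse]]:
    """Collect acl definitions, cache_peer declarations and acl-using lines."""
    acls: Set[str] = set()
    peers: Peers = {}
    uses: List[AclUse] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # squid.conf comments start with '#'
        if not line:
            continue
        tok = line.split()
        directive = tok[0]
        if directive == "acl" and len(tok) >= 3:
            acls.add(tok[1])
        elif directive == "cache_peer" and len(tok) >= 5:
            host, port = tok[1], tok[3]
            opts: Dict[str, str] = {}
            for option in tok[5:]:
                key, _, value = option.partition("=")
                opts[key] = value
            # Without name=, Squid addresses the peer by its hostname.
            peers[opts.get("name") or host] = (port, opts)
        elif directive == "cache_peer_access" and len(tok) >= 4:
            uses.append((lineno, directive, tok[1], tok[3:]))
        elif directive == "http_access" and len(tok) >= 3:
            uses.append((lineno, directive, "", tok[2:]))
    return acls, peers, uses


def check_conf(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    acls, peers, uses = parse_conf(conf)
    findings: List[str] = []
    for lineno, directive, peer, names in uses:
        if peer and peer not in peers:
            findings.append(f"line {lineno}: {directive} refers to unknown cache_peer '{peer}'")
        for name in names:
            bare = name.lstrip("!")  # '!' negates the acl; the name is what must exist
            if bare not in acls and bare not in BUILTIN_ACLS:
                findings.append(f"line {lineno}: {directive} uses undefined acl '{bare}'")
    for name, (port, opts) in peers.items():
        uses_tls = "ssl" in opts or "tls" in opts
        flags = opts.get("sslflags", "") + opts.get("tls-flags", "")
        if uses_tls and "DONT_VERIFY_PEER" in flags:
            findings.append(f"cache_peer '{name}': DONT_VERIFY_PEER disables upstream certificate verification")
        if port == "443" and not uses_tls:
            findings.append(f"cache_peer '{name}': port 443 without the ssl/tls option, Squid would send plaintext HTTP")
    return findings


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print(finding)
```

Run against the sample it reports the undefined `is_nonssl` acl on the last line and the unverified TLS peer; fix the typo to `!nonssl` and only the certificate-verification note remains.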