
I have a file server (that hosts update files) and I want to use a proxy server to cache some of these updates. The problem is that I want to do this via HTTPS, not plain HTTP.

Basically my use case is the following:

I have 3 machines: a client machine, a proxy server and an updates server. The client asks the proxy if there is an update available. The proxy will then download any update, cache it and deliver it to the client. This means that the proxy will intercept the server data, decrypt it, store it and then pass it on. The next time the client asks the proxy for an update, it will give it the cached one and will not "bother" the actual update server. I know the example seems a bit redundant, but imagine that there is more than one client.

My update server is using HTTPS. For this I've created a self-signed certificate using OpenSSL. I've imported this certificate on the proxy server and the client machine, but I'm unable to read/decrypt the HTTPS traffic (i.e. read the files/updates). Either that or the client keeps receiving "self-signed certificate" errors.

What I want to know is this: Am I doing it all wrong? Is what I'm trying to do not achievable using a self-signed certificate? Do I need to register a domain and get a rootCA for my update server?

I have some working code, but at this point I just want to know if this can work using only a self-signed certificate. If it can, then I'll also post code if necessary and ask additional questions.

Thanks!

conectionist
  • Your question is off-topic here but it seems you are reinventing all HTTP caching mechanisms. What you describe is in core HTTP. Also the traffic between client and (reverse) proxy is HTTPS and then from proxy to real server can be HTTP or HTTPS: HTTP if you control all the network between the two, or else HTTPS as well. If HTTPS, there are 2 completely separate "legs" and indeed in proxy memory at least the content will appear in plain text. You can of course use a self-signed certificate for the backend server... if the proxy is correctly configured to accept it. – Patrick Mevzek Feb 11 '20 at 14:48
  • Your question is probably more for [sf] but you will need to provide snippets of configuration and details (you are not even mentioning the software used for the proxy or back end server), as well as troubleshooting attempts (both commands tested and their outputs). – Patrick Mevzek Feb 11 '20 at 14:49
  • Whether the client will accept the self-signed certificate depends fully on the client. In general it is possible if the client does not insist on the original certificate and if you can add your own certificate to the client's trust store and if the certificate matches the expected hostname. – Steffen Ullrich Feb 11 '20 at 15:00
  • @PatrickMevzek you're right, this would have been more appropriate for ServerFault. Is there any way to migrate it there? – conectionist Feb 12 '20 at 09:21
  • @PatrickMevzek Let's just say I need HTTPS everywhere and that plain HTTP is not an option for me. So, you're saying that a self-signed certificate should work? In that case I will also post some code. – conectionist Feb 12 '20 at 09:26
  • @SteffenUllrich On the client side, I'm using web browsers for testing (Firefox and Chrome), but even after importing the self-signed certificate, the browsers still do not trust the certificate (without my adding an exception). – conectionist Feb 12 '20 at 09:30
  • @conectionist: If no automatic trust happens after importing as trusted then either the import was done wrong or the certificate does not match the domain you use or is expired or similar certificate problems. – Steffen Ullrich Feb 12 '20 at 09:40
  • It depends on where you import the certificate into. Some browsers use their own trust store, some use the system's trust store, and this even varies between different OS platforms. Which have you been trying it with? – not2savvy Feb 21 '20 at 14:54
  • @not2savvy I've mostly used Firefox, but I also did a couple of tests with Chrome and neither of them work. – conectionist Feb 26 '20 at 14:11
  • @conectionist I just noticed that in a previous comment you say, "the browsers still do not trust the certificate (without my adding an exception)". I should clarify that it's not enough to just import the certificate, but you must also **trust it** manually (once) because a self-signed certificate hasn't been signed by a trusted CA. – not2savvy Feb 26 '20 at 14:20
  • @not2savvy That's what I'd like to NOT do. I want it to work out the box like it would work with a regular https site. – conectionist Feb 28 '20 at 13:27
  • @conectionist I'm afraid that's not possible. Self-signed certificates need to be trusted. The commercial CA root certificates (which are self-signed, too) come pre-trusted with your OS and/or browser app. This means, the OS or app manufacturers have trusted them for you. For your own self-signed certificate, this step must be performed manually. – not2savvy Feb 28 '20 at 14:32
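The two conditions Steffen Ullrich names in the comments (the self-signed certificate must be in the client's trust store, and its name must match the host the client connects to) can be reproduced offline with Go's `crypto/x509` verifier. This is an added example, not code from the question or the comments; the certificate is generated in-process to stand in for the OpenSSL one, and the hostnames are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned stands in for the question's OpenSSL-made certificate: self-signed, server name in the SAN.
func selfSigned(host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN, not the CN, is what browsers match
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// verify is the chain check a TLS client performs: trusted is what was imported into the client's trust store (nil = nothing), host the name dialled.
func verify(cert, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if trusted != nil {
		roots.AddCert(trusted)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
func main() {
	cert := selfSigned("updates.example.internal")
	// Nothing imported: x509.UnknownAuthorityError, the browser's "self-signed certificate" warning.
	fmt.Println(verify(cert, nil, "updates.example.internal"))
	// Imported as trusted and the SAN matches the name dialled: <nil>.
	fmt.Println(verify(cert, cert, "updates.example.internal"))
	// Imported, but the client reached the machine under another name: x509.HostnameError.
	fmt.Println(verify(cert, cert, "proxy.example.internal"))
}
```

The third case is the one to check when the certificate is imported but the client talks to the proxy under a name the update server's certificate does not carry.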
