
Thread: Squid reverse proxy with multiple ssl certificates

  1. #1 Senior Member

    Squid reverse proxy with multiple ssl certificates

    Hi experts,

    I am a bit confused about these multiple SSL certificates. Let me explain my scenario. We have two HTTPS sites internally:

    site1: xyz.example.com:443
    site2: abc.example.com:443

    As far as I know an SSL certificate is only between two parties, but here squid is between the internal websites and the external world. At present we are creating a cert at the squid reverse proxy which encrypts the connection between squid and the client; this encryption is done by only one certificate for both machines. Coming to my question: can both sites have two certificates served by my squid reverse proxy? Can we transparently pass these certificates to the external world through squid? Please let me know if it's possible.

    My problem is similar to this one:

    http://ubuntuforums.org/showthread.php?t=611735

    Please comment if you did not understand the scenario.
    Thanks,
    Surendra Kumar Anne
    Linux: Fast, friendly, flexible and .... free!
    Support Open source.
    http://www.linuxnix.com

  2. #2 nixcraft

    You only configure squid at port 443 with an SSL certificate in reverse proxy mode. Your squid will connect to the LAN computers using http port syntax. You need two public IPs for two SSL certificates.
    All [Solved] threads are closed by mods / admin to avoid spam issues. See Howto mark a thread as [Solved]


  3. #3 Senior Member

    So to serve two different SSL certs we require two public IPs, so bad.. As I am not clear about this concept, can I have a link or some kind of explanation for this two-public-IP solution?
    Thanks,
    Surendra Kumar Anne

  4. #4 nixcraft

    I don't have a link but I know for sure, as one of my clients does the same and hosts 7 websites using a reverse proxy. I do not use squid due to limited support. I use nginx as a reverse proxy in caching mode. We have 7 public IPs assigned to nginx at port 443. Each request is sent to 12 Apache backend servers over http. If you need help regarding the nginx solution let me know. SSL is special so it needs a public IP for each certificate regardless of reverse proxy software such as Lighttpd, Squid, Pound, Varnish, Nginx and others.
    Last edited by nixcraft; 24th June 2010 at 03:27 PM.


  5. #5 Senior Member

    Thanks Vivek, for the complete explanation..
    Thanks,
    Surendra Kumar Anne

  6. #6 Senior Member

    I have some more questions..

    I hear that if we need multiple SSL certs, we need a different IP/TCP port combo for each certificate, i.e. for each SSL site we need to have one IP and one port opened for that site. Is this true, or can we just have multiple public IPs bound to a single port (443)? Please enlighten me..

    I have some other questions; depending on your replies I will shoot them here..

    Waiting for your valuable suggestions..
    Thanks,
    Surendra Kumar Anne

  7. #7 nixcraft

    You need a unique IP address per SSL host. The port should always be 443 (unless you are redirecting traffic to another port).


  8. #8 Senior Member

    Thanks for the inputs nixcraft.. here are some more questions..

    Suppose my reverse proxy server name is rp1.example.com

    My two sites are:

    abc.example.com
    xyz.example.com

    So I have given CNAME entries for these two pointing to rp1.example.com (public IP is 222.111.123.1).

    So how should I go about the other public IP so that it can point to xyz.example.com?

    Waiting for your inputs..
    Thanks,
    Surendra Kumar Anne

  9. #9 nixcraft

    You can do virtual hosting on the backend and configure the reverse proxy. No need to set up CNAMEs. Just point abc.example.com and xyz.example.com to 222.111.123.1 and you are done.

    Code:
    # Backend pools. The "cache" zone referenced below must be declared once in
    # the http block with proxy_cache_path before these server blocks are loaded.
    upstream abcexamplecom {
        server 192.168.1.2 weight=5 max_fails=2 fail_timeout=10s;
        server 192.168.1.3 weight=5 max_fails=2 fail_timeout=10s;
    }

    upstream xyzexamplecom {
        server 192.168.1.2:88 weight=5 max_fails=2 fail_timeout=10s;
        #server 192.168.1.3:88 weight=5 max_fails=2 fail_timeout=10s;
    }

    # Plain-http virtual hosts: nginx selects the server block by the Host
    # header, so both names can share one IP and port 80.
    server {
        server_name abc.example.com;
        location / {
            proxy_pass  http://abcexamplecom;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            proxy_cache            cache;
            proxy_cache_valid      200 24h;
            proxy_cache_use_stale  error timeout invalid_header updating http_500 http_502 http_503 http_504;
            proxy_ignore_headers   Expires Cache-Control;
            proxy_redirect off;
            proxy_buffering on;
            # Forward the original Host so Apache can pick its own virtual host
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        server_name xyz.example.com;
        location / {
            proxy_pass  http://xyzexamplecom;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            proxy_cache            cache;
            proxy_cache_valid      200 24h;
            proxy_cache_use_stale  error timeout invalid_header updating http_500 http_502 http_503 http_504;
            proxy_ignore_headers   Expires Cache-Control;
            proxy_redirect off;
            proxy_buffering on;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    Note that proxy_set_header will pass the actual virtual host name to Apache. Next, you configure Apache as usual on ports 80 and 88 for the two web sites with two different DocumentRoots and log files. However, for SSL you must use 2 unique IPs. For http port 80 you can host 100s of websites using the above technique. The examples are nginx reverse proxy specific but apply to any other reverse proxy software out there.


  10. #10 Senior Member

    I was able to resolve the issue with the following details..

    Took two public IPs (123.22.32.1 with port 443 open and 202.1.244.22 with port 444 open), so whoever accesses port 443 is served with one cert and from 444 with the other cert..
    Thanks,
    Surendra Kumar Anne
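As an added check that is not part of this thread, the Python script below verifies the kind of setup post #10 ends with: it handshakes with a public IP:port and reports whether the certificate served there actually covers the hostname a visitor typed, so a visitor of xyz.example.com being handed the abc.example.com certificate (the mismatch behind the whole thread) is caught before users see browser warnings. The sample certificate dict and the addresses are constructed; the use_sni flag is there because current servers can select a certificate by SNI, which the thread's one-IP-per-certificate rule predates.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# certificate issued to abc.example.com; it is not a real certificate.
SAMPLE_ABC_CERT = {
    "subject": ((("commonName", "abc.example.com"),),),
    "subjectAltName": (("DNS", "abc.example.com"), ("DNS", "*.abc.example.com")),
}


def cert_hostnames(cert):
    """Names the certificate is valid for: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Match one certificate name; a leftmost '*' covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # "*.example.com" -> ".example.com"
    prefix = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
    return prefix != "" and "." not in prefix


def cert_matches(cert, hostname):
    """True if a browser visiting hostname would accept this certificate's names."""
    return any(name_matches(p, hostname) for p in cert_hostnames(cert))


def check_listener(hostname, ip, port, cafile=None, use_sni=False, timeout=5):
    """Handshake with ip:port and return (names in the served cert, matches hostname).

    use_sni=False sends no SNI, so the listener can only answer with the single
    certificate bound to that IP:port, the situation the thread describes.
    Pass cafile=<path to the cert itself> for a self-signed proxy certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False      # report the name check instead of raising on it
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname if use_sni else None) as tls:
            cert = tls.getpeercert()  # dict form is filled in only after chain validation
    return cert_hostnames(cert), cert_matches(cert, hostname)
```

Against the post #10 layout you would call check_listener("abc.example.com", "123.22.32.1", 443) and check_listener("xyz.example.com", "202.1.244.22", 444); a False second element means that listener is serving the other site's certificate.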
