-   Linux - Networking (
-   -   Squid reverse proxy + SSL or hosting multiple domains from one IP (

friskydrifter 11-16-2009 08:21 PM

Squid reverse proxy + SSL or hosting multiple domains from one IP
OK how to explain this?

For a start before you think i'm lazy, I'm running CentOS 5.4 with squid 2.6 so a lot of the other posts configs are obsolete.

First I have a xen setup with 2 DomU (virtual pcs) that both run the apache webserver for different domains.

On the Dom0 I'm running squid as a reverse proxy so web requests can be forwarded to the correct server via hostname as I only have one external IP address.
My adsl modem forwards all port 80 (http) and 443 (https) requests to the squid server (Dom0)

Attempt of a topology diagram here:

[squid]------[adsl modem]----internet cloud
|---(web-1)-> webserver 1
|---(web-2)-> webserver 2

This works fine except for https. I understand the chicken and the egg scenario of ssl i.e. it needs to create the ssl connection before it gets the headers.

So what is a valid solution here?
How do webhosting companys serve several domains from one IP?
What is a good standard practice?

If it's to set the ssl connection from cloud to proxy then no ssl from proxy to webserver then how do I configure this in squid?

If theres any other way of acheiving this feel free to let me know.


EricTRA 11-17-2009 12:56 AM


First of all you need to understand that normally you need one certificate per IP on which you want to connect a https site. You can work around this by using a wildcard certificate. You can buy these or generate you own with openssl.

This is how I have it configured, also for a reverse proxy serving at the moment 6 sites. Of those 6 sites 2 are https to https all the way and 4 are https to squid and http after squid. All IP addresses have been changed of course, so have the domain names.


https_port accel cert=/etc/ssl/domain.crt key=/etc/ssl/domain.key vhost protocol=https
forwarded_for on

The https to https peers I have configured like this:

cache_peer parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=autlog
acl site_autlog dstdomain
cache_peer_access autlog allow site_autlog
acl https proto https

The http backends are configured like this:

cache_peer parent 80 0 no-query originserver name=wiki
acl site_wiki dstdomain
cache_peer_access wiki allow site_wiki

Hope this helps you out a little.

Kind regards,


friskydrifter 11-17-2009 05:16 AM

OK thanks for that, i'll go through it and let you know how I go.

In the meantime I found pound.

This was fairly easy to configure. I'll paste the "easy as 123" code below for anyone interested because I found other sites went into way too much specific detail without covering what works and where to go from there. I also dont run in a chroot jail (who cares, I can replace the server easily with xen, and all it does is this task)

The problem I found with it was I couldnt re-direct anything other than http or https.
Also the ssl connection is just between the internet user and the proxy server, not from the internet user and the webserver.

I created another virtual server just to test pound (In 5 min! I love xen and small disk images, no more countless long installs for test bed machines :-))
Then logged into it
# xm console <the_domain_name> (Had to press enter to make it show the prompt fom the new virtual server tho?)

Then installed gcc and openssl-devel so I could compile:
#yum install gcc openssl-devel

Download pound from the site I pasted above:

And extract the tgz file:
#tar -xvzf Pound-2.4.5.tgz

Go into the new dir and compile the code, make the binaries and install the binaries and man pages etc to their correct locations:
I was thinking about creating an rpm with rpmbuild but I'm not going to cover that here!
#cd Pound-2.4.5
#make && make install

I created the pound user to be able to run the program as non-privileged user.
#useradd -M pound
#passwd pound ......etc. etc

then created thc config file:

touch /usr/local/etc/pound.cfg

Then I used *my fave - nano)an editor to create the contents:
#nano /usr/local/etc/pound.cfg

The conents follow:

User "pound"
Group "pound"

Address #<The internal address of the proxy server (Which one it listens on)>
Port 80

Port 443
Cert "/usr/local/etc/pound/certs/thaCert.pem"

HeadRequire "Host:.**"
Address #<internal address of web-1>
Port 80


HeadRequire "Host:.**"
Address #<internal address of web-2>
Port 80

To check the config type:
#pound -c

To start pound type:


I would like to get squid working as well and will post any success!

EricTRA 11-17-2009 05:20 AM


I tried Pound a while ago too when confronting configuration problems with Squid but came back to Squid because it gave me more possibilities (and for the support I got from their mailing list).

Keep us up to date of your progress, it will be appreciated.

Kind regards,


friskydrifter 11-17-2009 07:18 AM

Hmmm Squid config is just awful to read through - so lost in it.

Well I thourght bugger it! I'd just paste what you have, at the top of the config and see what happens!
Well a little different:

https_port accel cert=/usr/local/etc/server.crt key=/usr/local/etc/server.key vhost protocol=https forwarded_for on

cache_peer parent 443 0 no-query originserver ssl sslversion=3
sslflags=DONT_VERIFY_PEER front-end-https=on name=domainOneSec
acl site_domainOneSec dstdomain
cache_peer_access eequote allow site_domainOneSec
acl https proto https

cache_peer parent 80 0 no-query originserver name=domainOne
acl site_domainOne dstdomain
cache_peer_access eequotehttp allow site_eequotehttp

I cannot get this to start no matter which way I configure it. The log output:

FATAL: Bungled squid.conf line 1: https_port accel cert=/usr/local/etc/server.crt key=/usr/local/etc/server.key vhost protocol=https forwarded_for on
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
FATAL: Bungled squid.conf line 1: https_port accel cert=/usr/local/etc/server.crt key=/usr/local/etc/server.key vhost protocol=https forwarded_for on
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.

Can you help me with any of this?


EricTRA 11-17-2009 07:29 AM


The certificate you used is that one you bought? Or a self generated? If it's a self generated then you'll also have to specify the CA file. Furthermore, and most important, have you installed Squid using your package manager? Or did you compile Squid? If you installed it using your package manager then you're out of luck because that version doesn't support SSL. If you plan on using https then you'll need to compile Squid with SSL enabled. I'd be happy to provide you with full instructions like I performed them.

Kind regards,


EricTRA 11-17-2009 07:34 AM

I'm leaving work right now, so I'll be offline for one hour. I'll check when I'm home again.

Kind regards,


friskydrifter 11-18-2009 09:39 PM

Ah all good i got it to start without any errors. It was a line wrapping prob.
Yes I installed with the package manager damn!. It's ok I'll compile one with ssl enabled. I shouldn't need help with that.

And the cert was one I just created myself for testing

A question I do have now though is when you say you have https to https peers do you mean

1. Https from the client to the proxy then the proxy https to the server


2. https from the client straight to the server and the proxy does some sort of https passthrough or something which I didn't think was possible?

Cheers for you help so far.

EricTRA 11-19-2009 12:00 AM


The way I had it setup at first was a mixed situation, we had some HTTPS configured webservers and others only HTTP. So on Squid I configured it so that any connection from a client on HTTP had its URL rewritten to https. This way the connection from the client to Squid (in the DMZ) was always HTTPS. From Squid to the backend servers depended on what was capable on the webservers, HTTP or HTTPS.

Second step, completely done now, was to enable HTTPS on all webservers. At this time I have all clients connecting to Squid on HTTPS and Squid connecting to all webservers on HTTPS (some non-standard ports).

Since Squid is functioning as a reversed proxy all are webservers are 'hidden' to the outside world. Only on specific domain name request I'm accepting connections and redirecting them to the specific webserver in the LAN.

To use Squid with HTTPS you'll need to compile it. I'll post how I did it so you can use that if you want.

You'll also need openssl installed, which I presume you already have since you say you generated your key.

Download the source file from Extract it using

tar xvf *.gz
CD into the squid3 source directory and execute the following command

./configure --prefix=/usr --includedir=${prefix}/include --enable-ssl --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/squid3 --disable-maintainer-mode --disable-dependency-tracking --srcdir=. --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3 --mandir=/usr/share/man --enable-inline --enable-async-io=8 --enable-storeio=ufs,aufs,diskd,null --enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests --enable-underscores --enable-icap-client --enable-follow-x-forwarded-for --enable-auth=basic,digest,ntlm --enable-basic-auth-helpers=LDAP,MSNT,NCSA,SASL,SMB,YP,getpwnam,multi-domain-NTLM --enable-ntlm-auth-helpers=SMB --enable-digest-auth-helpers=ldap,password --enable-external-acl-helpers=ip_user,ldap_group --with-filedescriptors=65536 --with-default-user=proxy --enable-epoll --enable-linux-netfilter -with-openssl=/usr/include/openssl/
When you get no errors execute the following command:

If also this command terminates successfully then execute the command:

make install
Your SQUID 3 is now ready for configuration.

Change to directory ''/etc/squid3'' and move the file '''squid.conf''' to '''squid.ori''' using the command:

mv squid.conf squid.ori
Now create/edit a new squid.conf using your editor (nano, vi, vim, ...).

At this time you can start configuring Squid.

If you compile Squid yourself then there's no startup script generated, so don't be surprised. If you need one, just let me know, I'll post the one I got from the internet.

Kind regards,


All times are GMT -5. The time now is 05:54 PM.