LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 11-16-2009, 09:21 PM   #1
friskydrifter
Member
 
Registered: Jan 2003
Location: AU
Distribution: Whatever - mainly Red Hat
Posts: 32

Rep: Reputation: 15
Squid reverse proxy + SSL or hosting multiple domains from one IP


OK how to explain this?

For a start before you think i'm lazy, I'm running CentOS 5.4 with squid 2.6 so a lot of the other posts configs are obsolete.

First I have a xen setup with 2 DomU (virtual pcs) that both run the apache webserver for different domains.

On the Dom0 I'm running squid as a reverse proxy so web requests can be forwarded to the correct server via hostname as I only have one external IP address.
My adsl modem forwards all port 80 (http) and 443 (https) requests to the squid server (Dom0)

Attempt of a topology diagram here:

[squid]------[adsl modem]----internet cloud
|
|---(web-1)-> webserver 1
|---(web-2)-> webserver 2

This works fine except for https. I understand the chicken and the egg scenario of ssl i.e. it needs to create the ssl connection before it gets the headers.

So what is a valid solution here?
How do webhosting companys serve several domains from one IP?
What is a good standard practice?

If it's to set the ssl connection from cloud to proxy then no ssl from proxy to webserver then how do I configure this in squid?

If theres any other way of acheiving this feel free to let me know.

Cheers

Last edited by friskydrifter; 11-16-2009 at 09:36 PM. Reason: diagram didnt come out right
 
Old 11-17-2009, 01:56 AM   #2
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Hello,

First of all you need to understand that normally you need one certificate per IP on which you want to connect a https site. You can work around this by using a wildcard certificate. You can buy these or generate you own with openssl.

This is how I have it configured, also for a reverse proxy serving at the moment 6 sites. Of those 6 sites 2 are https to https all the way and 4 are https to squid and http after squid. All IP addresses have been changed of course, so have the domain names.

Code:
https_port 111.111.111.111:443 accel cert=/etc/ssl/domain.crt key=/etc/ssl/domain.key defaultsite=www.domain.com vhost protocol=https
forwarded_for on
The https to https peers I have configured like this:
Code:
cache_peer 192.168.2.3 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=autlog
acl site_autlog dstdomain autlog.domain.com
cache_peer_access autlog allow site_autlog
acl https proto https
The http backends are configured like this:
Code:
cache_peer 192.168.2.55 parent 80 0 no-query originserver name=wiki
acl site_wiki dstdomain wiki.domain.com
cache_peer_access wiki allow site_wiki
Hope this helps you out a little.

Kind regards,

Eric
 
Old 11-17-2009, 06:16 AM   #3
friskydrifter
Member
 
Registered: Jan 2003
Location: AU
Distribution: Whatever - mainly Red Hat
Posts: 32

Original Poster
Rep: Reputation: 15
OK thanks for that, i'll go through it and let you know how I go.

In the meantime I found pound.

http://www.apsis.ch/pound/

This was fairly easy to configure. I'll paste the "easy as 123" code below for anyone interested because I found other sites went into way too much specific detail without covering what works and where to go from there. I also dont run in a chroot jail (who cares, I can replace the server easily with xen, and all it does is this task)

The problem I found with it was I couldnt re-direct anything other than http or https.
Also the ssl connection is just between the internet user and the proxy server, not from the internet user and the webserver.


Anyway:
I created another virtual server just to test pound (In 5 min! I love xen and small disk images, no more countless long installs for test bed machines :-))
Then logged into it
# xm console <the_domain_name> (Had to press enter to make it show the prompt fom the new virtual server tho?)

Then installed gcc and openssl-devel so I could compile:
#yum install gcc openssl-devel

Download pound from the site I pasted above:
#wget http://www.apsis.ch/pound/Pound-2.4.5.tgz

And extract the tgz file:
#tar -xvzf Pound-2.4.5.tgz

Go into the new dir and compile the code, make the binaries and install the binaries and man pages etc to their correct locations:
I was thinking about creating an rpm with rpmbuild but I'm not going to cover that here!
#cd Pound-2.4.5
#./compile
#make && make install

I created the pound user to be able to run the program as non-privileged user.
#useradd -M pound
#passwd pound ......etc. etc

then created thc config file:

touch /usr/local/etc/pound.cfg

Then I used *my fave - nano)an editor to create the contents:
#nano /usr/local/etc/pound.cfg

The conents follow:

User "pound"
Group "pound"



ListenHTTP
Address 10.1.1.254 #<The internal address of the proxy server (Which one it listens on)>
Port 80
End

ListenHTTPS
Address 10.1.1.251
Port 443
Cert "/usr/local/etc/pound/certs/thaCert.pem"
End

Service
HeadRequire "Host:.*www.domainOne.com.*"
BackEnd
Address 10.1.1.253 #<internal address of web-1>
Port 80
End

End

Service
HeadRequire "Host:.*www.domainTwo.com.*"
BackEnd
Address 10.1.1.252 #<internal address of web-2>
Port 80
End
End



To check the config type:
#pound -c

To start pound type:
pound


Easy!


I would like to get squid working as well and will post any success!

Last edited by friskydrifter; 11-17-2009 at 06:30 AM.
 
Old 11-17-2009, 06:20 AM   #4
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Hello,

I tried Pound a while ago too when confronting configuration problems with Squid but came back to Squid because it gave me more possibilities (and for the support I got from their mailing list).

Keep us up to date of your progress, it will be appreciated.

Kind regards,

Eric
 
Old 11-17-2009, 08:18 AM   #5
friskydrifter
Member
 
Registered: Jan 2003
Location: AU
Distribution: Whatever - mainly Red Hat
Posts: 32

Original Poster
Rep: Reputation: 15
Hmmm Squid config is just awful to read through - so lost in it.

Well I thourght bugger it! I'd just paste what you have, at the top of the config and see what happens!
Well a little different:

https_port 10.1.1.251:443 accel cert=/usr/local/etc/server.crt key=/usr/local/etc/server.key vhost protocol=https forwarded_for on

cache_peer 10.1.1.253 parent 443 0 no-query originserver ssl sslversion=3
sslflags=DONT_VERIFY_PEER front-end-https=on name=domainOneSec
acl site_domainOneSec dstdomain www.domainOneS.com
cache_peer_access eequote allow site_domainOneSec
acl https proto https

cache_peer 10.1.1.253 parent 80 0 no-query originserver name=domainOne
acl site_domainOne dstdomain www.domainOne.com
cache_peer_access eequotehttp allow site_eequotehttp


I cannot get this to start no matter which way I configure it. The log output:

FATAL: Bungled squid.conf line 1: https_port 10.1.1.251:443 accel cert=/usr/local/etc/server.crt key=/usr/local/etc/server.key vhost protocol=https forwarded_for on
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
FATAL: Bungled squid.conf line 1: https_port 10.1.1.251:443 accel cert=/usr/local/etc/server.crt key=/usr/local/etc/server.key vhost protocol=https forwarded_for on
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.


Can you help me with any of this?

Cheers
 
Old 11-17-2009, 08:29 AM   #6
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Hi,

The certificate you used is that one you bought? Or a self generated? If it's a self generated then you'll also have to specify the CA file. Furthermore, and most important, have you installed Squid using your package manager? Or did you compile Squid? If you installed it using your package manager then you're out of luck because that version doesn't support SSL. If you plan on using https then you'll need to compile Squid with SSL enabled. I'd be happy to provide you with full instructions like I performed them.

Kind regards,

Eric
 
Old 11-17-2009, 08:34 AM   #7
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
I'm leaving work right now, so I'll be offline for one hour. I'll check when I'm home again.

Kind regards,

Eric
 
Old 11-18-2009, 10:39 PM   #8
friskydrifter
Member
 
Registered: Jan 2003
Location: AU
Distribution: Whatever - mainly Red Hat
Posts: 32

Original Poster
Rep: Reputation: 15
Ah all good i got it to start without any errors. It was a line wrapping prob.
Yes I installed with the package manager damn!. It's ok I'll compile one with ssl enabled. I shouldn't need help with that.

And the cert was one I just created myself for testing

A question I do have now though is when you say you have https to https peers do you mean

1. Https from the client to the proxy then the proxy https to the server

or

2. https from the client straight to the server and the proxy does some sort of https passthrough or something which I didn't think was possible?



Cheers for you help so far.

Last edited by friskydrifter; 11-18-2009 at 10:46 PM.
 
Old 11-19-2009, 01:00 AM   #9
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Hello,

The way I had it setup at first was a mixed situation, we had some HTTPS configured webservers and others only HTTP. So on Squid I configured it so that any connection from a client on HTTP had its URL rewritten to https. This way the connection from the client to Squid (in the DMZ) was always HTTPS. From Squid to the backend servers depended on what was capable on the webservers, HTTP or HTTPS.

Second step, completely done now, was to enable HTTPS on all webservers. At this time I have all clients connecting to Squid on HTTPS and Squid connecting to all webservers on HTTPS (some non-standard ports).

Since Squid is functioning as a reversed proxy all are webservers are 'hidden' to the outside world. Only on specific domain name request I'm accepting connections and redirecting them to the specific webserver in the LAN.

To use Squid with HTTPS you'll need to compile it. I'll post how I did it so you can use that if you want.

You'll also need openssl installed, which I presume you already have since you say you generated your key.

Download the source file from http://www.squid-cache.org/Versions/v3/3.0/. Extract it using
Code:
tar xvf *.gz
CD into the squid3 source directory and execute the following command
Code:
./configure --prefix=/usr --includedir=${prefix}/include --enable-ssl --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/squid3 --disable-maintainer-mode --disable-dependency-tracking --srcdir=. --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3 --mandir=/usr/share/man --enable-inline --enable-async-io=8 --enable-storeio=ufs,aufs,diskd,null --enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests --enable-underscores --enable-icap-client --enable-follow-x-forwarded-for --enable-auth=basic,digest,ntlm --enable-basic-auth-helpers=LDAP,MSNT,NCSA,SASL,SMB,YP,getpwnam,multi-domain-NTLM --enable-ntlm-auth-helpers=SMB --enable-digest-auth-helpers=ldap,password --enable-external-acl-helpers=ip_user,ldap_group --with-filedescriptors=65536 --with-default-user=proxy --enable-epoll --enable-linux-netfilter -with-openssl=/usr/include/openssl/
When you get no errors execute the following command:
Code:
make
If also this command terminates successfully then execute the command:
Code:
make install
Your SQUID 3 is now ready for configuration.

Change to directory ''/etc/squid3'' and move the file '''squid.conf''' to '''squid.ori''' using the command:
Code:
mv squid.conf squid.ori
Now create/edit a new squid.conf using your editor (nano, vi, vim, ...).

At this time you can start configuring Squid.

If you compile Squid yourself then there's no startup script generated, so don't be surprised. If you need one, just let me know, I'll post the one I got from the internet.

Kind regards,

Eric
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Reverse proxy using SQUID but only SSL connections EricTRA Linux - Security 1 07-01-2009 08:24 AM
squid reverse proxy configuration with ssl gogga Linux - Server 0 09-12-2008 09:29 AM
Squid 2.5 Reverse Proxy with SSL jonfa Linux - Networking 1 04-29-2008 05:17 PM
Squid reverse proxy with SSL jonfa Linux - Networking 1 02-05-2007 08:07 PM
Hosting multiple domains Imanerd Linux - Networking 2 01-04-2005 09:10 PM


All times are GMT -5. The time now is 03:19 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration