[SOLVED] SQUID reverse proxy with SSL.

4Paul4 · 11-15-2011, 12:11 AM

I have setup squid to run as a reverse proxy and redirect to 2 web servers for HTTP traffic. This is currently working. I now want to add HTTPS (SSL) support and not had any luck.

I installed squid 2.7 on Ubuntu 10.4 because this was the default with apt-get install squid.

I tried following THIS guide and I get the following error:

Code:

parseConfigFile: squid.conf:1 unrecognized: 'https_port'

I then checked to see if squid was compiled with ssl support but I can't see it:

Code:

root@ip-10-0-0-34:~# squid -v
Squid Cache: Version 2.7.STABLE7
configure options:  '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '-localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--enable-async-io' '--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linx-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-igests' '--enable-underscores' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-negotiate-auth-helpers=suid_kerb_auth' '--enable-carp' '--enable-follow-x-forwarded-for' '--with-large-files' '--with-maxfd=65536' 'amd64-debian-linux' 'build_alias=amd64-debian-linx' 'host_alias=amd64-debian-linux' 'target_alias=amd64-debian-linux' 'CFLAGS=-Wall -g -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
root@ip-10-0-0-34:~# squid -v |grep ssl
root@ip-10-0-0-34:~#

I figured the squid version in the repository is not setup for SSL so I decided to compile it myself. The problem is, EVERY guide I have tried refers to adding a rule in 'debian/rules'. This does NOT exist though!

Any ideas?

EricTRA · 11-15-2011, 01:40 AM

Hello,

I used Squid 3 at my previous job and had to compile it in order to support HTTPS so I imagine nothing has changed in that regard in the packages that come with the package manager. I also installed it on Debian but don't recall anything about those 'debian/rules' you mention. Can you provide a link to one of the guides where you saw that?

Kind regards,

Eric

4Paul4 · 11-15-2011, 04:49 PM

Hi Eric,

Here are some of the guides:

http://www.banym.de/linux/build-squi...-ssl-on-debian

Code:

edit the build rules and add the –enable-ssl option to the configure section:
vim debian/rules

Second post in this thread:
http://ubuntuforums.org/showthread.php?t=68246

Code:

apt-get source squid
 apt-get build-dep squid
 apt-get install devscripts build-essential fakeroot
 cd squid-2.6.1
 vim debian/rules
 Add --enable-ssl \ to “# Configure the package” section

It's not just that they're old because I had one for 'lucid' and it also had this debian/rules step.
Could you link me to a relevant how-to which doesn't involve this debian/rules step please? I can use either CentOS5.4 or Ubuntu 10.4, it doesn't really bother me. For now I'll try searching for one specific to squid3.

EDIT:

Here's one for squid3 on lucid, and once again, 'debian/rules'.
http://blog.leuffen.de/?p=78

EricTRA · 11-16-2011, 01:21 AM

Hello Paul,

I had to go through my notes since it's been about 3 years since I've worked with Squid but I found what I used. I downloaded the source code from here and followed this guide. The configure options I used back then are:

Code:

./configure --prefix=/usr --includedir=${prefix}/include --enable-ssl --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/squid3 --disable-maintainer-mode --disable-dependency-tracking --srcdir=. --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3 --mandir=/usr/share/man --enable-inline --enable-async-io=8 --enable-storeio=ufs,aufs,diskd,null --enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests --enable-underscores --enable-icap-client --enable-follow-x-forwarded-for --enable-auth=basic,digest,ntlm --enable-basic-auth-helpers=LDAP,MSNT,NCSA,SASL,SMB,YP,getpwnam,multi-domain-NTLM --enable-ntlm-auth-helpers=SMB --enable-digest-auth-helpers=ldap,password --enable-external-acl-helpers=ip_user,ldap_group --with-filedescriptors=65536 --with-default-user=proxy --enable-epoll --enable-linux-netfilter -with-openssl=/usr/include/openssl/

You can get a list of available options with their explanations executing:

Code:

./configure --help

There's no mentioning about debian/rules in the Squid wiki I pointed to, nor in my documents from three years ago and I installed Squid on Debian Lenny back then with https as a reversed proxy for multiple domains.

Hope this helps.

Kind regards,

Eric

4Paul4 · 11-16-2011, 09:44 PM

Hello Eric,

Thanks for the links. I have compiled squid in the same way that you did, changing some directory names. After installing several dependancies, i got it to work. I tried copying my cold squid.conf file over, had to remove the 'all' acl as that is a default in squid3, had to add visible_hostname ip-10-0-0-34 also.

It now starts with no errors but I am unable to connect to it.

Code:

root@ip-10-0-0-34:/var/log/squid# nmap localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-17 03:38 UTC
Interesting ports on localhost (127.0.0.1):
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Does this indicate that more changes are required in my config file to upgrade from version 2.7?

My config file looks pretty similar to this one (i modeled it on this).

EricTRA · 11-17-2011, 01:27 AM

Hi,

That's hard to say without your conf file. Here's the squid.conf I used in combination with that version and build of Squid so you can compare it with yours. I only changed the domain name. I remember there are some differences between version 2.6, 2.7 and version 3.0 but forgot what they are. You could have a look at this document that lists all of the configuration parameters for Squid 3.

Code:

cache_mgr root
#debug_options 61,3 ALL,9
# Basic parameters
visible_hostname www.domain.com
auth_param basic realm domain Security Portal
error_directory  /usr/share/squid3/errors/English

# This line indicates the server we will be proxying for
#
http_port 192.168.253.20:80 defaultsite=www.domain.com vhost

https_port 192.168.253.20:443 accel cert=/etc/ssl/domain.crt key=/etc/ssl/domain.key defaultsite=www.domain.com vhost protocol=https
forwarded_for on

# And the IP Address for it - adjust the IP and port if necessary

cache_peer 172.25.2.3 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=aut
acl site_aut dstdomain aut.domain.com
cache_peer_access aut allow site_aut
acl https proto https

cache_peer 172.25.2.3 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=autlog
acl site_autlog dstdomain autlog.domain.com
cache_peer_access autlog allow site_autlog
acl https proto https

cache_peer 172.25.2.5 parent 7002 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=auti2
acl site_auti2 dstdomain auti2.domain.com
cache_peer_access auti2 allow site_auti2
acl https proto https

cache_peer 172.25.2.20 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testfinance
acl site_testfinance dstdomain testfinance.domain.com
cache_peer_access testfinance allow site_testfinance
acl https proto https

cache_peer 172.25.2.21 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testmat
acl site_testmat dstdomain testmat.domain.com
cache_peer_access testmat allow site_testmat
acl https proto https

cache_peer 172.25.2.21 parent 7002 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testmati2
acl site_testmati2 dstdomain testmati2.domain.com
cache_peer_access testmati2 allow site_testmati2
acl https proto https

cache_peer 172.25.2.27 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testaut
acl site_testaut dstdomain testaut.domain.com
cache_peer_access testaut allow site_testaut
acl https proto https

cache_peer 172.25.2.27 parent 7002 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testauti2
acl site_testauti2 dstdomain testauti2.domain.com
cache_peer_access testauti2 allow site_testauti2
acl https proto https

cache_peer 172.25.2.31 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=mat
acl site_mat dstdomain mat.domain.com
cache_peer_access mat allow site_mat
acl https proto https

cache_peer 172.25.2.32 parent 7002 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=mati2
acl site_mati2 dstdomain mati2.domain.com
cache_peer_access mati2 allow site_mati2
acl https proto https

# cache_peer 172.25.2.52 parent 81 0 no-query originserver name=fileserver
# acl site_fileserver dstdomain fileserver.domain.com
# cache_peer_access fileserver allow site_fileserver

cache_peer 172.25.2.55 parent 80 0 no-query originserver name=wiki
auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=es" -D "cn=squid,cn=Users,dc=domain,dc=es" -w "trdcomun" -f sAMAccountName=%s -h 172.25.2.25
auth_param basic children 1
auth_param basic credentialsttl 5 minutes
acl site_wiki dstdomain wiki.domain.com
acl wiki_users proxy_auth REQUIRED

# cache_peer 172.25.2.63 parent 80 0 no-query originserver name=webautdev
# acl site_webautdev dstdomain webautdev.domain.com
# cache_peer_access webautdev allow site_webautdev

cache_peer 172.25.2.70 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=finance
acl site_finance dstdomain finance.domain.com
cache_peer_access finance allow site_finance
acl https proto https

cache_peer 172.25.2.71 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=tradinet
acl site_tradinet dstdomain tradinet.domain.com
cache_peer_access tradinet allow site_tradinet
acl https proto https

cache_peer 172.25.2.84 parent 19080 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=people
acl site_people dstdomain people.domain.com
cache_peer_access people allow site_people
acl https proto https

#cache_peer 172.25.2.199 parent 8080 0 no-query originserver name=acidbase
#acl site_acidbase dstdomain acidbase.domain.com
#cache_peer_access acidbase allow site_acidbase

acl apache rep_header Server ^Apache

# Where the cache files will be, memory and such
cache_dir ufs /var/spool/squid3 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 128 KB

# Log locations and format
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid3/access.log combined

cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
logfile_rotate 10

hosts_file /etc/hosts

# Basic ACLs
# acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443          # https
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl whitelist dstdomain aut.domain.com autlog.domain.com auti2.domain.com mat.domain.com mati2.domain.com testfinance.domain.com testmat.domain.com testmati2.domain.com testauti2.domain.com testaut.domain.com finance.domain.com tradinet.domain.com people.domain.com
acl http proto http
acl https proto https
acl port_80 port 80
acl port_443 port 443
acl wiki_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
#http_reply_access allow all
#http_access deny site_people CONNECT !SSL_ports
#http_access allow manager localhost
#http_access deny manager
#http_access allow purge localhost
#http_access deny purge
#http_access deny !Safe_ports
#http_access allow localhost
# rules allowing non-authenticated users
http_access allow http port_80 whitelist
http_access allow CONNECT port_443 whitelist
# rules allowing authenticated users
http_access allow http port_80 REQUIRED
http_access allow CONNECT port_443 REQUIRED

# catch-all rule
http_access deny all
url_rewrite_program /etc/squid3/redirect-to-secure.pl
url_rewrite_access deny CONNECT SSL_ports

icp_access allow all

cache_effective_group proxy

coredump_dir /var/spool/squid3

emulate_httpd_log on

redirect_rewrites_host_header off

buffered_logs on

# Do not cache cgi-bin, ? urls, posts, etc.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl POST method POST
no_cache deny QUERY
no_cache deny POST

Hope this helps you.

Kind regards,

Eric

4Paul4 · 11-17-2011, 09:29 PM

Thanks Eric,

I am still having trouble getting this to work. I even tried your config file but nmap still indicates no HTTP or HTTPS ports.

Here is my current config file I'm trying (I borrowed some lines from yours)

Code:

cache_mgr root
visible_hostname go.mydomain.com
auth_param basic realm domain Security Portal
error_directory  /var/log/squid/errors/English
http_port 10.0.0.24:80 defaultsite=go.mydomain.com vhost

https_port 10.0.0.24:443 accel cert=/etc/ssl/domain.crt key=/etc/ssl/domain.key defaultsite=www.mydomain.com vhost protocol=https

forwarded_for on

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

cache_peer 10.0.0.24 parent 80 0 no-query no-digest originserver name=apache login=PASS
acl sites_apache dstdomain go.mydomain.com
acl our_sites dstdomain go.mydomain.com
cache_peer_access apache allow sites_apache

cache_peer 10.0.0.14 parent 80 0 no-query no-digest originserver name=iis login=PASS
acl sites_iis dstdomain api.mydomain.com 
acl our_sites2 dstdomain api.mydomain.com 
cache_peer_access iis allow sites_iis

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow our_sites2
http_access allow our_sites

http_access allow manager all
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

access_log /var/log/squid/access.log
icp_access allow all
cache_effective_group proxy
emulate_httpd_log on
buffered_logs on

EricTRA · 11-18-2011, 12:48 AM

Hi,

Is there anything indicating a problem in the log files? There's no iptables active right?

Kind regards,

Eric

4Paul4 · 11-20-2011, 10:09 PM

Hi,

I have not got HTTP (not https) working on Squid3, compiled myself.

No, for testing/setup purposes, I removed iptables completely from this machine.

Here is my current config file (I have it down to 25 lines now

):

Code:

visible_hostname go.mysite.com
http_port 80 accel defaultsite=www.mysite.com vhost
https_port 433 accel cert=/etc/ssl/domain.crt key=/etc/ssl/domain.key defaultsite=www.mysite.com vhost protocol=https
forwarded_for on

cache_peer 10.0.0.24 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=one
acl sites_one dstdomain go.mysite.com
cache_peer_access one allow sites_one
acl https proto https

cache_peer 10.0.0.14 parent 80 0 no-query originserver name=api
acl sites_api dstdomain api.mysite.com
cache_peer_access api allow sites_api
acl https proto https

acl melbourne src my.office.ip.address

http_access allow melbourne

Is there something further I need to do in order to even get it listening on port 433?

Code:

root@ip-10-0-0-34:/etc/squid3# nmap localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-21 04:08 UTC
Interesting ports on localhost (127.0.0.1):
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

As you can see, only http (port 80) is working with that config file.

SSL is definiately enabled else I'd be getting errors about HTTPS_PORT not being recognized.

Code:

root@ip-10-0-0-34:/etc/squid3# squid -v
Squid Cache: Version 3.0.STABLE26
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--enable-ssl' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,null' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,getpwnam,multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-snmp' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-epoll' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall -O2' 'FFLAGS=-g -O2' '-with-openssl=/usr/include/openssl/'

4Paul4 · 11-21-2011, 04:24 PM

Problem solved. I re-created the SSL certificates and it's all working now.

Thank you for the help Eric.

EricTRA · 11-22-2011, 12:37 AM

Hi Paul,

Glad to hear you've got it fixed. As someone said in a movie I cannot remember the title:

Quote:

Assumption is the mother of all f**k-ups!

I didn't even think for a moment about the validity of your certificates, I assumed they were good. Congratulations on fixing it.

Kind regards,

Eric

andrixnet · 01-31-2022, 05:51 AM

Quote:

Originally Posted by EricTRA

Hi Paul,

Glad to hear you've got it fixed. As someone said in a movie I cannot remember the title:

Quote:

Assumption is the mother of all f**k-ups!

Under Siege 2 - Dark Territory