Difference between revisions of "Cool Solution - Squid as Reverse SSL Proxy"

From Univention Wiki

Latest revision as of 14:58, 14 November 2018

UCS Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

This article describes how to configure Squid3 as a reverse proxy with HTTPS and SSL support. This lets you proxy a TLS-secured application without exposing the web server itself to the outside, or load-balance between multiple SSL servers.

Requirements

To install Squid3 for UCS 4, execute the following command:

univention-app install squid

In addition, you need the private key and the public certificate of the Squid server (found under /etc/univention/ssl/...). In the following, we refer to the certificate as cert.pem, to the key as private.key and to the server you want to tunnel to as DSTHOST.

Note: Everything between a less-than sign (<) and a greater-than sign (>) must be replaced with your own values; the angle brackets themselves are replaced as well.

Note: Everything written in italics in the code boxes is a variable value and may be changed to suit your setup.

Pre-Configuration

First, the Apache server must be stopped and its autostart disabled via its UCR variable. This is necessary to free the HTTPS port (443) for Squid3.

service apache2 stop
ucr set apache2/autostart="no"


Configure Squid

Afterwards, the local configuration file /etc/squid/local_bottom.conf must be edited.

If there is already a configuration in this file, you should make a backup of that:

cp /etc/squid/local_bottom.conf /etc/squid/local_bottom.conf.backup

To configure your reverse SSL proxy, add the following lines to your configuration.

#reverse SSL proxy
https_port 443 cert=/path/to/cert.pem key=/path/to/private.key accel defaultsite=<FQDN of DSTHOST> vhost
cache_peer <IP of DSTHOST> parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=myHost

The name given here (myHost) is needed again below if custom ACLs are created (optional).

Configure ACLs

After the reverse proxy is configured, the next step is to configure ACLs to define who is able to access your site and who is not. First, we define an ACL for a network. This is possible either via UCR or by editing the config file manually. The latter is only needed when the network must have a specific name.

To grant access to a whole network, you can use the UCR variable squid/allowfrom. Multiple networks can be separated with spaces.

ucr set squid/allowfrom='<NETWORK>/<CIDR NETWORK MASK>'

So, if we'd want to allow IPs from the network 192.168.0.0/24, the command would look as follows:

ucr set squid/allowfrom='192.168.0.0/24'

The network will be named dynamically, starting with 'localnet1'.

Note: The rules for cache_peer_access and the rules for your reverse SSL proxy (https_port, cache_peer) have to be made directly in the local config.

Alternatively, for example if the network needs a specific name, you can apply this configuration manually in your local_bottom.conf with the following lines (this is completely optional):

...

acl myNetwork src <NETWORK>/<CIDR NETWORK MASK>

#########
# rules #
#########
... 

Additionally, the rules for the newly created ACL have to be defined:

...

http_access allow myNetwork
cache_peer_access myHost allow myNetwork

# deny the rest
http_access deny all
http_reply_access allow all
icp_access allow all
...
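As an added example (not part of the original article), a small Python lint that checks the reverse proxy lines and the ACL rules above for the mistakes that break such a setup: an https_port without cert, key or accel, a cache_peer_access that refers to a peer name not matching name=..., an http_access that references an undefined ACL, and a missing final deny all. It also reports sslflags=DONT_VERIFY_PEER, since with that flag Squid accepts any certificate presented by DSTHOST. The sample configuration, host and network values in it are constructed.

```python
# Added example: lint the reverse-proxy and ACL lines of a Squid local config.
# SAMPLE_CONF and the host/network values in it are constructed for this demo.
SAMPLE_CONF = """\
#reverse SSL proxy
https_port 443 cert=/path/to/cert.pem key=/path/to/private.key accel defaultsite=app.example.com vhost
cache_peer 10.0.0.5 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=myHost
acl myNetwork src 192.168.0.0/24
http_access allow myNetwork
cache_peer_access myHost allow myNetwork
# deny the rest
http_access deny all
"""

def lint_reverse_proxy(conf):
    """Return a list of findings for the given config text (empty list = nothing found)."""
    findings = []
    peers, acls, access = set(), {"all"}, []   # "all" is an ACL built into Squid
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                             # skip blank lines and comments
        tok = line.split()
        if tok[0] == "https_port":
            opts = {t.split("=", 1)[0] for t in tok[2:]}
            for need in ("cert", "key", "accel"):
                if need not in opts:
                    findings.append(f"https_port is missing '{need}'")
        elif tok[0] == "cache_peer":
            # a peer is addressed by name=... when given, otherwise by its host
            name = next((t[5:] for t in tok if t.startswith("name=")), tok[1])
            peers.add(name)
            if "sslflags=DONT_VERIFY_PEER" in tok:
                findings.append(f"peer {name}: sslflags=DONT_VERIFY_PEER, upstream certificate is not verified")
        elif tok[0] == "acl":
            acls.add(tok[1])
        elif tok[0] == "http_access":
            access.append(tok[1:])               # [allow|deny, acl, ...]
        elif tok[0] == "cache_peer_access":
            if tok[1] not in peers:
                findings.append(f"cache_peer_access refers to unknown peer '{tok[1]}'")
            if tok[3].lstrip("!") not in acls:
                findings.append(f"cache_peer_access uses undefined acl '{tok[3]}'")
    for rule in access:
        for a in rule[1:]:
            if a.lstrip("!") not in acls:        # "!acl" negates an ACL
                findings.append(f"http_access uses undefined acl '{a}'")
    if not access or access[-1] != ["deny", "all"]:
        findings.append("http_access does not end with 'deny all'")
    return findings

print(*(lint_reverse_proxy(SAMPLE_CONF) or ["no findings"]), sep="\n")
```

To check a real file, pass the contents of /etc/squid/local_bottom.conf to lint_reverse_proxy instead of SAMPLE_CONF.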

Since Squid3 is a powerful product, we cannot cover every case you may want to define here. Please refer to the official documentation linked in the Further Information section.

After your changes have been saved, squid3 needs to be restarted:

service squid restart

Afterwards your reverse proxy should be working.

Further Information

http://www.squid-cache.org/Doc/config/

Archive

  • There is a version of this article for UCS 4.2.
  • There is a version of this article for UCS 4.1.