Difference between revisions of "Cool Solution - Squid as Reverse SSL Proxy"

From Univention Wiki

Jump to: navigation, search
(moved to help-u)
Tag: Replaced
(19 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Cool Solutions Disclaimer|Repository=no}}{{Version|UCS=4.0}} This article describes how to configure Squid3 as a reverse proxy with HTTPS and SSL support. This allows to proxy your secured application without exposing your Webserver to the outside or to loadbalance between multiple SSL Servers.  
This page has been moved to the Knowledge Base Cool Solutions in the Forum.
== Requirements  ==
[https://help.univention.com/t/cool-solution-squid-as-reverse-ssl-proxy/14714 Cool Solution - Squid as Reverse SSL Proxy]
To install Squid3 for UCS 4.0, execute the following command:
univention-install univention-squid
In addition you need the private key and the public certificate from the server you want to tunnel to. In the following we refer to the certificate as ''cert.pem'',to the key as ''private.key'' and to the server you want to tunnel to as ''DSTHOST''.
''Note:'' Everything within a less-than sign (<) and a greater-than sign (>) must be replaced with your own values.
''Note:'' Everything that is written ''cursive'' in the code boxes is a variable value and may be changed to own use.
== Pre-Configuration  ==
At first, the Apache Server must be stopped and disabled within its UCR variable. This is necessary to free the HTTPS port for Squid3
service apache2 stop
ucr set apache2/autostart="no"
== Configure Squid  ==
Afterwards the template file ''/etc/univention/templates/files/etc/squid3/squid.conf'' must be edited.  
You should backup the original template file before making any changes:
cp /etc/univention/templates/files/etc/squid3/squid.conf /etc/univention/templates/files/etc/squid3/squid.conf.backup
To configure your reverse SSL proxy, add the lines below ''# reverse proxy'' to your configuration. A good placement for this is at the top of your configuration file (e.g. below ''# debug options).''
print "#reverse SSL proxy"
print "https_port 443 cert=/path/to/cert.pem key=/path/to/private.key  defaultsite=&lt;FQDN of DSTHOST&gt; vhost"
print "cache_peer &lt;IP of DSTHOST&gt; parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=''myHost''"
print "#########"
print "# acl's #"
print "#########"
Remember the name you've given here, we need it later to configure the ACLs
=== Configure ACLs  ===
After the reverse proxy is configured, the next step is to configure ACLs to define who is able to access your site and who is not. At first, we define an ACL for a network. A few ACLs are already defined in your configuration. To keep the configuration file human readable, we stick to the schema and add our changes into the correct sections.
To grant access to a whole network, add the following line to your config
print "acl ''myNetwork'' src &lt;Network adress&gt;/&lt;Netmask&gt;"
print "#########"
print "# rules #"
print "#########"
Afterwards, the rules for our newly created ACL have to be defined
print "http_access allow ''myNetwork''"
print "cache_peer_access ''myHost'' allow ''myNetwork''"
print "# deny the rest"
print "http_access deny all"
print "http_reply_access allow all"
print "icp_access allow all"
'''Note:''' You can also set the rules for ''acl'' and ''http_access_allow'' via the ucr variable '''squid/allowfrom'''. If you do so, your network will be named dynamically, e.g. ''localnet1''. For more than one network, you can simply write them all to '''squid/allowfrom''', seperated with spaces. However, the rules for ''chache_peer_access'' and the rules for your reverse SSL proxy (''https_port'', ''cache_peer'') have to be made directly in the config template.
Since Squid3 is a mighty product, we can't cover all cases you may want to define here. Please refer to the offical documentation in the ''Further Information'' section.
After your changes have been saved, your Squid3 configuration file needs to be commited and squid3 needs to be restarted:
ucr commit /etc/squid3/squid.conf
service squid3 restart
Afterwards your reverse proxy should be working.
== Further Information  ==

Latest revision as of 09:48, 9 July 2020

This page has been moved to the Knowledge Base Cool Solutions in the Forum.

Cool Solution - Squid as Reverse SSL Proxy

Personal tools