Difference between revisions of "Cool Solution - Squid as Reverse SSL Proxy"

From Univention Wiki

m (Added use case)
Line 1: Line 1:
{{Version|UCS=3.0}}
+
{{Version|UCS=3.2}}{{Review-Status}}
This article describes how to configure squid to serve your HTTPS aware applications as a reverse proxy with SSL support. This allows to proxy your secured application without exposing your Webserver to the outside or to loadbalance between multiple SSL Servers.
+
This article describes how to configure Squid3 as a reverse proxy with HTTPS and SSL support. This allows to proxy your secured application without exposing your Webserver to the outside or to loadbalance bewtween multiple SSL Servers.
  
 
== Requirements ==
 
== Requirements ==
  
The following configuration only works with squid from UCS 3.0-1 or later. To install it issue the following command:
+
To install Squid3 for UCS 3.2, execute the following command:
<pre>
 
univention-install univention-squid
 
</pre>
 
  
In addition you need the private key and the public certificate from the server you are trying to tunnel to. For the purpose of this guide they will refer to the certificate as ''foreign_cert.pem'' and to the key as ''foreign_key.key''.
+
univention-install univention-squid
  
== Configuration ==
 
First Apache needs to be deactivated to free the HTTPS port for squid. You also need to disable it permanently using UCR variables
 
<pre>
 
ucr set apache2/autostart="no"
 
/etc/init.d/apache2 stop
 
</pre>
 
  
Afterwards you need to edit the template ''/etc/univention/templates/files/etc/squid3/squid.conf'' where you need to add the following lines
+
In addition you need the private key and the public certificate from the server you want to tunnel to. In the following we refer to the certificate as ''cert.pem'',to the key as ''private.key'' and to the server you want to tunnel to as ''DSTHOST''.
  
<pre>
+
''Note:'' Everything within a less-than sign (<) and a greater-than sign (>) must be replaced with your own values.
https_port 443 cert=/path/to/foreign_cert.pem
 
key=/path/to/foreign_key.key defaultsite=<FQDN of the forein host> vhost
 
cache_peer <IP of the forein host> parent 443 7 no-query proxy-only
 
originserver ssl sslflags=DONT_VERIFY_PEER name=myproxy
 
  
acl MASTER dstdomain <FQDN of the forein host>
+
''Note:'' Everything that is written ''cursive'' in the code boxes is a variable value and may be changed to own use.
http_access allow MASTER
 
cache_peer_access myproxy allow MASTER
 
cache_peer_access myproxy deny all
 
</pre>
 
  
After committing the template and restarting with
+
== Pre-Configuration ==
<pre>
+
At first, the Apache Server must be stopped and disabled within its UCR variable. This is necessary to free the HTTPS port for Squid3
ucr commit /etc/squid3/squid.conf
+
 
/etc/init.d/squid3 restart
+
service apache2 stop
</pre>
+
ucr set apache2/autostart="no"
you should be able to reverse proxy to your SSL application.
+
 
 +
 
 +
== Configure Squid ==
 +
Afterwards the template file ''/etc/univention/templates/files/etc/squid3/squid.conf'' must be edited.
 +
 
 +
To configure your reverse SSL proxy, add the  lines below ''# reverse proxy'' to your configuration. A good placement for it is at the top of your configuration file (e.g. below ''# debug options).
 +
 
 +
# debug options
 +
...
 +
 +
# reverse proxy
 +
https_port 443 cert=/path/to/cert.pem key=/path/to/private.key  defaultsite=<FQDN of DSTHOST> vhost
 +
cache_peer <IP of DSTHOST> parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=''myHost''
 +
 
 +
Remember the name you've given here, we need it later to configure the ACLs
 +
 
 +
=== Configure ACLs ===
 +
After the reverse proxy is configured, the next step is to configure ACLs to define who is able to access your site and who is not. At first, we define an ACL for a network. A few ACLs are already defined in your configuration. To keep the configuration file human readable, we stick to the schema and add our changes into the correct sections.
 +
 
 +
To grand access to a whole network, add the following line to your config
 +
 
 +
#########
 +
# acl's #
 +
#########
 +
...
 +
 +
acl ''myNetwork'' src <Network adress>/<Netmask>
 +
 
 +
Afterwards, the rules for our new created ACL have to be defined
 +
 
 +
#########
 +
# rules #
 +
#########
 +
...
 +
 +
http_access allow ''myNetwork''
 +
 +
cache_peer_access ''myHost'' allow ''myNetwork''
 +
 
 +
Since Squid3 is a mighty product, we can't cover all cases you may want to define here. Please refer to the offical documentation in the ''Further Information'' section.
 +
 
 +
 
 +
After your changes have been saved, your Squid3 configuration file needs to be commited and the Squid3 needs to be restarted.
 +
 
 +
ucr commit /etc/squid3/squid.conf
 +
serice squid3 restart
 +
 
 +
Afterwards your revers Proxy should be working.
 +
 
 +
== Further Information ==
 +
http://www.squid-cache.org/Doc/config/
  
 
[[Category:EN]]
 
[[Category:EN]]
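Review bot: The restart command added by this revision, "serice squid3 restart", is misspelled and will fail as typed; it should read "service squid3 restart". Two points of substance also deserve a look in the new text: the "cache_peer ... sslflags=DONT_VERIFY_PEER" line is carried over from the old revision and still disables verification of DSTHOST's server certificate, so the proxy will accept any certificate presented on port 443 of that IP, and the rewritten ACL section keeps "cache_peer_access myHost allow myNetwork" but drops the old revision's closing "cache_peer_access myproxy deny all", so the peer rules no longer end with an explicit deny. The cache_peer weight also changes from 7 to 0 without a mention in the edit summary "Added use case".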

Revision as of 11:45, 11 August 2014

UCS Version 3.2
Note: This article is not yet reviewed.

This article describes how to configure Squid3 as a reverse proxy with HTTPS and SSL support. This allows you to proxy your secured application without exposing your web server to the outside, or to load-balance between multiple SSL servers.

Requirements

To install Squid3 for UCS 3.2, execute the following command:

univention-install univention-squid


In addition you need the private key and the public certificate from the server you want to tunnel to. In the following we refer to the certificate as cert.pem, to the key as private.key and to the server you want to tunnel to as DSTHOST.

Note: Everything within a less-than sign (<) and a greater-than sign (>) must be replaced with your own values.

Note: Everything that is written in italics in the code boxes is a variable value and may be changed to suit your own setup.

Pre-Configuration

First, the Apache server must be stopped and disabled via its UCR variable. This is necessary to free the HTTPS port for Squid3.

service apache2 stop
ucr set apache2/autostart="no"


Configure Squid

Afterwards the template file /etc/univention/templates/files/etc/squid3/squid.conf must be edited.

To configure your reverse SSL proxy, add the lines below # reverse proxy to your configuration. A good placement for it is at the top of your configuration file (e.g. below # debug options).

# debug options
...

# reverse proxy
https_port 443 cert=/path/to/cert.pem key=/path/to/private.key  defaultsite=<FQDN of DSTHOST> vhost
cache_peer <IP of DSTHOST> parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=myHost

Remember the name you have given here; we need it later to configure the ACLs.

Configure ACLs

After the reverse proxy is configured, the next step is to configure ACLs to define who is able to access your site and who is not. First, we define an ACL for a network. A few ACLs are already defined in your configuration. To keep the configuration file human-readable, we stick to the existing schema and add our changes to the matching sections.

To grant access to a whole network, add the following line to your config:

#########
# acl's #
#########
...

acl myNetwork src <Network address>/<Netmask>

Afterwards, the rules for our newly created ACL have to be defined:

#########
# rules #
#########
...

http_access allow myNetwork

cache_peer_access myHost allow myNetwork

Since Squid3 is a very powerful product, we cannot cover every case you may want to define here. Please refer to the official documentation in the Further Information section.
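The two code boxes above (the reverse proxy block under "Configure Squid" and the rules under "Configure ACLs") leave two things to the reader: the cache_peer line turns off checking of DSTHOST's certificate with sslflags=DONT_VERIFY_PEER, and neither rule set ends with an explicit deny. The script below is an added example, not part of this wiki article or of the univention-squid package. It writes two constructed squid.conf fragments to temporary files, the block as given on this page and a hardened variant that verifies the backend certificate with the Squid 3.x cache_peer options sslcafile= and ssldomain= and closes both rule sets with deny all, and runs a small audit over each. The host name app.example.com, the IP 192.0.2.10, the network 192.0.2.0/24 and the path /path/to/ca.pem are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the Univention wiki page or the univention-squid package.
# audit_squid_conf FILE reports, one line per finding:
#   1. a cache_peer carrying sslflags=DONT_VERIFY_PEER (backend certificate unchecked),
#   2. a cache_peer name= without a closing "cache_peer_access <name> deny all",
#   3. http_access allow rules with no closing "http_access deny all".
# It returns 0 when nothing is found and 1 otherwise.
audit_squid_conf() {
    conf="$1"
    findings=0

    # 1. backend TLS verification disabled?
    if grep -E '^[[:space:]]*cache_peer[[:space:]].*sslflags=[^[:space:]]*DONT_VERIFY_PEER' "$conf" >/dev/null; then
        echo "FINDING: cache_peer uses sslflags=DONT_VERIFY_PEER; verify the backend with sslcafile= and ssldomain= instead"
        findings=$((findings + 1))
    fi

    # 2. every named peer should end its cache_peer_access rules with deny all
    for name in $(sed -n 's/^[[:space:]]*cache_peer[[:space:]].*name=\([^[:space:]]*\).*/\1/p' "$conf"); do
        if ! grep -E "^[[:space:]]*cache_peer_access[[:space:]]+$name[[:space:]]+deny[[:space:]]+all" "$conf" >/dev/null; then
            echo "FINDING: no 'cache_peer_access $name deny all' closes the rules for peer $name"
            findings=$((findings + 1))
        fi
    done

    # 3. allow rules without a final deny all
    if grep -E '^[[:space:]]*http_access[[:space:]]+allow' "$conf" >/dev/null &&
       ! grep -E '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all' "$conf" >/dev/null; then
        echo "FINDING: http_access rules have no closing 'http_access deny all'"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample 1: the reverse proxy block and ACL rules as given on this page,
# with placeholder values filled in (app.example.com, 192.0.2.10, 192.0.2.0/24).
write_weak_conf() {
    cat > "$1" <<'EOF'
# reverse proxy
https_port 443 cert=/path/to/cert.pem key=/path/to/private.key defaultsite=app.example.com vhost
cache_peer 192.0.2.10 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=myHost

acl myNetwork src 192.0.2.0/24

http_access allow myNetwork
cache_peer_access myHost allow myNetwork
EOF
}

# Constructed sample 2: the same block hardened. The backend certificate is checked
# against the CA bundle in /path/to/ca.pem (placeholder) and must carry the name
# app.example.com; both rule sets end with an explicit deny all.
write_hardened_conf() {
    cat > "$1" <<'EOF'
# reverse proxy
https_port 443 cert=/path/to/cert.pem key=/path/to/private.key defaultsite=app.example.com vhost
cache_peer 192.0.2.10 parent 443 0 no-query proxy-only originserver ssl sslcafile=/path/to/ca.pem ssldomain=app.example.com name=myHost

acl myNetwork src 192.0.2.0/24

http_access allow myNetwork
http_access deny all
cache_peer_access myHost allow myNetwork
cache_peer_access myHost deny all
EOF
}

main() {
    weak=$(mktemp); hard=$(mktemp)
    write_weak_conf "$weak"; write_hardened_conf "$hard"
    echo "== as on the page =="
    audit_squid_conf "$weak" || true
    echo "== hardened =="
    audit_squid_conf "$hard" && echo "no findings"
    rm -f "$weak" "$hard"
}
main
```

Run it against your own template with audit_squid_conf /etc/univention/templates/files/etc/squid3/squid.conf after sourcing the script. After committing the template, squid3 -k parse reports syntax errors in the generated file, and openssl s_client -connect <FQDN of DSTHOST>:443 -servername <FQDN of DSTHOST> from an address inside myNetwork shows which certificate the proxy now presents.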


After your changes have been saved, your Squid3 configuration file needs to be committed and Squid3 needs to be restarted:

ucr commit /etc/squid3/squid.conf
service squid3 restart

Afterwards your reverse proxy should be working.

Further Information

http://www.squid-cache.org/Doc/config/
