
1. Installing the Squid proxy on the server
# yum install squid
2. All the configuration is done in the squid.conf file, which is located at /etc/squid/squid.conf
Changes :
At acl declaration :
These ACLs are declared to separate HTTP and HTTPS requests.
acl port443 port 443
acl port80 port 80
Port 3128 is Squid's default proxy port; it is not used in our case, so it is disabled.
# Squid normally listens to port 3128
#http_port 3128
# Squid's port changed from the default to 80 for the HTTP reverse proxy
http_port 80 accel vhost
# Squid port for the HTTPS reverse proxy
https_port 443 cert=/etc/squid/ssl/1.crt key=/etc/squid/ssl/1.key vhost
We have to provide the certificate path and the key path in this directive when using the SSL port.
## For HTTP Reverse Proxy ##
# Directive to tell Squid that the IP address 192.168.1.23 is server1 (the others below are the other servers)
cache_peer 192.168.1.23 parent 80 0 no-query no-digest originserver login=PASS name=server1
#for other Servers
#cache_peer X.X.X.X parent 80 0 no-query no-digest originserver login=PASS name=server2
#cache_peer X.X.X.X parent 80 0 no-query no-digest originserver login=PASS name=server3
To specify other caches in a hierarchy, we use the format:
cache_peer hostname-or-IP type http-port icp-port [options]
parent : the type of cache (here a parent)
originserver : causes this parent to be contacted as an origin server; meant to be used in accelerator setups when the peer is a web server
no-query : disables ICP queries to this neighbor
no-digest : disables requests for cache digests
acl sites_server1 dstdomain www.YOURDOMAIN.com YOURDOMAIN.com
#acl sites_server2 dstdomain server2.domain.com
#acl sites_server3 dstdomain server3.domain.com
#Cache Peer Directive to map corresponding sites
cache_peer_access server1 allow sites_server1 port80
#cache_peer_access server2 allow sites_server2 port80
#cache_peer_access server3 allow sites_server3 port80
#Allow Access to the sites
http_access allow sites_server1
#http_access allow sites_server2
#http_access allow sites_server3
##For HTTPS Reverse Proxy ##
# Directive to tell Squid the IP addresses of the servers (209.251.48.72 and the others are private IP addresses hosted inside the network)
cache_peer 192.168.1.23 parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sslserver1
#for other Servers (SSL peers are contacted on port 443)
#cache_peer X.X.X.X parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sslserver2
#cache_peer X.X.X.X parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sslserver3
acl sites_ssl_server1 dstdomain www.YOURDOMAIN.com
#acl sites_ssl_server2 dstdomain server2.domain.com
#acl sites_ssl_server3 dstdomain server3.domain.com
#Cache Peer Directive to map corresponding sites
cache_peer_access sslserver1 allow sites_ssl_server1 port443
#cache_peer_access sslserver2 allow sites_ssl_server2 port443
#cache_peer_access sslserver3 allow sites_ssl_server3 port443
#Allow Access to the sites
http_access allow sites_ssl_server1
#http_access allow sites_ssl_server2
#http_access allow sites_ssl_server3
## This last line is compulsory: it prevents the proxy from being used to browse other sites
http_access deny all
Command to reload squid :
# /etc/init.d/squid reload
or simply
# squid -k reconfigure
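As an added example (not from the original page), here is a small Python linter for the reverse-proxy squid.conf fragment above: it checks that every acl and peer name used by cache_peer_access and http_access is declared before use (Squid rejects a reference to an undefined acl, which is exactly what a typo such as "port 443" instead of "port443" produces), that the last http_access rule is "deny all", and it flags sslflags=DONT_VERIFY_PEER, since that option makes Squid accept any certificate the backend presents. The configuration embedded in the script is a constructed sample mirroring the page's directives, not a live squid.conf.

```python
# Added example, not from the original page: a linter for the reverse-proxy
# squid.conf above. Checks acl/peer references, the final "deny all" rule,
# and warns about sslflags=DONT_VERIFY_PEER.
SAMPLE_CONF = """\
acl port443 port 443
acl port80 port 80
http_port 80 accel vhost
https_port 443 cert=/etc/squid/ssl/1.crt key=/etc/squid/ssl/1.key vhost
cache_peer 192.168.1.23 parent 80 0 no-query no-digest originserver login=PASS name=server1
acl sites_server1 dstdomain www.YOURDOMAIN.com YOURDOMAIN.com
cache_peer_access server1 allow sites_server1 port80
http_access allow sites_server1
cache_peer 192.168.1.23 parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sslserver1
acl sites_ssl_server1 dstdomain www.YOURDOMAIN.com
cache_peer_access sslserver1 allow sites_ssl_server1 port443
http_access allow sites_ssl_server1
http_access deny all
"""  # constructed sample mirroring the page's configuration

def lint_squid_conf(text):
    """Return a list of 'line: message' findings; an empty list means nothing was found."""
    acls = {"all"}            # "all" is a built-in acl in Squid
    peers, findings, last_rule = set(), [], None
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if not tok:
            continue
        directive = tok[0]
        if directive == "acl":
            acls.add(tok[1])
        elif directive == "cache_peer":
            name = next((t[5:] for t in tok if t.startswith("name=")), tok[1])
            peers.add(name)
            if "sslflags=DONT_VERIFY_PEER" in tok:
                findings.append(f"{n}: peer {name} skips backend certificate verification (DONT_VERIFY_PEER)")
        elif directive == "cache_peer_access":
            if tok[1] not in peers:
                findings.append(f"{n}: cache_peer_access refers to undefined peer {tok[1]}")
            for a in tok[3:]:
                if a.lstrip("!") not in acls:
                    findings.append(f"{n}: cache_peer_access refers to undefined acl {a}")
        elif directive == "http_access":
            last_rule = tok[1:]
            for a in tok[2:]:
                if a.lstrip("!") not in acls:
                    findings.append(f"{n}: http_access refers to undefined acl {a}")
    if last_rule != ["deny", "all"]:
        findings.append("last http_access rule is not 'deny all': proxy can be used for other sites")
    return findings
```

Run it against the sample and the only finding is the DONT_VERIFY_PEER warning on the sslserver1 peer; remove the final deny rule or misspell an acl name and the corresponding finding appears.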
3. Generating SSL Signing request
Generate a ‘key’ file that tells our server apart from other servers. If we don't have openssl already installed on our machine, we can install it using
yum install openssl
Then change to the directory where we would like to store the certificates. In our case, I chose:
mkdir /etc/squid/ssl
cd /etc/squid/ssl
openssl genrsa -out 1.key 2048
This will spit out a key for our server, which is used to create the CSR; the CSR is what we need to send to the SSL authority in order to get the files required to finish the setup. Next we generate the CSR (in the same directory):
openssl req -new -key 1.key -out 1.csr
We have to send the contents of this CSR to the SSL authority, which returns the signed certificate as a .crt file. In our case we already had a key and a certificate, so they were added to the ssl folder and renamed accordingly.
The received .crt was renamed to 1.crt and added to /etc/squid/ssl/
4. Appending the CA certificate to the main certificate file (1.crt)
The following command was executed, where ssl.ca is the CA certificate received from the signing authority:
cat ssl.ca >> 1.crt
A self-signed certificate can be generated for testing purposes as follows:
openssl x509 -req -days 3650 -in 1.csr -signkey 1.key -out selfsign.crt