SET SQUID AS REVERSE PROXY WITH AN SSL CERTIFICATE FROM A PUBLIC CA
Squid 2.5 and later can support TLS or SSL connections if built with --enable-ssl.
Configuration
1. Store the following files in a dedicated folder (this guide uses /etc/squid/certificates/):
- your SSL certificate (server.crt)
- your private key (server.key)
- your intermediate CA certificate (cacert.crt)
2. Configure the proxy:
To accept HTTPS connections on behalf of your website:
https_port 443 accel cert=/etc/squid/certificates/server.crt key=/etc/squid/certificates/server.key cafile=/etc/squid/certificates/cacert.crt defaultsite=yourwebserver vhost
This tells Squid to listen on port 443 for HTTPS connections in accelerator (reverse proxy) mode. Adjust the paths if you used a different certificates folder in Step 1.
To forward requests to an internal HTTPS Exchange server:
cache_peer internal_ip parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS connection-auth=off name=yourwebapp
Note that sslflags=DONT_VERIFY_PEER makes Squid skip validation of the internal server's certificate; it is meant for internal servers with self-signed certificates, and it means Squid cannot detect a substituted backend on that link.
To redirect to an internal HTTP website:
cache_peer internal_ip parent 80 0 no-query originserver login=PASS name=yourwebserver
Note: You can restrict the protocol options and ciphers so that only strong encryption is used. Append the following to the https_port line:
options=NO_SSLv2,SINGLE_DH_USE cipher=HIGH
You can then configure specific access lists and ACLs (see the Squid documentation for the full list of available access lists and ACLs).
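Before pointing https_port at the three files from Step 1, it is worth checking that they actually belong together. The following helper is an added example, not part of Squid or of this guide; it assumes the openssl command-line tool is installed and that the system trust store holds the public CA's root, so the intermediate alone is enough for the chain check.

```shell
#!/bin/sh
# Sanity-check the cert=/key=/cafile= files used by the https_port line.
# Returns 0 only if: the private key matches the certificate, the
# certificate is not expired, and the intermediate verifies the certificate.
# Hypothetical helper (not a Squid tool); needs the openssl CLI.
check_squid_certs() {
    cert=$1; key=$2; cafile=$3; rc=0
    for f in "$cert" "$key" "$cafile"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    # 1. key= must belong to cert=: the public keys must be identical
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key= does not match cert=" >&2; rc=1
    fi
    # 2. cert= must still be valid right now
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 \
        || { echo "cert= has expired" >&2; rc=1; }
    # 3. cafile= (plus the system root store) must chain to cert=
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
        || { echo "cafile= does not verify cert=" >&2; rc=1; }
    # Warn, without failing, if the private key is readable by others
    case $(ls -l "$key") in
        ?rw-------*) ;;
        *) echo "warning: $key is not mode 0600" >&2 ;;
    esac
    return $rc
}
# Usage: ./check_squid_certs.sh server.crt server.key cacert.crt
if [ $# -eq 3 ]; then check_squid_certs "$@"; exit $?; fi
```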