We are working on a functionality in order to import contacts from :
- yahoo
- twitter
- gmail
- Facebook
- … …
Our service PAB (Personal Address Book) is distributed among 6 solaris backend (each one with 2 instances of PAB service). In order to import contacts the backend server (where is placed PAB) needs to talk directly with Internet. For different reasons we added (in order to avoid backend which talks directly with internet) a reverse proxy (Squid).
Here my notes about :
#1 Generate Certificate (autosigned)
#2 Configuration of Squid
Warning : what is here reported is just my work note without any double check.
#1 Generate Certificate (auto signed)
Flow : [ BackEnd PAB Server ] ---[1]--->[ Squid ]--[2]-->(internet)
in this flow the "BackEnd PAB Server" acts as a client and it opens a connection to Squid server.
Communication [1]requires SSL (in above picture is SSL1) so we need to generate certificate to use and install on Squid. Steps in order to auto-sign a certificate :
Generate private key
openssl genrsa -des3 -out squid-server.key 1024
Generate CSR ( Certificate Signing Request ) using private key
openssl req -new -key squid-server.key -out squid-server.csr
openssl rsa -in squid-server.key -out squid-proxy.key
Self-sign with private key CSR and generate Certificate
openssl x509 -req -days 365 -in squid-server.csr -signkey squid-proxy.key -out squid-proxy.crt
As we'll see later : squid-proxy.crt and squid-proxy.key will be used in order to configure Squid.
Note: 365 is time validity of certificate (you can increase it generally not more of 3 years)
Note: in order to check certificate validity / expiration date
openssl x509 -in squid-proxy.crt -noout -enddate
notAfter=Jul 14 13:48:44 2012 GMTNote: If we have problem in [1] (for example your server doesn't accept certificate and it hangs during the SSL negotiation) then the Squid log shows below error message :
clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:1407609B …
Mainly you need that the client (in our case the PAB server), which opens connection to Squid, recognises as valid the certificate that you generated (self-signed) above. Since certificate is self-signed (and we are not a trusted CA) we need to add on client-side (in our case the PAB server) the certificate squid-proxy.crt as trusted. How to do that depend on how the server works : in our case PAB has a directory where copy trusted certificate squid-proxy.crt. So I don't report how to add as trusted the certificate squid-proxy.crt.
#2 Configure certificate for Squid
+ 2.1 Certificate (auto-signed) for flow SSL1
Flow : [ BackEnd PAB Server ] ---[1]--->[ Squid ]--[2]-->(internet)
[SSL1] is the communication between Backend Server <-> FrontEnd Squid. SSL is terminated directly on Squid. Configure: /etc/squid/squid.conf
http_port 80 https_port 443 cert=/usr/local/squid/ssl/squid-proxy.crt key=/usr/local/squid/ssl/squid-proxy.key
Probably you need to create: /usr/local/squid/ssl/
squid-proxy.key and squid-proxy.crt are files generated in #1
443 is https (SSL) port used in [SSL 1]
+2.2 Certificate for flow SSL2
Flow : [ BackEnd PAB Server ] ---[1]--->[ Squid ]--[2]-->(internet)
[SSL2] is the communication between FrontEnd Squid <-> Internet (severs Facebook, Gmail, Yahoo!... that provide API), If you have "different" certificates to use in [SSL 2] configure: /etc/squid/squid.conf
sslproxy_capath /usr/local/squid/sslclient/tls/CACertificates/ sslproxy_flags NO_DEFAULT_CA
Where path /usr/local/squid/sslclient/tls/CACertificates/ is where you have stored trusted CA (certificates to consider valid). Alternatively if you need to ignore certificates in [SSL2] (trust unconditionally all certificates) :
sslproxy_flags DONT_VERIFY_PEER #(isn't recommended this setting : it is too permissive)
+ 2.3 common config
Bebug
Debug level is :
debug_options ALL,1 33,2 #(isn't recommended this setting for production environment)
ACL
Access Control List :
http_access allow localhost #http_access deny all http_access allow all #(isn't recommended this setting : it is too permissive)
if you have problem with ACL this is line is present in Squid log :
TCP_DENIED/403 1352 GET XXXXXXXXX - NONE/- text/html
[...] [1]. http://busylog.net/squid-ssl-certificate/ [...]