Squid – SSL Certificate

We are working on a feature to import contacts from:
– yahoo
– twitter
– gmail
– Facebook
– … …

Our PAB (Personal Address Book) service is distributed across 6 Solaris backends (each one with 2 instances of the PAB service). To import contacts, the backend server (where PAB runs) needs to talk directly to the Internet. For various reasons (to avoid a backend that talks directly to the Internet) we added a reverse proxy (Squid).

Here are my notes about:
#1 Generating the certificate (self-signed)
#2 Configuring Squid
 Warning: what is reported here is just my work notes, without any double check.

(Figure: Squid connection flow)

#1 Generate certificate (self-signed)

Flow : [ BackEnd PAB Server ] —[1]—>[ Squid ]–[2]–>(internet)
 In this flow the “BackEnd PAB Server” acts as a client and opens a connection to the Squid server.

Communication [1] requires SSL (SSL1 in the picture above), so we need to generate a certificate to install on Squid. Steps to self-sign a certificate:

 Generate the private key (passphrase-protected, -des3)
 openssl genrsa -des3 -out squid-server.key 1024
 Generate the CSR (Certificate Signing Request) from the private key
 openssl req -new -key squid-server.key -out squid-server.csr
 Strip the passphrase from the key, so that Squid can load it at startup without prompting
 openssl rsa -in squid-server.key -out squid-proxy.key
 Self-sign the CSR with the private key and generate the certificate
 openssl x509 -req -days 365 -in squid-server.csr -signkey squid-proxy.key -out squid-proxy.crt

As we’ll see later, squid-proxy.crt and squid-proxy.key will be used to configure Squid.

 Note: 365 is the validity period of the certificate in days (you can increase it, but generally to no more than 3 years).
 Note: to check the certificate validity / expiration date:

openssl x509 -in squid-proxy.crt -noout -enddate
notAfter=Jul 14 13:48:44 2012 GMT

 Note: if there is a problem in [1] (for example your server doesn’t accept the certificate and hangs during the SSL negotiation), the Squid log shows the error message below:

clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:1407609B …

Mainly you need the client (in our case the PAB server), which opens the connection to Squid, to recognise the certificate generated (self-signed) above as valid. Since the certificate is self-signed (and we are not a trusted CA) we need to add the certificate squid-proxy.crt as trusted on the client side (in our case the PAB server). How to do that depends on how the server works: in our case PAB has a directory where the trusted certificate squid-proxy.crt is copied, so I don’t report how to add squid-proxy.crt as trusted.
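As an added example (not part of the original notes), the steps of #1 as a non-interactive script, together with the checks I would run before installing the files on Squid: the expiry date (the -enddate check above), a -checkend test usable from monitoring, a verification that a client trusting only squid-proxy.crt accepts it (what the PAB server must do), and a key/certificate match. It assumes openssl is in PATH, uses the placeholder hostname squid-proxy.example as CN, and uses a 2048-bit key instead of the 1024-bit one above, since 1024-bit RSA is below current minimums.

```shell
# Added example, not from the original notes: section #1 as a script plus
# pre-install checks. Assumptions: openssl in PATH; WORKDIR is a scratch
# directory; the CN "squid-proxy.example" is a placeholder for the Squid host.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CN:-squid-proxy.example}"

# Key, CSR and self-signed certificate in one command. -nodes writes an
# unencrypted key so Squid can load it without a passphrase prompt (same
# effect as the "openssl rsa -in ... -out" step in the notes). 2048-bit RSA
# instead of 1024, which is below current minimums.
gen_cert() {
  days="${1:-365}"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$CN" \
    -keyout "$WORKDIR/squid-proxy.key" -out "$WORKDIR/squid-proxy.crt" \
    >/dev/null 2>&1
}

# Expiry date, same output as the check in the notes (notAfter=...).
cert_enddate() {
  openssl x509 -in "$WORKDIR/squid-proxy.crt" -noout -enddate
}

# Exit 0 if the cert stays valid for at least $1 more seconds, 1 otherwise.
# Run it from cron/monitoring so the SSL1 leg does not break on expiry.
cert_valid_for() {
  openssl x509 -in "$WORKDIR/squid-proxy.crt" -noout -checkend "$1" >/dev/null
}

# What the PAB server must do: trust squid-proxy.crt as the only CA. Verifying
# the cert against itself confirms it chains to that trust anchor.
verify_as_trusted() {
  openssl verify -CAfile "$WORKDIR/squid-proxy.crt" "$WORKDIR/squid-proxy.crt" \
    >/dev/null 2>&1
}

# Key and cert must carry the same public key, otherwise https_port fails to
# start. Compare the SHA-256 of the public key extracted from each file.
key_matches_cert() {
  k=$(openssl pkey -in "$WORKDIR/squid-proxy.key" -pubout | openssl dgst -sha256)
  c=$(openssl x509 -in "$WORKDIR/squid-proxy.crt" -noout -pubkey | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

if [ "${1:-}" = "run" ]; then
  gen_cert 365 && cert_enddate && cert_valid_for 2592000 \
    && verify_as_trusted && key_matches_cert && echo "all checks passed"
fi
```

Run it with the argument `run` to generate the files in WORKDIR and execute all checks; copy squid-proxy.key and squid-proxy.crt to /usr/local/squid/ssl/ afterwards as in #2.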

#2 Configure certificates for Squid

+ 2.1 Certificate (self-signed) for flow SSL1

Flow : [ BackEnd PAB Server ] —[1]—>[ Squid ]–[2]–>(internet)

(Figure: Squid connection flow – SSL1)

[SSL1] is the communication between Backend Server <-> FrontEnd Squid. SSL is terminated directly on Squid. Configure /etc/squid/squid.conf:

http_port 80
https_port 443 cert=/usr/local/squid/ssl/squid-proxy.crt key=/usr/local/squid/ssl/squid-proxy.key

You probably need to create /usr/local/squid/ssl/
squid-proxy.key and squid-proxy.crt are the files generated in #1
443 is the https (SSL) port used in [SSL1]

+ 2.2 Certificate for flow SSL2

Flow : [ BackEnd PAB Server ] —[1]—>[ Squid ]–[2]–>(internet)

(Figure: Squid connection flow – SSL2)

[SSL2] is the communication between FrontEnd Squid <-> Internet (the Facebook, Gmail, Yahoo!… servers that provide the APIs). If you have “different” certificates to use in [SSL2], configure /etc/squid/squid.conf:

sslproxy_capath /usr/local/squid/sslclient/tls/CACertificates/
sslproxy_flags NO_DEFAULT_CA

Where the path /usr/local/squid/sslclient/tls/CACertificates/ is where you have stored the trusted CAs (certificates to consider valid); NO_DEFAULT_CA tells Squid not to load the default CA list built into OpenSSL in addition to that directory. Alternatively, if you need to ignore certificates in [SSL2] (trust all certificates unconditionally):

sslproxy_flags DONT_VERIFY_PEER #(this setting isn't recommended: it is too permissive, Squid accepts any certificate from the remote servers)

+ 2.3 Common config

Debug level:

debug_options ALL,1 33,2 #(this setting isn't recommended for a production environment)

Access Control List :

http_access allow localhost
#http_access deny all
http_access allow all #(this setting isn't recommended: it is too permissive)

If you have a problem with the ACL, this line is present in the Squid log:

TCP_DENIED/403 1352 GET XXXXXXXXX - NONE/- text/html