Squid Reverse Proxy Over Ssl

Squid Reverse Proxy Over Ssl(from official mail list)

http://www.squid-cache.org/mail-archive/squid-users/200607/0016.html

I got success to set up a reverse proxy server over SSL.
The following is my experience:

1, compile squid with "- -enable-ssl" and optional "- -with-openssl=" if your ssl-devel not in /usr/include/openssl f.e. "—with-openssl=/usr/local/include"

./configure —enable-ssl —with-openssl=/usr/local/ssl/include

2. cd /usr/local/squid/etc
mkdir demoCA
cd demoCA
touch index.txt
echo "01" > serial
mkdir private
mkdir newcerts

generate CA certificate (self-signed)
/usr/local/ss/bin/openssl req -new -x509 -keyout
/usr/local/squid/etc/demoCA/private/cakey.pem -out
/usr/local/squid/etc/demoCA/cacert.pem -days 365 -subj
/CA=US/ST=xxxx/L=xxxxx/OU=xxxx/O=xxxx/CN=yourdomain/emailAddress=moc.sserdda|liameruoy#moc.sserdda|liameruoy

3. generate certificate
/usr/local/ssl/bin/openssl req -new -keyout key.pem -out req.pem -days 365
where req.pem - certificate request

4. Remove the password from the key.
cd /usr/local/squid/etc
cp key.pem key.pem.old
/usr/local/ssl/bin/openssl rsa -in key.pem.old -out key.pem

5.sign this certificate with your CA cert
/usr/local/ssl/bin/openssl ca -in /usr/local/squid/etc/req.pem -out
/usr/local/squid/etc/cert.pem

6.remove unneeded lines from cert.pem (usually you only need
lines beetwen
-BEGIN CERTIFICATE-
…………………….
………………….
-END CERTIFICATE-

7. add this in squid.conf

https_port [ip_address:]port cert=/where/cert.pem key=/where/key.pem

Here are the keys for the config of squid:

acl huanghuagang.org dstdomain huanghuagang.org
acl our_networks src 192.168.0.0/24

http_access allow huanghuagang.org
http_access allow our_networks

https_port 8888 accel vhost cert=/usr/local/squid/etc/cert.pem
key=/usr/local/squid/etc/key.pem
cafile=/usr/local/squid/etc/demoCA/cacert.pem defaultsite=xxx.fr

cache_peer huanghuagang.org parent 80 0 no-query originserver name=huanghuagang

cache_peer_access huanghuagang allow huanghuagang.org

If I need another site, I would assign 8889 to this site and repeat everything above. I do not know if there is a better way. But this way is easy to understand.