Squid HTTPS Reverse Proxy


#1

There are different machines running different websites in an internal network.
Squid shall work as a CDN proxy which shall make use of Let's Encrypt certificates in order to encrypt the client-proxy connection.
1. Would it be possible to disguise the proxy so that the client doesn't know about the proxying? I.e. the client only talks to the proxy and doesn't know about the actual delivering server?
2. http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate makes use of a wildcard certificate. I guess in that case it's probably the same as a multi-domain certificate?
2.1 Is it possible to sign self-created certificates with the LE cert like an intermediate CA?


#2

Yes. If squid is configured as an HTTP(S) reverse proxy, it doesn't have to disclose the backend server. You should probably still lock down the backend servers so that only the reverse proxy has access to them - not doing that is what often allows attackers to determine the IP address of sites using CDNs like CloudFlare, which try to hide the real IP address as well.

It doesn't look like anything in that guide really requires wildcards, so a Multi-SAN (Multi-Domain) certificate should work just as well.

Quoting chiasa.men (post #1): "2.1 is it possible to sign self-created certificates with the LE cert like an intermediate CA?"

Unfortunately, that’s not possible. You’d have to essentially run and be audited as a CA (:moneybag::moneybag::moneybag:) before you could get an intermediate certificate from a publicly-trusted CA.
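For reference, here is a minimal squid.conf that puts the answers to questions 1 and 2 together: TLS terminated at Squid with a Let's Encrypt certificate, origin servers selected by Host header and never exposed to the client. This is an added example, not code from the thread or from the Squid wiki page; host names, IP addresses and certificate paths are assumed placeholders.

```conf
# Added example (not from the thread or the Squid wiki): Squid 4 reverse-proxy
# ("accel") setup with a Let's Encrypt certificate. Names, IPs and paths are
# assumed placeholders.

# Client-facing HTTPS listener. fullchain.pem holds the leaf plus the LE chain,
# so a multi-SAN certificate covering both sites works without a wildcard.
# (Squid 3.5 spells these options cert= and key= instead of tls-cert=/tls-key=.)
https_port 443 accel vhost defaultsite=www.example.com tls-cert=/etc/letsencrypt/live/www.example.com/fullchain.pem tls-key=/etc/letsencrypt/live/www.example.com/privkey.pem

# Internal origin servers (assumed addresses). The client only ever sees the
# proxy; these addresses never appear in any response.
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=origin_www
cache_peer 10.0.0.12 parent 80 0 no-query originserver name=origin_blog

# Route each requested host name to exactly one origin and refuse the rest,
# so the proxy cannot be used to reach arbitrary internal hosts.
acl site_www  dstdomain www.example.com
acl site_blog dstdomain blog.example.com
cache_peer_access origin_www  allow site_www
cache_peer_access origin_www  deny  all
cache_peer_access origin_blog allow site_blog
cache_peer_access origin_blog deny  all

http_access allow site_www
http_access allow site_blog
http_access deny all
```

As post #2 notes, this only hides the origins if they are also firewalled so that port 80 accepts connections solely from the proxy's internal address; Squid does not enforce that on the origins' behalf.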
