Otdfbt

What would be the way to say "just saying" in German? (Not the literal translation)

Does putting salt first make it easier for attacker to bruteforce the hash?

What standard algorithm can determine if exactly one of a container satisfies a predicate?

USGS Relief map (GeoTIFF raster) misaligns with vector layers (QGIS)

With Ubuntu 18.04, how can I have a hot corner that locks the computer?

Generate basis elements of the Steenrod algebra

Separate SPI data

Which is the better way to call a method that is only available to one class that implements an interface but not the other one?

If there's something that implicates the president why is there then a national security issue? (John Dowd)

Electricity free spaceship

Why does this query, missing a FROM clause, not error out?

AMPScript SMS InsertDE() function not working in SMS

How can I end combat quickly when the outcome is inevitable?

How to communicate to my GM that not being allowed to use stealth isn't fun for me?

Why am I getting a strange double quote (“) in Open Office instead of the ordinary one (")?

60s or 70s novel about Empire of Man making 1st contact with 1st discovered alien race

Single-key teletype?

Smart-expansion of a range to a list of numbers

Excel division by 0 error when trying to average results of formulas

What are some really overused phrases in French that are common nowadays?

Is it expected that a reader will skip parts of what you write?

How can I remove material from this wood beam?

New bike, tubeless tire will not inflate

I have a problematic assistant manager, but I can't fire him

Squid reverse proxy with multiple SSL-certificates via SNI

Multiple SSL certificates with Squid reverse proxySquid and SSL Reverse ProxyMultiple SSL domains on the same IP address and same port?nginx as reverse proxy with upstream SSLMultiple SSL certificates with Squid reverse proxyCan a Reverse Proxy use SNI with SSL pass through?Squid: how to enable verification for SSL self-signed certificatesIIS 8 - Default SSL Site Breaks SNISquid HTTPS intercept generates certifcate for IP instead of hostnameTLS/SSL - Does SNI Have a Limit on Number of Domains Running on Nginx?Apache SNI Issues with SSL Certificates

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

1

Does squid Proxy Server offer the possibility to supply multiple SSL certificates to it?

I have a server with various virtual machines running Apache web servers for different customers. As an economic alternative to sell customers one dedicated IP address I would like to at least (explain the consequences of and) offer them a solution using sni on the server machine's shared IP.

So let's say we have a Server with 4 domains: domain1a.com, domain1b.com, domain2a.com and domain2b.com. Domain domaina1.com and domainb1.com are hosted by the same Apache instance within a virtual machine, and so are the other two domains. Each virtual machine has a NAT translated, local IPv4 IP address, to which the requests ought to be sent.

All HTTP(S) requests shall go through a caching proxy server for speed and sharing the server IP. Thus, the solution should offer SSL termination and SNI.

Back in 2013 the answer to this question pointed out Squid's incapability of SNI. However, since Squid 3.5 it supports SNI with peek-and-splice.

As far as I found out, the options with Squid I have are

1. use a self-signed CA and dynamic certificate generation , or


2. use a certificate with multiple SAN names listing all domains hosted on the (physical) server.

(1) does not work obviously, because we can't install a self-signed CA cert on every website visitor's computer (thankfully!).

(2) does not work for me, because it would be very inflexible and reveal each and every domain hosted on the (physical) server machine.

Did I miss something here? Can I provide Squid with multiple SSL certificates for SNI? If that is not possible: what alternatives would match my situation?

Thanks in advance!

ssl-certificate reverse-proxy https squid sni

share|improve this question

edited Apr 13 '17 at 12:14

Community♦

1

asked Jun 27 '16 at 15:59

DortonDorton

64

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Why squid? It is mostly used for being a proxy for multiple clients not as a reverse proxy in front of a webserver. Use something like varnish, apache, nginx or caddy as reverse proxy. Caddy even provides you automatic letsencrypt certificates.
  
  – TabTwo
  May 24 at 22:49
  

  
  
  
  

add a comment | 

1

Does squid Proxy Server offer the possibility to supply multiple SSL certificates to it?

I have a server with various virtual machines running Apache web servers for different customers. As an economic alternative to sell customers one dedicated IP address I would like to at least (explain the consequences of and) offer them a solution using sni on the server machine's shared IP.

So let's say we have a Server with 4 domains: domain1a.com, domain1b.com, domain2a.com and domain2b.com. Domain domaina1.com and domainb1.com are hosted by the same Apache instance within a virtual machine, and so are the other two domains. Each virtual machine has a NAT translated, local IPv4 IP address, to which the requests ought to be sent.

All HTTP(S) requests shall go through a caching proxy server for speed and sharing the server IP. Thus, the solution should offer SSL termination and SNI.

Back in 2013 the answer to this question pointed out Squid's incapability of SNI. However, since Squid 3.5 it supports SNI with peek-and-splice.

As far as I found out, the options with Squid I have are

1. use a self-signed CA and dynamic certificate generation , or


2. use a certificate with multiple SAN names listing all domains hosted on the (physical) server.

(1) does not work obviously, because we can't install a self-signed CA cert on every website visitor's computer (thankfully!).

(2) does not work for me, because it would be very inflexible and reveal each and every domain hosted on the (physical) server machine.

Did I miss something here? Can I provide Squid with multiple SSL certificates for SNI? If that is not possible: what alternatives would match my situation?

Thanks in advance!

ssl-certificate reverse-proxy https squid sni

share|improve this question

edited Apr 13 '17 at 12:14

Community♦

1

asked Jun 27 '16 at 15:59

DortonDorton

64

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Why squid? It is mostly used for being a proxy for multiple clients not as a reverse proxy in front of a webserver. Use something like varnish, apache, nginx or caddy as reverse proxy. Caddy even provides you automatic letsencrypt certificates.
  
  – TabTwo
  May 24 at 22:49
  

  
  
  
  

add a comment | 

Does squid Proxy Server offer the possibility to supply multiple SSL certificates to it?

I have a server with various virtual machines running Apache web servers for different customers. As an economic alternative to sell customers one dedicated IP address I would like to at least (explain the consequences of and) offer them a solution using sni on the server machine's shared IP.

So let's say we have a Server with 4 domains: domain1a.com, domain1b.com, domain2a.com and domain2b.com. Domain domaina1.com and domainb1.com are hosted by the same Apache instance within a virtual machine, and so are the other two domains. Each virtual machine has a NAT translated, local IPv4 IP address, to which the requests ought to be sent.

All HTTP(S) requests shall go through a caching proxy server for speed and sharing the server IP. Thus, the solution should offer SSL termination and SNI.

Back in 2013 the answer to this question pointed out Squid's incapability of SNI. However, since Squid 3.5 it supports SNI with peek-and-splice.

As far as I found out, the options with Squid I have are

1. use a self-signed CA and dynamic certificate generation , or


2. use a certificate with multiple SAN names listing all domains hosted on the (physical) server.

(1) does not work obviously, because we can't install a self-signed CA cert on every website visitor's computer (thankfully!).

(2) does not work for me, because it would be very inflexible and reveal each and every domain hosted on the (physical) server machine.

Did I miss something here? Can I provide Squid with multiple SSL certificates for SNI? If that is not possible: what alternatives would match my situation?

Thanks in advance!

ssl-certificate reverse-proxy https squid sni

share|improve this question

edited Apr 13 '17 at 12:14

Community♦

1

asked Jun 27 '16 at 15:59

DortonDorton

64

share|improve this question

edited Apr 13 '17 at 12:14

Community♦

1

asked Jun 27 '16 at 15:59

DortonDorton

64

share|improve this question

edited Apr 13 '17 at 12:14

Community♦

1

asked Jun 27 '16 at 15:59

DortonDorton

64

edited Apr 13 '17 at 12:14

Community♦

1

edited Apr 13 '17 at 12:14

Community♦

1

asked Jun 27 '16 at 15:59

DortonDorton

64

asked Jun 27 '16 at 15:59

DortonDorton

64

1 Answer
1

active

oldest

votes

0

Unfortunately the answer is still no. The current reason is just that the final bits of necessary plumbing does not exist yet. All the components needed exist in Squid-4 and are used for TLS interception. But they still have yet to be joined up in a way suitable for use in reverse-proxy.

share|improve this answer

answered Sep 28 '16 at 3:02

Amos JeffriesAmos Jeffries

24015

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @amos-jefferies is http2 and sni work related for reverse proxy scenario? Is this the best place to track http2 wiki.squid-cache.org/Features/HTTP2 status. I have to say that I really like squid. (and I'd hate to change it, but google is pushing ssl for every site and SNI is then the only option =( )
  
  – Manwe
  Nov 21 '16 at 7:40
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f786546%2fsquid-reverse-proxy-with-multiple-ssl-certificates-via-sni%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

Unfortunately the answer is still no. The current reason is just that the final bits of necessary plumbing does not exist yet. All the components needed exist in Squid-4 and are used for TLS interception. But they still have yet to be joined up in a way suitable for use in reverse-proxy.

share|improve this answer

answered Sep 28 '16 at 3:02

Amos JeffriesAmos Jeffries

24015

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @amos-jefferies is http2 and sni work related for reverse proxy scenario? Is this the best place to track http2 wiki.squid-cache.org/Features/HTTP2 status. I have to say that I really like squid. (and I'd hate to change it, but google is pushing ssl for every site and SNI is then the only option =( )
  
  – Manwe
  Nov 21 '16 at 7:40
  

  
  
  
  

add a comment | 

0

Unfortunately the answer is still no. The current reason is just that the final bits of necessary plumbing does not exist yet. All the components needed exist in Squid-4 and are used for TLS interception. But they still have yet to be joined up in a way suitable for use in reverse-proxy.

share|improve this answer

answered Sep 28 '16 at 3:02

Amos JeffriesAmos Jeffries

24015

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @amos-jefferies is http2 and sni work related for reverse proxy scenario? Is this the best place to track http2 wiki.squid-cache.org/Features/HTTP2 status. I have to say that I really like squid. (and I'd hate to change it, but google is pushing ssl for every site and SNI is then the only option =( )
  
  – Manwe
  Nov 21 '16 at 7:40
  

  
  
  
  

add a comment | 

Unfortunately the answer is still no. The current reason is just that the final bits of necessary plumbing does not exist yet. All the components needed exist in Squid-4 and are used for TLS interception. But they still have yet to be joined up in a way suitable for use in reverse-proxy.

share|improve this answer

answered Sep 28 '16 at 3:02

Amos JeffriesAmos Jeffries

24015

share|improve this answer

answered Sep 28 '16 at 3:02

Amos JeffriesAmos Jeffries

24015

answered Sep 28 '16 at 3:02

Amos JeffriesAmos Jeffries

24015

answered Sep 28 '16 at 3:02

Amos JeffriesAmos Jeffries

24015