Squid Reverse Proxy with Domain Based Virtual Hosting for HTTPS

By 206rc, October 7, 2013

As the title says, this is the HTTPS version of "Squid Reverse Proxy with Domain Based Virtual Hosting for HTTP".

Client (web browser) ⇔ (HTTPS) ⇔ Squid (reverse proxy) ⇔ (HTTP) ⇔ backend servers

As shown above, if only the hop between the client (web browser) and Squid (reverse proxy) is HTTPS (so-called SSL), the configuration is simple.
Either way, nothing can proceed until a public-key certificate (SSL certificate) is installed on Squid (reverse proxy), so I will start with that (if you already know this part, skip ahead).

1. Building a private CA

[root@CentOS4 ~]# cd /etc/pki/tls/misc/
[root@CentOS4 misc]# ls -la
合計 56
drwxr-xr-x 2 root root 4096 10月  2 01:06 .
drwxr-xr-x 5 root root 4096 10月  2 01:06 ..
-rwxr-xr-x 1 root root 3758  3月  5  2013 CA
-rwxr-xr-x 1 root root  119  3月  5  2013 c_hash
-rwxr-xr-x 1 root root  152  3月  5  2013 c_info
-rwxr-xr-x 1 root root  112  3月  5  2013 c_issuer
-rwxr-xr-x 1 root root  110  3月  5  2013 c_name
[root@CentOS4 misc]# cp -p CA CA-original
[root@CentOS4 misc]# vi CA
[root@CentOS4 misc]# diff -u CA-original CA
--- CA-original 2013-03-05 20:26:13.000000000 +0900
+++ CA  2013-10-04 10:21:20.000000000 +0900
@@ -32,8 +32,8 @@

 if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

-DAYS="-days 365"       # 1 year
-CADAYS="-days 1095"    # 3 years
+DAYS="-days 3650"      # 10 years
+CADAYS="-days 3650"    # 10 years
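Review bot: DAYS and CADAYS are different knobs, and only the second one is the CA's own lifetime; DAYS (the line commented "# 1 year") is the validity the script gives every certificate it later signs, so after this change each Squid server certificate lives 10 years on an internet-facing proxy. Suggest changing only `CADAYS="-days 3650"` and leaving `DAYS="-days 365"` (or at most a year or two) so a compromised or rotated proxy key does not stay valid for a decade.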
[root@CentOS4 misc]#


[root@CentOS4 misc]# cd /etc/pki/tls/
[root@CentOS4 tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@CentOS4 tls]# cp -p openssl.cnf openssl.cnf-original
[root@CentOS4 tls]# vi openssl.cnf
[root@CentOS4 tls]# diff -u openssl.cnf-original openssl.cnf
--- openssl.cnf-original        2013-03-05 20:26:13.000000000 +0900
+++ openssl.cnf 2013-10-04 10:28:52.000000000 +0900
@@ -175,7 +175,7 @@
 # This goes against PKIX guidelines but some CAs do it and some software
 # requires this to avoid interpreting an end user certificate as a CA.


 # Here are some examples of the usage of nsCertType. If it is omitted
 # the certificate can be used for anything *except* object signing.
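Review bot: this hunk has no `+` or `-` line at all, only context around the two blank lines near line 175 of openssl.cnf, so what it records is a whitespace-only edit (trailing spaces left by vi, most likely). Drop it from the diff, or re-run `diff -uw`, so the real changes in the following hunk are the only thing a reader has to review.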
@@ -187,13 +187,13 @@
 # nsCertType = objsign

 # For normal client use this is typical
-# nsCertType = client, email
+nsCertType = client, email

 # and for everything including object signing:
 # nsCertType = client, email, objsign

 # This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+keyUsage = cRLSign, keyCertSign

 # This will be displayed in Netscape's comment listbox.
 nsComment                      = "OpenSSL Generated Certificate"
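Review bot: the extensions being edited here belong to the end-entity section, not to the CA's own certificate: the surrounding comments ("to avoid interpreting an end user certificate as a CA", "For normal client use this is typical", "This is typical in keyUsage for a client certificate") are openssl.cnf's description of the extensions applied to certificates this CA signs. Setting `keyUsage = cRLSign, keyCertSign` and enabling `nsCertType = client, email` here therefore stamps CA-style key usage and a client/email cert type onto every server certificate issued with this config later, instead of `digitalSignature, keyEncipherment` and a server type, which TLS clients may reject. Suggest reverting these two lines and putting `keyUsage = cRLSign, keyCertSign` into the extension section used for the self-signed CA certificate (or a dedicated section selected with `-extensions` when creating the CA), leaving the default end-entity extensions for the Squid certificates.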
[root@CentOS4 tls]#


[root@CentOS4 tls]# cd /etc/pki/tls/misc/
[root@CentOS4 misc]# ./CA -newca
mkdir: ディレクトリ `../../CA' を作成できません: ファイルが存在します
mkdir: ディレクトリ `../../CA/private' を作成できません: ファイルが存在します
CA certificate filename (or enter to create) (press Enter only)

Making CA certificate ...
Generating a 1024 bit RSA private key
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase: (type a passphrase; the characters are not echoed)
Verifying - Enter PEM pass phrase: (type the passphrase again)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Yamagata
Locality Name (eg, city) [Newbury]:Yamagata-shi
Organization Name (eg, company) [My Company Ltd]:Example Corp.
Organizational Unit Name (eg, section) []: (press Enter only)
Common Name (eg, your name or your server's hostname) []:PrivateCA
Email Address []: (press Enter only)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (press Enter only)
An optional company name []: (press Enter only)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
            Not Before: Oct  4 01:31:14 2013 GMT
            Not After : Oct  2 01:31:14 2023 GMT
            countryName               = JP
            stateOrProvinceName       = Yamagata
            organizationName          = Example Corp.
            commonName                = PrivateCA
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Cert Type:
                SSL Client, S/MIME
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

Certificate is to be certified until Oct  2 01:31:14 2023 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
[root@CentOS4 misc]#


[root@CentOS4 misc]# cd /etc/pki/CA/
[root@CentOS4 CA]# openssl x509 -inform pem -in ./cacert.pem -outform der -out ./cacert.der
[root@CentOS4 CA]# ls -l
合計 92
-rw-r--r-- 1 root root  706 10月  4 10:34 cacert.der
-rw-r--r-- 1 root root 3238 10月  4 10:31 cacert.pem
-rw-r--r-- 1 root root  655 10月  4 10:31 careq.pem
drwxr-xr-x 2 root root 4096 10月  4 10:29 certs
drwxr-xr-x 2 root root 4096 10月  4 10:29 crl
-rw-r--r-- 1 root root   83 10月  4 10:31 index.txt
-rw-r--r-- 1 root root   21 10月  4 10:31 index.txt.attr
-rw-r--r-- 1 root root    0 10月  4 10:29 index.txt.old
drwxr-xr-x 2 root root 4096 10月  4 10:31 newcerts
drwx------ 2 root root 4096 10月  4 10:29 private
-rw-r--r-- 1 root root    3 10月  4 10:31 serial
-rw-r--r-- 1 root root    3 10月  4 10:29 serial.old
[root@CentOS4 CA]#
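The same private CA build, written as an added example rather than the blog's own commands: instead of editing the shared /etc/pki/tls/openssl.cnf and the CA wrapper script, it uses plain openssl(1) calls with a private extension file, so the CA's keyCertSign/cRLSign usage goes only on the CA certificate and the server certificate gets proper end-entity extensions (CA:FALSE, digitalSignature/keyEncipherment, serverAuth, a subjectAltName). It then issues a server certificate signed by that CA, verifies the chain, and exports the CA certificate as DER just as the page's last command does. The names PrivateCA, www.example.jp, ext.cnf and the 398-day leaf validity are illustrative assumptions, and the CA key is 2048 bits rather than the 1024 bits the page's run produced.

```shell
#!/bin/sh
# Added example, not the blog's own commands. Builds a private CA and one
# server certificate with explicit extension sections, so the CA's
# keyCertSign/cRLSign key usage never has to be written into the shared
# /etc/pki/tls/openssl.cnf end-entity section.
# Assumed names: PrivateCA, www.example.jp, ext.cnf (all illustrative).
set -eu

# Writes the extension file used below: one section for the CA certificate,
# one for end-entity TLS server certificates. The [req] stanza is there only
# because openssl req insists on a distinguished_name entry even when -subj
# supplies the whole subject.
write_ext_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.jp
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Creates the CA key and self-signed certificate in $1, issues a server
# certificate for www.example.jp signed by it, and writes a DER copy of the
# CA certificate for browser import. Runs in a subshell so the cd does not
# leak into the caller.
build_private_ca() (
    workdir="$1"
    mkdir -p "$workdir"
    cd "$workdir"
    write_ext_config ext.cnf

    # CA certificate: 10-year validity as on the page, 2048-bit key instead of 1024.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=JP/ST=Yamagata/O=Example Corp./CN=PrivateCA" \
        -config ext.cnf -extensions v3_ca \
        -keyout cakey.pem -out cacert.pem 2>/dev/null
    chmod 600 cakey.pem

    # Server key and CSR; the hostname also goes into the SAN via v3_server.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=JP/O=Example Corp./CN=www.example.jp" \
        -config ext.cnf \
        -keyout serverkey.pem -out server.csr 2>/dev/null
    chmod 600 serverkey.pem

    # Sign with the CA, applying end-entity extensions and a much shorter
    # validity than the CA (398 days is an assumption, not the page's value).
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 398 \
        -extfile ext.cnf -extensions v3_server -out servercert.pem 2>/dev/null

    # DER export of the CA certificate, as the page's last command does.
    openssl x509 -in cacert.pem -outform der -out cacert.der
)

# Returns 0 when $1 is a CA certificate allowed to sign certificates and CRLs.
is_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
        printf '%s\n' "$text" | grep -q 'Certificate Sign, CRL Sign'
}

# Returns 0 when $1 is an end-entity TLS server certificate for www.example.jp.
is_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' &&
        printf '%s\n' "$text" | grep -q 'Digital Signature, Key Encipherment' &&
        printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' &&
        printf '%s\n' "$text" | grep -q 'DNS:www.example.jp'
}

# Returns 0 when the server certificate in $1 chains to the CA in $1.
chain_verifies() {
    openssl verify -CAfile "$1/cacert.pem" "$1/servercert.pem" >/dev/null
}

# Stand-alone use: sh build-ca.sh run /tmp/privateca
if [ "${1:-}" = "run" ]; then
    dir="${2:-./privateca}"
    build_private_ca "$dir"
    is_ca_cert "$dir/cacert.pem" && is_server_cert "$dir/servercert.pem" &&
        chain_verifies "$dir" && echo "private CA and server certificate OK in $dir"
fi
```

The two check functions are the point of keeping separate extension sections: the CA certificate passes is_ca_cert and fails is_server_cert, the leaf does the opposite, so a server certificate can never be mistaken for an issuing certificate and a TLS client sees the key usage it expects. cacert.der is what you import into a browser's trust store; cakey.pem stays on the CA host and is not copied to the Squid box.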


One Comment

  1. Admiring the time and energy you put into your site and in depth information you offer.
    It’s good to come across a blog every once in a while that isn’t the same unwanted rehashed material.
    Great read! I’ve saved your site and I’m adding your RSS feeds to
    my Google account.
