Squid Reverse Proxy with Domain Based Virtual Hosting for HTTPS

As the title says, this is the HTTPS version of Squid Reverse Proxy with Domain Based Virtual Hosting for HTTP.

Client (web browser) ⇔(HTTPS)⇔ Squid (reverse proxy) ⇔(HTTP)⇔ backend servers

If, as in the diagram above, only the leg between the client (web browser) and Squid (reverse proxy) is HTTPS (so-called SSL), the configuration is simple.
In any case, nothing can proceed until a public-key certificate (SSL certificate) is installed on Squid (reverse proxy), so I will start with that (skip ahead if you already know how).

1. Building a private CA

[root@CentOS4 ~]# cd /etc/pki/tls/misc/
[root@CentOS4 misc]# ls -la
合計 56
drwxr-xr-x 2 root root 4096 10月  2 01:06 .
drwxr-xr-x 5 root root 4096 10月  2 01:06 ..
-rwxr-xr-x 1 root root 3758  3月  5  2013 CA
-rwxr-xr-x 1 root root  119  3月  5  2013 c_hash
-rwxr-xr-x 1 root root  152  3月  5  2013 c_info
-rwxr-xr-x 1 root root  112  3月  5  2013 c_issuer
-rwxr-xr-x 1 root root  110  3月  5  2013 c_name
[root@CentOS4 misc]# cp -p CA CA-original
[root@CentOS4 misc]# vi CA
[root@CentOS4 misc]# diff -u CA-original CA
--- CA-original 2013-03-05 20:26:13.000000000 +0900
+++ CA  2013-10-04 10:21:20.000000000 +0900
@@ -32,8 +32,8 @@

 if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

-DAYS="-days 365"       # 1 year
-CADAYS="-days 1095"    # 3 years
+DAYS="-days 3650"      # 10 years
+CADAYS="-days 3650"    # 10 years
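Review bot: extending DAYS and CADAYS to 3650 is reasonable for a private CA, but two caveats apply to these lines. CA is a script shipped with the OpenSSL package, so a package update can silently put the 365/1095-day defaults back; keep the diff (or a copy of the edited script) somewhere you can reapply it. A ten-year lifetime also amplifies the cost of a weak key: the ./CA -newca run further down generates a 1024-bit RSA key for this CA, so raising default_bits to 2048 in openssl.cnf before creating the CA belongs in the same change.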
[root@CentOS4 misc]#


[root@CentOS4 misc]# cd /etc/pki/tls/
[root@CentOS4 tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@CentOS4 tls]# cp -p openssl.cnf openssl.cnf-original
[root@CentOS4 tls]# vi openssl.cnf
[root@CentOS4 tls]# diff -u openssl.cnf-original openssl.cnf
--- openssl.cnf-original        2013-03-05 20:26:13.000000000 +0900
+++ openssl.cnf 2013-10-04 10:28:52.000000000 +0900
@@ -175,7 +175,7 @@
 # This goes against PKIX guidelines but some CAs do it and some software
 # requires this to avoid interpreting an end user certificate as a CA.


 # Here are some examples of the usage of nsCertType. If it is omitted
 # the certificate can be used for anything *except* object signing.
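Review bot: this hunk contains only unchanged context. Its header says a 7-line region at line 175 was modified, yet no + or - line appears, so the actual edit was lost from the listing and cannot be reviewed. The comment lines shown are the ones that introduce the setting which decides whether a certificate is interpreted as a CA (basicConstraints), which is exactly what a CA certificate needs set to CA:TRUE. Because the ./CA -newca output further down prints the X509v3 Basic Constraints extension with no value visible, anyone reproducing this should confirm the result with openssl x509 -in /etc/pki/CA/cacert.pem -noout -text and look for CA:TRUE.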
@@ -187,13 +187,13 @@
 # nsCertType = objsign

 # For normal client use this is typical
-# nsCertType = client, email
+nsCertType = client, email

 # and for everything including object signing:
 # nsCertType = client, email, objsign

 # This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+keyUsage = cRLSign, keyCertSign

 # This will be displayed in Netscape's comment listbox.
 nsComment                      = "OpenSSL Generated Certificate"
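Review bot: these two uncommented settings sit in the section whose own comments describe it as the client-certificate profile, and that section is applied to every certificate signed with this configuration, not only to the CA's own certificate. That is why the CA certificate below reports Netscape Cert Type: SSL Client, S/MIME, and it also means a server certificate issued later for Squid would receive keyUsage cRLSign, keyCertSign instead of digitalSignature, keyEncipherment, and nsCertType client rather than server; TLS clients that enforce key usage will reject such a server certificate. Either revert these lines after ./CA -newca has run, or move them into a separate extensions section and select it with the -extensions option of openssl ca only when signing the CA request.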
[root@CentOS4 tls]#


[root@CentOS4 tls]# cd /etc/pki/tls/misc/
[root@CentOS4 misc]# ./CA -newca
mkdir: ディレクトリ `../../CA' を作成できません: ファイルが存在します
mkdir: ディレクトリ `../../CA/private' を作成できません: ファイルが存在します
CA certificate filename (or enter to create) (press Enter only)

Making CA certificate ...
Generating a 1024 bit RSA private key
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase: (enter a passphrase; the typed characters are not echoed)
Verifying - Enter PEM pass phrase: (re-enter the passphrase)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Yamagata
Locality Name (eg, city) [Newbury]:Yamagata-shi
Organization Name (eg, company) [My Company Ltd]:Example Corp.
Organizational Unit Name (eg, section) []: (press Enter only)
Common Name (eg, your name or your server's hostname) []:PrivateCA
Email Address []: (press Enter only)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (press Enter only)
An optional company name []: (press Enter only)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
            Not Before: Oct  4 01:31:14 2013 GMT
            Not After : Oct  2 01:31:14 2023 GMT
            countryName               = JP
            stateOrProvinceName       = Yamagata
            organizationName          = Example Corp.
            commonName                = PrivateCA
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Cert Type:
                SSL Client, S/MIME
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

Certificate is to be certified until Oct  2 01:31:14 2023 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
[root@CentOS4 misc]#


[root@CentOS4 misc]# cd /etc/pki/CA/
[root@CentOS4 CA]# openssl x509 -inform pem -in ./cacert.pem -outform der -out ./cacert.der
[root@CentOS4 CA]# ls -l
合計 92
-rw-r--r-- 1 root root  706 10月  4 10:34 cacert.der
-rw-r--r-- 1 root root 3238 10月  4 10:31 cacert.pem
-rw-r--r-- 1 root root  655 10月  4 10:31 careq.pem
drwxr-xr-x 2 root root 4096 10月  4 10:29 certs
drwxr-xr-x 2 root root 4096 10月  4 10:29 crl
-rw-r--r-- 1 root root   83 10月  4 10:31 index.txt
-rw-r--r-- 1 root root   21 10月  4 10:31 index.txt.attr
-rw-r--r-- 1 root root    0 10月  4 10:29 index.txt.old
drwxr-xr-x 2 root root 4096 10月  4 10:31 newcerts
drwx------ 2 root root 4096 10月  4 10:29 private
-rw-r--r-- 1 root root    3 10月  4 10:31 serial
-rw-r--r-- 1 root root    3 10月  4 10:29 serial.old
[root@CentOS4 CA]#
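Before handing cacert.pem (or cacert.der) to Squid or to browsers, it is worth confirming that the edits to openssl.cnf really produced a CA certificate, since the ./CA -newca output above prints the Basic Constraints line with no value shown. The following POSIX shell helper is an added example, not part of the original post: it assumes only the openssl command-line tool, and the self-signed fixture builder and its file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: check that a CA certificate
# really carries CA extensions before installing it on Squid or in browsers.
# Assumes only the openssl CLI; file names below are placeholders.

# check_ca_cert CERT.pem
# Returns 0 when CERT has Basic Constraints CA:TRUE and a Key Usage that
# includes Certificate Sign (keyCertSign); returns 1 otherwise or on read error.
check_ca_cert() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
    return 0
}

# make_self_signed OUT.pem BASIC_CONSTRAINTS KEY_USAGE
# Test fixture only: builds a throwaway self-signed certificate carrying the
# given extension values, so the check can be exercised without a real CA.
make_self_signed() {
    out=$1; bc=$2; ku=$3
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ext
prompt = no
[ dn ]
CN = PrivateCA-test
[ ext ]
basicConstraints = $bc
keyUsage = $ku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/key.pem" -out "$out" -config "$dir/req.cnf" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage against the CA built in the post (path taken from the post):
#   check_ca_cert /etc/pki/CA/cacert.pem && echo "usable as a CA"
```

A certificate that fails this check has not been signed with CA extensions and will not be accepted as an issuer for the Squid server certificate, even if browsers import it without complaint.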


There is one comment on “Squid Reverse Proxy with Domain Based Virtual Hosting for HTTPS”.

1. Admiring the time and energy you put into your site and in depth information you offer. It’s good to come across a blog every once in a while that isn’t the same unwanted rehashed material. Great read! I’ve saved your site and I’m adding your RSS feeds to my Google account.