The Squid version used in this article's test environment is squid-2.6.STABLE21-6.
Edit Squid's configuration file, /etc/squid/squid.conf. In the configuration below, 192.168.0.10 is the address of the real SSL server (the origin). The path "cert=/usr/newgate/CertAuth/testcert.cert key=/usr/newgate/CertAuth/testkey.pem" is the location of the local certificate and private key that Squid itself presents to clients on port 443; both files are produced in the certificate section further down. Two settings deserve attention before this goes into production. sslflags=DONT_VERIFY_PEER makes Squid accept whatever certificate 192.168.0.10 presents, so the Squid-to-origin leg is encrypted but not authenticated; once the origin's CA certificate is available, drop the flag and point sslcafile= at it. http_access allow all together with cache_peer_access Exchange allow all forwards every request from every client to the origin; the usual restriction for a reverse proxy is a dstdomain acl for the accelerated site, allowed in both directives and followed by deny all. The httpd_accel_* lines are Squid 2.5 directives that were removed in 2.6 and are reported as unrecognised when the file is parsed; the accelerator behaviour here comes from the defaultsite and vhost options on https_port.
acl all src 0.0.0.0/0.0.0.0
https_port 443 cert=/usr/newgate/CertAuth/testcert.cert key=/usr/newgate/CertAuth/testkey.pem defaultsite=mywebsite.mydomain.com vhost
# Third HTTPS peer
cache_peer 192.168.0.10 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=Exchange
cache_peer_access Exchange allow all
http_access allow all
visible_hostname Test
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_reply_access allow all
access_log /var/log/squid/access.log squid
coredump_dir /var/spool/squid
emulate_httpd_log on
log_fqdn on
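The following is an added example, not part of the page or of the Squid project: a small shell lint that reads the access-relevant lines of the configuration above, reports the settings a reviewer would question, and shows a tightened variant beside them. The cache_peer options sslcafile= and ssldomain= and the dstdomain acl are used as documented for Squid 2.6 (confirm with squid -k parse on your build); the origin CA file /usr/newgate/CertAuth/origin-ca.pem and the name on the origin's certificate are hypothetical placeholders, and the embedded configurations are constructed from the page's lines.

```shell
#!/bin/sh
# Added example, not part of the page or of Squid: a small lint for the reverse-proxy
# squid.conf above, run against the page's settings and against a tightened variant.
# Assumptions: cache_peer options sslcafile= and ssldomain= and the dstdomain acl as
# documented for Squid 2.6 (confirm with "squid -k parse"); the origin CA file
# /usr/newgate/CertAuth/origin-ca.pem and the origin certificate name are placeholders.
set -e

WORK=$(mktemp -d)

# Constructed copy of the access-relevant lines of the page's configuration.
cat > "$WORK/weak.conf" <<'EOF'
acl all src 0.0.0.0/0.0.0.0
https_port 443 cert=/usr/newgate/CertAuth/testcert.cert key=/usr/newgate/CertAuth/testkey.pem defaultsite=mywebsite.mydomain.com vhost
cache_peer 192.168.0.10 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=Exchange
cache_peer_access Exchange allow all
http_access allow all
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_reply_access allow all
EOF

# Tightened variant: Squid verifies the origin's certificate against the CA that
# issued it, and only requests for the accelerated site are accepted and forwarded.
cat > "$WORK/hardened.conf" <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl our_sites dstdomain mywebsite.mydomain.com
https_port 443 cert=/usr/newgate/CertAuth/testcert.cert key=/usr/newgate/CertAuth/testkey.pem defaultsite=mywebsite.mydomain.com vhost
cache_peer 192.168.0.10 parent 443 0 no-query originserver login=PASS ssl sslcafile=/usr/newgate/CertAuth/origin-ca.pem ssldomain=mywebsite.mydomain.com name=Exchange
cache_peer_access Exchange allow our_sites
cache_peer_access Exchange deny all
http_access allow our_sites
http_access deny all
http_reply_access allow all
EOF

# Prints one finding per line for the directives a reviewer would question.
audit_squid_conf() {
    while IFS= read -r line; do
        case "$line" in
            *"sslflags="*"DONT_VERIFY_PEER"*)
                echo "origin certificate is not verified (TLS to the backend can be intercepted): $line" ;;
            "http_access allow all"*)
                echo "http_access allow all: any client may send any request through this proxy" ;;
            "cache_peer_access "*" allow all"*)
                echo "cache_peer_access allow all: every request, whatever its Host, is forwarded to the origin" ;;
            "httpd_accel_"*)
                echo "Squid 2.5 directive removed in 2.6 (use the https_port/http_port accel options): $line" ;;
        esac
    done < "$1"
}

# Number of findings, as a plain integer.
finding_count() {
    audit_squid_conf "$1" | wc -l | tr -d ' '
}

echo "findings in the page's config: $(finding_count "$WORK/weak.conf")"
echo "findings in the tightened config: $(finding_count "$WORK/hardened.conf")"
```

Run the script as it is to see six findings for the page's configuration and none for the tightened one; pass any other squid.conf to audit_squid_conf to lint it. The lint is deliberately literal (it matches directive text, not Squid's parsed meaning), so treat a clean result as a starting point, not as proof.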
Certificate configuration
Locate openssl's configuration file and edit it.
# rpm -ql openssl|grep openssl.cnf
/etc/pki/tls/openssl.cnf
# vi /etc/pki/tls/openssl.cnf
>>> Replace the file with the following contents (the CA lives under /usr/newgate/CertAuth; default_md and default_bits are raised from the original md5/1024 to sha256/2048, because MD5 signatures are forgeable and 1024-bit RSA is below current minimums, and modern TLS clients reject both) <<<
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /usr/newgate/CertAuth # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file
new_certs_dir = $dir/certs # default place for new certs
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha256 # which md to use (the original used md5, which is forgeable and rejected by current clients)
preserve = no # keep passed DN ordering
policy = policy_match # request fields not listed in the policy are silently dropped from the issued cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # the original used 1024
default_keyfile = /usr/newgate/CertAuth/private/cakey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Berkshire
localityName = Locality Name (eg, city)
localityName_default = Newbury
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
Create the CA (certificate authority)
# cd /usr
# mkdir newgate; cd newgate
# mkdir CertAuth; cd CertAuth
# mkdir certs; mkdir private
# chmod 700 private
# echo '01' > serial
# touch index.txt
# openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1000
Because of the [ req ] section above, the CA private key is written to /usr/newgate/CertAuth/private/cakey.pem and you are prompted for a pass phrase to encrypt it; that pass phrase is needed again every time a certificate is signed. The Country, State and Organization entered here are the values that policy_match will require, character for character, in every request this CA signs.
Generate the server key and certificate request
# openssl req -newkey rsa:2048 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM -nodes
-nodes leaves testkey.pem unencrypted, which is what Squid needs to load it at startup without a pass phrase; make the file readable only by the account Squid starts as (chmod 600 testkey.pem).
>>> Enter the requested information. Country, State and Organization must be exactly those given for the CA, or the signing step refuses the request; Locality is not listed in policy_match and is silently left out of the issued certificate. The Common Name *.mydomain.com is the wildcard that covers mywebsite.mydomain.com <<<
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:UP
Locality Name (eg, city) [Newbury]:Noida
Organization Name (eg, company) [My Company Ltd]:Pie Dreams
Organizational Unit Name (eg, section) []:Pie Solutions
Common Name (eg, your name or your server's hostname) []:*.mydomain.com
Email Address []:shekharsahab14@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:i am a good boy
An optional company name []: (press Enter)
Sign the certificate
# openssl ca -in testreq.pem -notext -out testcert.cert
>>> You are prompted for the CA pass phrase and asked to confirm; sample output follows. Note that this transcript shows paths under /etc/CertAuth and a Common Name of mydomain.com, which do not match the configuration above: with that configuration expect /etc/pki/tls/openssl.cnf, /usr/newgate/CertAuth/private/cakey.pem and the Common Name entered in the request, *.mydomain.com <<<
Using configuration from /etc/CertAuth/openssl.cnf
Enter pass phrase for /etc/CertAuth/private/cakey.pem:secretcode
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'UP'
localityName :PRINTABLE:'Noida'
organizationName :PRINTABLE:'Pie Dreams'
organizationalUnitName:PRINTABLE:'Pie Solutions'
commonName:PRINTABLE:'mydomain.com'
emailAddress :IA5STRING:'shekharsahab14@gmail.com'
Certificate is to be certified until Oct 18 22:54:31 2007 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Restart Squid for the configuration to take effect; running squid -k parse first reports any directive the build does not accept before the daemon is bounced.
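The CA build, the request and the signing step above, as one added non-interactive script with the checks worth running before https_port is pointed at the files. This is example code, not part of the page: it works in a scratch directory, uses SHA-256 and 2048-bit RSA in place of the page's md5/1024, passes the subject with -subj instead of answering the prompts, and supplies the CA pass phrase "secretcode" on the command line. It also shows two effects of the page's policy_match section that the transcript above does not make obvious: a request whose Organization differs from the CA's is refused, and the Locality in a request is dropped from the issued certificate.

```shell
#!/bin/sh
# Added example, not part of the page: the CA build and wildcard-certificate issuance
# above as one non-interactive script, followed by the checks worth running before
# Squid is pointed at the files. Assumptions (not the page's): a scratch directory,
# SHA-256 and 2048-bit RSA in place of the page's md5/1024, -subj in place of the
# interactive prompts, and the CA pass phrase "secretcode" supplied on the command line.
set -e

WORK=$(mktemp -d)
CA_DIR="$WORK/CertAuth"
CA_PASS="pass:secretcode"

# Minimal openssl.cnf with the sections the page relies on: CA_default,
# policy_match, usr_cert (issued leaf certs) and v3_ca (the self-signed root).
write_openssl_cnf() {
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
new_certs_dir = \$dir/certs
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
EOF
}

# The directory layout the page creates by hand, then the self-signed CA certificate.
build_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    echo '01' > "$CA_DIR/serial"
    : > "$CA_DIR/index.txt"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 1000 -config "$WORK/openssl.cnf" \
        -keyout "$CA_DIR/private/cakey.pem" -passout "$CA_PASS" -out "$CA_DIR/cacert.pem" \
        -subj "/C=IN/ST=UP/O=Pie Dreams/CN=Pie Dreams CA" 2>/dev/null
}

# $1 = subject DN, $2 = file basename. The server key stays unencrypted (-nodes) because
# Squid must load it without a pass phrase; restrict it to the owner instead.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
        -keyout "$CA_DIR/$2.key" -out "$CA_DIR/$2.csr" -subj "$1" 2>/dev/null
    chmod 600 "$CA_DIR/$2.key"
    openssl ca -batch -config "$WORK/openssl.cnf" -passin "$CA_PASS" -notext \
        -in "$CA_DIR/$2.csr" -out "$CA_DIR/$2.cert"
}

# Checks before use: the chain validates against the CA, the private key matches the
# certificate, and the leaf is not itself a CA (usr_cert extensions were applied).
verify_issued_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.cert" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$CA_DIR/$1.cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$CA_DIR/$1.key" -pubout)" ] || return 1
    openssl x509 -in "$CA_DIR/$1.cert" -noout -text | grep -q 'CA:FALSE'
}

# Subject of an issued certificate (RFC 2253 form), to confirm the wildcard CN and to
# see which request attributes survived the signing policy.
issued_subject() {
    openssl x509 -in "$CA_DIR/$1.cert" -noout -subject -nameopt RFC2253
}

write_openssl_cnf
build_ca
# L=Noida is in the request, but localityName is not listed in policy_match, so
# openssl ca silently drops it from the issued certificate.
issue_server_cert "/C=IN/ST=UP/L=Noida/O=Pie Dreams/OU=Pie Solutions/CN=*.mydomain.com" wildcard
verify_issued_cert wildcard
echo "wildcard certificate verified: $(issued_subject wildcard)"
```

The printed subject contains CN=*.mydomain.com and OU=Pie Solutions but no L=Noida. Calling issue_server_cert with O=Other Corp fails in the openssl ca step with a policy error, which is the behaviour to expect from the page's configuration whenever a request's C, ST or O differs from the CA's. The same three checks in verify_issued_cert (chain, key match, CA:FALSE) apply unchanged to testcert.cert and testkey.pem produced by the page's own commands.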
Reference link: http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate