Re: [squid-users] Squid proxy server - Client certificate (reverse proxy)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 01 Feb 2011 09:52:35 +1300

On 01/02/11 09:01, Qvalpro Solutions wrote:
> Hi Amos,
>
> Thanks for the detailed response. I tried configuring Squid, but
> couldn't get it working yet.
>
> Can you please elaborate "You setup Squid as a reverse-proxy and make
> old billing application believe Squid is the Payway system. Usually
> via DNS". Sorry if this sounds dumb.
>
> Steps followed by myself:
> 1. Downloaded Squid 2.7 STABLE8 (reverse proxy with SSL support) and
> installed it in my windows server which has the billing application
> 2. Started the Squid service and stored the Payway's digital
> certificate inside the "payway" directory in C: of the windows server
> 3. Added the following options to the squid.conf file:
> https_port accel defaultsite=https://ccapi.client......./ccapi
> cert=C:\payway\ccapi.pem

defaultsite is the domain name only, i.e. defaultsite=ccapi.example.com

> cache_peer ssl sslcert=C:\payway\ccapi.pem

I presume this works like all the other web API billing systems I've
seen, with the client connecting to you like so?
   client -> billing -> squid -> payway

In which case you would use:
   https_port 443 accel defaultsite=ccapi.example.com sslcert=<something-self-signed>
   cache_peer ccapi.example.com parent 443 0 no-query ssl sslcert=...

to produce:
   client -> billing --(SSL internal unverified)--> squid --(SSL certificate verified)--> payway

The sslcert= for the https_port line can be something self-signed that
the billing system trusts but nobody anywhere else knows about. By
default squid will accept any client who can perform SSL.

If the billing system can be configured to use a proxy for internet
access that is even better, you can remove the http_port line tricks and
just use "http_port 3128" and "never_direct allow all".

OR, you could make the billing->squid section work without SSL at all.
Just make sure the billing system works with http:// URLs and setup
http_port 80 accel defaultsite=.

> 4. Tried to initiate a test transaction from the billing application,
> but it didn't work.
>
> Assumptions made:
> 1. I have stored the Payway related details (aforementioned https URL,
> username, password & Merchant ID for the API) in the billing system
> installed in the windows server. I hope that when the billing
> application tries to process a credit card payment, the proxy will
> automatically take over the transaction.
> 2. I have not added the username/password of the API to the Squid
> configuration. Please let me know if I need to add the details in
> Squid proxy too and if yes, kindly provide me the syntax to be used.
>

For most types of auth you will only need "login=PASS" (exact text) on the
cache_peer line and the credentials at the billing system end point.

> Please let me know if I am going in the right direction.
>
> Thanks,
> KB.
>
> On Fri, Jan 28, 2011 at 11:08 AM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>> On 28/01/11 07:48, Qvalpro Solutions wrote:
>>>
>>> Hi Folks,
>>>
>>> I just started exploring Squid proxy and I am clueless about how to use
>>> Squid in my setup.
>>>
>>> Some background on why I am trying to use the Squid proxy:
>>> I have a billing application installed in a windows server. This
>>> particular billing application uses some proprietary file system,
>>> which cannot be customized. I have purchased a Payway API account
>>> (Payway API is nothing but a payment processing system for credit
>>> cards) for using with the billing application. I just noticed that the
>>> Payway API needs a digital certificate to be installed for processing
>>> the payments. Unfortunately, my billing application doesn't allow any
>>> certificate installation. When I spoke to the billing application
>>> development company and Payway, they suggested that I use the Squid
>>> proxy to work around the problem. I was also told that the Squid proxy
>>> can provide the client certificate.
>>>
>>> As I don't have adequate exposure to setting up proxy servers, I have
>>> the following questions:
>>> 1. Can I install the Squid proxy in the same server where my billing
>>> application is located?
>>
>> Yes.
>>
>> Additional problem though: Windows Squid builds only have experimental SSL
>> support and are limited to squid-2.7 for now.
>>
>> If you need to do this for Windows please contact Guido at Acme Consulting
>> (http://squid.acmeconsulting.it/) for support.
>>
>>
>>> 2. How do I connect the billing application to the Squid Proxy? Do I
>>> need to use some port for this and how am I supposed to connect the
>>> Squid Proxy to the Payway API?
>>
>> You set up Squid as a reverse-proxy and make the old billing application believe
>> Squid is the Payway system. Usually via DNS. Squid handles the rest once
>> requests are arriving nicely to it.
>>
>> Start with this:
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>> it covers the very simple config just to get an accelerator working. Stuff
>> like SSL requires additional config.
>>
>>> 3. How do I install the digital certificate provided by Payway in the
>>> Squid proxy and what format of digital certificate is to be used -
>>> .net or PHP or ASP or something else?
>>
>> Squid uses .PEM format certificates.
>>
>> After doing the setup from your question 2, you configure Squid to use them
>> with additional options on the cache_peer line.
>> Set the "ssl" flag to enable SSL on the link then any of the other ssl*=
>> options as needed by the Payway system.
>>
>> http://www.squid-cache.org/Doc/config/cache_peer/
>>
>> (snipped Q4-6 since they are answered above as well).
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE9 or 3.1.10
>> Beta testers wanted for 3.2.0.4
>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
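The pieces of this thread assembled into one Squid 2.7 squid.conf, as an added example that is not from the thread or the Squid project. Host names, file paths, the 10.0.0.5 billing-server address and the 203.0.113.10 gateway address are constructed placeholders; sslcafile=, ssldomain= and originserver are documented 2.7 options but whether Payway needs them is an assumption to check against the cache_peer documentation linked above.

```conf
# Added example (not from the thread). Squid 2.7 reverse proxy that presents
# the Payway client certificate on behalf of a billing app that cannot.
#   billing --(SSL internal, self-signed)--> squid --(SSL, verified)--> payway

# 1. Listener the billing application connects to. The billing host resolves
#    ccapi.example.com to this Squid (hosts file / internal DNS), so this cert
#    only has to be trusted by the billing host, nobody else.
https_port 443 accel defaultsite=ccapi.example.com cert=C:\squid\etc\internal-self-signed.pem key=C:\squid\etc\internal-self-signed.key

# 2. Upstream gateway. Because Squid runs on the same Windows server as the
#    billing app, a hosts-file override of ccapi.example.com would also hit
#    Squid and create a forwarding loop; so address the peer by its real
#    IP/host (constructed here) and use ssldomain= to verify the certificate
#    name. sslcert=/sslkey= are the Payway-issued client cert and key.
#    login=PASS forwards the billing system's own API credentials unchanged,
#    so no secrets need to be stored in squid.conf.
cache_peer 203.0.113.10 parent 443 0 no-query originserver ssl sslcert=C:\payway\ccapi.pem sslkey=C:\payway\ccapi.key sslcafile=C:\payway\payway-ca.pem ssldomain=ccapi.example.com login=PASS name=payway

# 3. Only the billing server may use this accelerator. Without these rules
#    the listener accepts any client that can complete an SSL handshake.
acl billing_host src 10.0.0.5/32
acl payway_site dstdomain ccapi.example.com
http_access allow billing_host payway_site
http_access deny all

# 4. Every request must go through the peer. never_direct stops Squid from
#    fetching directly, which would silently drop the client certificate.
cache_peer_access payway allow payway_site
cache_peer_access payway deny all
never_direct allow all
```

Check the handshake from the Squid side first (cache.log will report certificate verification failures against the peer) before involving the billing application.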
Received on Mon Jan 31 2011 - 20:52:41 MST