IMPORTANT NOTE: This document only outlines the additional requirements for configuring SSL in a Squid reverse proxy / accelerator. Additional configuration parameters are required for Squid to operate.
Squid expects the certificate in a single PEM-formatted file: the private key first, then the server certificate (the public key), and lastly the CA certificate chain, like so:
-----BEGIN RSA PRIVATE KEY-----
## encoded private key data ##
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
## encoded SSL certificate data ##
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
## encoded CA certificate data ##
-----END CERTIFICATE-----
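An added example, not part of this article: a small POSIX shell helper that builds the combined PEM file in the order described above and checks an existing bundle for the two usual mistakes (blocks in the wrong order, and a missing newline between concatenated files). The file names and the placeholder block contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): build the single PEM file
# that Squid's https_port cert= option expects, in the order the article
# gives (private key, server certificate, CA chain), and sanity-check the
# order of an existing bundle. Needs only POSIX sh and awk.

# build_squid_pem KEY CERT CHAIN OUT   (file names are assumptions)
# Each input is copied through awk so its last line always ends in a
# newline; a plain `cat` of a file lacking one produces
# "-----END RSA PRIVATE KEY----------BEGIN CERTIFICATE-----" on one line,
# which OpenSSL cannot parse.
build_squid_pem() {
    out=$4
    : > "$out"
    for f in "$1" "$2" "$3"; do
        awk '{ print }' "$f" >> "$out"
    done
}

# check_squid_pem FILE
# Returns 0 when FILE has exactly one private key block first, followed by
# one or more CERTIFICATE blocks; otherwise prints the reason to stderr
# and returns 1. The check is structural only (no key/cert matching).
check_squid_pem() {
    awk '
        # END and BEGIN markers on one line: files were joined without a newline
        /-----END [A-Z ]*-----.*-----BEGIN/ {
            if (msg == "") msg = "BEGIN/END markers run together (missing newline between files)"
        }
        /^-----BEGIN .*PRIVATE KEY-----$/ {
            keys++
            if (certs > 0 && msg == "") msg = "private key must come before the certificates"
        }
        /^-----BEGIN CERTIFICATE-----$/ {
            certs++
            if (keys == 0 && msg == "") msg = "first block must be the private key"
        }
        END {
            if (msg == "" && keys != 1) msg = "expected exactly one private key block, found " keys + 0
            if (msg == "" && certs < 1) msg = "no certificate block found"
            if (msg != "") { print "check_squid_pem: " msg > "/dev/stderr"; exit 1 }
        }' "$1"
}
```

The check is purely structural; to confirm the key actually belongs to the certificate, compare the output of `openssl x509 -noout -modulus -in cert.pem` with `openssl rsa -noout -modulus -in key.pem` (the two must match).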
The important Squid configuration directives are "https_port" (which configures what Squid listens on and which certificate it presents) and "cache_peer" (which configures which server Squid passes requests to, and how it passes them).
For "https_port", the configuration looks like the following:
https_port xx.xx.xx.xx:443 cert=/path/to/cert.pem defaultsite=www.symantec.com
In the above example, 'xx.xx.xx.xx' is the IP address of the Squid server, 'cert.pem' is the full certificate chain (and private key) in a single PEM-formatted file and 'www.symantec.com' is the website / common name being secured.
For "cache_peer", the configuration changes depending on whether the web server "behind" the Squid cache has an SSL certificate on it or not:
cache_peer xx.xx.xx.xx parent 80 0 no-query originserver
cache_peer xx.xx.xx.xx parent 443 0 ssl no-query originserver
The first line is needed if the web server has no SSL, the second if it does. In the examples above, 'xx.xx.xx.xx' is the IP address of the web server, 'parent' specifies the relationship between the site and the proxy, '80' or '443' is the port the web server listens on, '0' is the ICP port (0 leaves ICP off), 'ssl' indicates that the connection between the proxy and the site should be encrypted, 'no-query' means that no ICP queries are sent, and 'originserver' tells Squid to accelerate connections for this site.
Outlook Web Access requires additional parameters for "cache_peer" - please see the following examples:
cache_peer xx.xx.xx.xx parent 80 0 no-query originserver login=PASS front-end-https=on
cache_peer xx.xx.xx.xx parent 443 0 ssl no-query originserver login=PASS
As in the earlier examples, the first line is for web servers without SSL and the second for web servers with SSL. The additional options are 'login=PASS', which passes the client's authentication through because the server requires it (this may not be required in every deployment), and 'front-end-https=on', which inserts the Front-End-Https header that OWA expects to see into the HTTP request.