How to configure Squid Reverse proxy to access the VIP Enterprise Gateway Self-Service Portal IDP
Last Updated July 31, 2017
A reverse proxy server is a type of proxy server that inspects, transforms and routes web requests before they reach your web servers. It retrieves resources on behalf of a client from one or more servers and returns the responses to the client as though they originated from the reverse proxy itself. This increases security by hiding your network topology and back-end servers, removing the need for direct internet access to them.
Sample reverse proxy layout:
A reverse proxy server is an alternative to the SSP IdP Proxy that was removed from VIP EG 9.8. Various reverse proxies are available, and individual configurations will vary depending on the product being used. Refer to the reverse proxy software vendor for documentation, installation and configuration assistance. To protect your data and data privacy, Symantec cannot provide third-party installation instructions.
The following are sample general instructions for configuring an Apache Squid proxy for use with Symantec VIP. Please refer to http://www.squid-cache.org/ for additional
An active Apache Squid installation
VIP Enterprise Gateway with the SSP IDP component configured
3. CREATE A WILDCARD SSL CERTIFICATE WITH OPENSSL:
The wildcard certificate is created for your domain (e.g., *.secureproxy.com).
Name the domain in-line as the certificate is created (e.g., *.secureproxy.com).
[demoCA]#openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
Generating a 2048 bit RSA private key
.......................................+++
..................+++
writing new private key to 'cert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) :India
Locality Name (eg, city) [Default City]:Bangalore
Organization Name (eg, company) [Default Company Ltd]:Symantec
Organizational Unit Name (eg, section) :EG
Common Name (eg, your name or your server's hostname) :*.secureproxy.com
Email Address :firstname.lastname@example.org
Add each SSP site to the Squid configuration file. By default, this file is located at /etc/squid/squid.conf. For each site, add a cache_peer entry pointing at the Enterprise Gateway SSP IDP, an acl naming the public hostname, and the access rules that tie them together:
cache_peer <EG SSP IDP Hostname> parent <SSP IDP Port (8233)> 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=<websitename>
acl <sites_server_1> dstdomain websitea.secureproxy.com
cache_peer_access <websitename> allow <sites_server_1>
http_access allow <sites_server_1>
If SSL is used between Squid and the Enterprise Gateway, sslflags=DONT_VERIFY_PEER is useful when the Enterprise Gateway presents a self-signed certificate. Note that this flag disables verification of the Enterprise Gateway's certificate on that connection, so Squid will accept whatever certificate the peer presents.
The dstdomain name must be within the domain for which the wildcard certificate was created earlier.
In this example, websitea.secureproxy.com is used as the dstdomain; it is covered by the wildcard certificate created for *.secureproxy.com. Any dstdomain of the form <name>.secureproxy.com can be chosen.
A sample squid.conf with minimal configuration changes is attached to this article. Notice that the HTTPS reverse proxy is set.
These configuration lines must appear at the top of squid.conf, above all other forward-proxy configuration (e.g., the standard http_access rules). Otherwise, the standard proxy access rules may block access to the accelerated site.
Check that the Enterprise Gateway hostname can be resolved by the Squid reverse proxy.
Ensure each dstdomain is within the domain covered by the wildcard certificate.
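The two checks above (each acl dstdomain must sit inside the wildcard certificate's domain, and browsers treat the "*" as exactly one DNS label) can be scripted before restarting Squid. The following is an added example and not part of this article or the attached squid.conf; the hostnames, the peer name eg-ssp.internal.example and the configuration fragment it scans are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): verify that every "acl ... dstdomain"
# entry in a squid.conf fragment is covered by the wildcard certificate from
# step 3. All hostnames and the fragment below are constructed for illustration.

# wildcard_covers PATTERN HOST
# Returns 0 when a certificate issued for PATTERN (e.g. *.secureproxy.com)
# covers HOST. Browsers apply the one-label rule: the "*" matches exactly one
# DNS label, so a.websitea.secureproxy.com is NOT covered by *.secureproxy.com.
wildcard_covers() {
  pat=$1; host=$2
  case "$pat" in
    \*.*) ;;                                 # leading-label wildcard, handled below
    *) [ "$pat" = "$host" ]; return ;;       # plain name: exact match only
  esac
  suffix=${pat#?}                            # "*.secureproxy.com" -> ".secureproxy.com"
  label=${host%"$suffix"}                    # what is left must be exactly one label
  [ "$label" != "$host" ] || return 1        # suffix absent: host is outside the domain
  [ -n "$label" ] || return 1                # bare "secureproxy.com" is not covered
  case "$label" in *.*) return 1 ;; esac     # two or more labels: not covered
  return 0
}

# check_conf PATTERN   (squid.conf text is read from stdin)
# Prints one verdict per dstdomain; returns 0 only if every dstdomain is covered.
check_conf() {
  want=$1; rc=0
  for h in $(awk '$1 == "acl" && $3 == "dstdomain" { for (i = 4; i <= NF; i++) print $i }'); do
    if wildcard_covers "$want" "$h"; then
      echo "ok        $h is covered by $want"
    else
      echo "MISMATCH  $h is not covered by $want (browsers will reject the certificate)"; rc=1
    fi
  done
  return $rc
}

# Constructed squid.conf fragment in the shape the article uses; the second acl
# deliberately names a two-label host to show the failure case.
SAMPLE_CONF='cache_peer eg-ssp.internal.example parent 8233 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=websitea
acl sites_server_1 dstdomain websitea.secureproxy.com
cache_peer_access websitea allow sites_server_1
http_access allow sites_server_1
acl sites_server_2 dstdomain portal.websiteb.secureproxy.com'

# Against the real file: check_conf "*.secureproxy.com" < /etc/squid/squid.conf
printf '%s\n' "$SAMPLE_CONF" | check_conf '*.secureproxy.com' \
  || echo "fix the acl dstdomain entries before restarting Squid"
```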
4. RESTART THE SQUID REVERSE PROXY
Sample command for restarting the Squid Reverse Proxy: service squid restart
5. CONFIGURE THE VIP ENTERPRISE GATEWAY
Ensure the dstdomain set in Squid (e.g., websitea.secureproxy.com) can be resolved by the VIP Enterprise Gateway.
Ensure the load balancer URL in the VIP Enterprise Gateway SSP configuration page is set to dstdomain (e.g., https://websitea.secureproxy.com).
6. SETUP COMPLETE! TEST THE REVERSE PROXY SETUP
The SSP Login URL will be https://dstdomain (e.g., https://websitea.secureproxy.com)