HTTP to HTTPS endpoint behind Squid using client certificate authentication (layer 7)

Is it possible to bind on HTTP while connecting to an HTTPS endpoint behind a Squid forwarding proxy using Client Certificate Authentication, while using Layer 7 proxy mode?

We have this already working using Apache HTTP server based on:

ProxyTimeout 600
ProxyRequests on
ProxyRemote "*" "http://squid-internet:3128"

<VirtualHost *:80>
  ServerName onloading-proxy-internet-endpoint-a

  Use SSLGeneric

  RequestHeader set CustomHeader "custom_value"
  RequestHeader unset SecretHeader

  SSLProxyMachineCertificateFile /usr/local/apache2/certs/keypair-internet.pem
  SSLProxyMachineCertificateChainFile /usr/local/apache2/certs/chain-internet.pem

  ProxyPass        / https://internet-endpoint-a.net
  ProxyPassReverse / https://internet-endpoint-a.net
</VirtualHost>

We want to replace Apache HTTP server because HAProxy has opentracing support and we need this.

We are using haproxy-2.4-dev15 and the config we came up with is:

frontend onloading-proxy
    bind *:80

    filter opentracing id ot-fe config /usr/local/etc/haproxy/ot.cfg

    use_backend be_ca_verbindingstest if { hdr(host) -i onloading-proxy-internet-endpoint-a }
    default_backend be_default

backend be_ca_verbindingstest
    mode http
    http-request set-header Host internet-endpoint-a.net
    http-request set-uri https://%[req.hdr(Host)]%[path]?%[query]
    option forwardfor header X-Client
    #option 1: Response is 400; No SSL client certificate presented to internet-endpoint-a
    server squid-proxy-internet 10.32.0.29:3128 crt /usr/local/etc/haproxy/certs/keypair-internet.pem ca-file /usr/local/etc/haproxy/certs/truststore-internet-endpoints.pem
    #option 2: Response is 502 service unavailable
    #server squid-proxy-internet 10.32.0.29:3128 ssl crt /usr/local/etc/haproxy/certs/keypair-internet.pem ca-file /usr/local/etc/haproxy/certs/truststore-internet-endpoints.pem

backend be_default
    http-request deny deny_status 400

The next curl test on the HAProxy pod results in a 200:

curl -x http://10.32.0.29:3128 -k -v --key /usr/local/etc/haproxy/certs/internet-keypair.pem --cert /usr/local/etc/haproxy/certs/internet-keypair.pem https://internet-endpoint-a.net/index.php

The whole idea behind this setup is to keep the infrastructure-related stuff (request headers, certificates, routing, etc.) in the onloading proxy service and, by doing so, keep our applications unaware of them and less complex.

Once again, my question is: is this possible and, if so, how?

Asked this question on the mailing list and got this answer:

Question:

Is it possible with HAProxy, to have a frontend which binds on HTTP that refers to a backend that connects to an HTTPS endpoint using Client Certificate Authentication while reaching it via a Squid forwarding proxy?

Answer:

If this requires to send a CONNECT request to Squid, then no as we have not implemented a CONNECT encapsulation for outgoing connections yet. But if you just need to connect to Squid using HTTPS and let it deal with the request, then you should have no issue. Note that I’m pretty sure that Squid supports listening to incoming SSL connections, so even if that’s not what you’re doing, it probably is the right way to proceed.

Hoping this helps,

Willy
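The "CONNECT encapsulation" Willy refers to is what the Apache setup and the curl test above do: a plaintext CONNECT to Squid opens a tunnel, and only inside that tunnel does the TLS handshake (carrying the client certificate) reach the origin. The following Python client is an added example, not code from the thread or from HAProxy, that performs those two layers explicitly so the Squid tunnel and the client-certificate handshake can be checked independently of the proxy software; the host names and PEM paths are assumed placeholders taken from the question.

```python
import socket
import ssl

# Assumed values for illustration only (taken from the question, not verified here).
PROXY = ("squid-internet", 3128)
ORIGIN = ("internet-endpoint-a.net", 443)
CLIENT_KEYPAIR = "/usr/local/etc/haproxy/certs/keypair-internet.pem"   # key + cert, one PEM
TRUSTSTORE = "/usr/local/etc/haproxy/certs/truststore-internet-endpoints.pem"


def build_connect_request(host: str, port: int) -> bytes:
    """Plaintext CONNECT request: this is all that Squid sees of the exchange."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_status(reply: bytes) -> int:
    """HTTP status of Squid's reply to CONNECT, or -1 if the status line is malformed."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return -1
    return int(parts[1])


def read_proxy_reply(sock: socket.socket) -> bytes:
    """Read Squid's header block; nothing else arrives before the client starts TLS."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def fetch_through_squid(path: str = "/index.php") -> bytes:
    """Open the CONNECT tunnel, then run TLS with client-cert auth inside it."""
    ctx = ssl.create_default_context(cafile=TRUSTSTORE)   # verify the origin's chain
    ctx.load_cert_chain(CLIENT_KEYPAIR)                    # present our client certificate
    with socket.create_connection(PROXY, timeout=10) as raw:
        raw.sendall(build_connect_request(*ORIGIN))
        if parse_connect_status(read_proxy_reply(raw)) != 200:
            raise RuntimeError("Squid refused the CONNECT tunnel")
        # Only now does the handshake, and with it the client cert, go to the origin.
        with ctx.wrap_socket(raw, server_hostname=ORIGIN[0]) as tls:
            tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {ORIGIN[0]}\r\n"
                        f"Connection: close\r\n\r\n".encode("ascii"))
            return b"".join(iter(lambda: tls.recv(4096), b""))
```

Compare this with "option 1" in the HAProxy config: a plain-HTTP GET with an absolute `https://` URI sent to Squid asks Squid to fetch the origin itself, so the certificate on the `server` line never reaches the origin, which matches the "No SSL client certificate presented" response reported there.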