Let's Encrypt
On CentOS 7, certbot is packaged in the EPEL repository, so enable that first:
yum -y install yum-utils
yum -y install epel-release
Then install certbot:
yum install certbot
Pound as SSL proxy
Edit /usr/local/etc/pound.cfg and add a Service to the ListenHTTP (port 80) block, before any other Service or redirect, so that ACME HTTP-01 challenge requests are passed to the backend web server on port 8080 that serves the webroot. Pound tries Service blocks in order, and the URL pattern is a POSIX extended regex, so match only the path certbot actually uses:
Service
    URL "^/\.well-known/acme-challenge/"
    BackEnd
        Address 127.0.0.1
        Port    8080
    End
End
Restart Pound (svc -t /service/pound under daemontools, which sends it SIGTERM and lets supervise start it again) and test getting a certificate; --dry-run talks to the Let's Encrypt staging environment and does not save anything to disk:
certbot certonly --dry-run -d test.domain.com --webroot -w /var/websites/private/htdocs
If the dry run fails, fix the Pound config and repeat it; once it passes, request the real certificate:
certbot certonly -d test.domain.com --webroot -w /var/websites/private/htdocs
Pound needs the private key, the certificate and the chain in a single .pem file. Build it next to the files certbot maintains (the live/ directory holds symlinks to the current versions in archive/) and make it readable by root only; running this with a restrictive umask such as 077 avoids the short window in which the file is readable under the default umask before the chmod:
cd /etc/letsencrypt/live/test.domain.com
cat privkey.pem fullchain.pem > combined-for-pound.pem
chmod 400 combined-for-pound.pem
Create the HTTPS listener for Pound. Address is the public IP the proxy listens on; Cert points at the combined file, which Pound loads while it still runs as root, so the 0400 root-owned file is fine. Newer Pound releases also accept Disable TLSv1 and Disable TLSv1_1 if no legacy clients need those protocols:
ListenHTTPS
    Address xxx.xxx.xxx.xxx
    Port    443
    Disable SSLv2
    Disable SSLv3
    Cert "/etc/letsencrypt/live/test.domain.com/combined-for-pound.pem"
    SSLHonorCipherOrder 1
    # OpenSSL cipher string: forward-secret AEAD suites first. The 3DES and
    # plain-RSA entries only exist for very old clients; drop them if you can.
    Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
    Service
        HeadRequire "Host:.*test\.domain\.com"
        BackEnd
            Address 127.0.0.1
            Port    8080
        End
    End
End
Create a deploy hook in /etc/letsencrypt/renewal-hooks/deploy/combine-certs-for-pound.sh to rebuild the combined file and restart Pound after each renewal (Pound does not pick up a new certificate without a restart). Certbot runs deploy hooks only after a successful renewal, with RENEWED_LINEAGE set to the lineage directory under /etc/letsencrypt/live:
#!/bin/sh
set -eu
privkey="$RENEWED_LINEAGE/privkey.pem"
fullchain="$RENEWED_LINEAGE/fullchain.pem"
combined="$RENEWED_LINEAGE/combined-for-pound.pem"
# restrictive umask: the file holds the private key and must never be world-readable
umask 077
cat "$privkey" "$fullchain" > "$combined"
chmod 400 "$combined"
svc -t /service/pound
Make it executable:
chmod ugo+x /etc/letsencrypt/renewal-hooks/deploy/combine-certs-for-pound.sh
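As an added example (not the page's hook and not certbot's or Pound's own code), this is the same deploy hook hardened the way a practitioner would ship it, serving both the manual combine step earlier and the hook above: it checks that the inputs look like exactly one private key and at least one certificate, writes the combined file under a restrictive umask, swaps it in atomically, and restarts Pound only when the content actually changed. The function name combine_for_pound and the RESTART_CMD variable are assumptions introduced here; the sample key and certificate files used to exercise it are constructed stand-ins, not real key material.

```shell
#!/bin/sh
# Added example: hardened Pound deploy hook (not the page's own hook).
# Certbot runs deploy hooks after a successful renewal with RENEWED_LINEAGE
# set to /etc/letsencrypt/live/<name>. RESTART_CMD is an assumption so the
# restart can be swapped out (daemontools default: "svc -t /service/pound").
set -eu

# combine_for_pound LINEAGE_DIR RESTART_CMD
# Builds combined-for-pound.pem (private key first, then leaf + chain) in
# LINEAGE_DIR without ever exposing it world-readable, and runs RESTART_CMD
# only when the file changed. Returns 1 if the inputs do not look like PEM.
combine_for_pound() {
    lineage=$1
    restart_cmd=$2
    privkey="$lineage/privkey.pem"
    fullchain="$lineage/fullchain.pem"
    combined="$lineage/combined-for-pound.pem"
    tmp="$combined.tmp.$$"

    # Sanity checks: exactly one private key block, at least one certificate.
    # A malformed file would otherwise leave Pound with a broken HTTPS listener.
    if [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$privkey")" -ne 1 ]; then
        echo "combine_for_pound: $privkey does not contain exactly one private key" >&2
        return 1
    fi
    if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$fullchain")" -lt 1 ]; then
        echo "combine_for_pound: $fullchain contains no certificate" >&2
        return 1
    fi

    # umask 077 in a subshell: the temp file is 0600 from the moment it exists,
    # so there is no window in which the key is readable by other users.
    (umask 077; cat "$privkey" "$fullchain" > "$tmp")
    chmod 400 "$tmp"

    # Unchanged content (e.g. a hook run that rebuilt the same files): keep the
    # existing file and do not bounce the proxy.
    if [ -f "$combined" ] && cmp -s "$tmp" "$combined"; then
        rm -f "$tmp"
        return 0
    fi

    # rename is atomic: Pound never sees a half-written certificate file.
    mv -f "$tmp" "$combined"
    $restart_cmd
}

# When invoked by certbot, act on the lineage that was just renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    combine_for_pound "$RENEWED_LINEAGE" "${RESTART_CMD:-svc -t /service/pound}"
fi
```

Installed as the deploy hook, this behaves like the short version above but refuses to install a file that does not contain a key, and a renewal that produced identical output leaves Pound untouched.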