SquidGuard is a URL redirector for using blacklists with the proxy software Squid. There are two big advantages to SquidGuard: it is fast and it is free.
Pound SSL Proxy
https://secwise.nl/lets-encrypt-certifcates-and-pound-load-balancer/
Certbot
Install certbot:
yum -y install certbot
Enable automatic renewals:
systemctl enable --now certbot-renew.timer
Create a web directory for the web challenges:
mkdir -p /var/lib/pound/acme/.well-known/acme-challenge
chown nobody:nobody /var/lib/pound/acme
Add the ACME challenge type to Pound's ListenHTTP block in its configuration file /usr/local/etc/pound.cfg:
ListenHTTP
    ACME "/var/lib/pound/acme"
    ...
End
Restart pound:
svc -t /service/pound
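The privkey.pem and fullchain.pem need to be merged for pound. Create /etc/letsencrypt/renewal-hooks/combined-for-pound.sh with:
#!/bin/sh
# Certbot deploy hook: build the single key+chain PEM that pound's Cert directive reads.
umask 077   # create the combined file owner-only, so the key is never briefly world-readable
privkey="$RENEWED_LINEAGE/privkey.pem"
fullchain="$RENEWED_LINEAGE/fullchain.pem"
combined="$RENEWED_LINEAGE/combined-for-pound.pem"
# Private key first, then the certificate chain.
cat "$privkey" "$fullchain" > "$combined"
chmod 400 "$combined"
# Restart pound (daemontools) so it loads the new certificate.
svc -t /service/pound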
Make it executable:
chmod ugo+x /etc/letsencrypt/renewal-hooks/combined-for-pound.sh
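A check that can run on the merged file before pound is restarted, added here as an example and not part of the original page: it confirms the file is owner-only, that the private key comes first with a certificate after it, and that the key actually belongs to the leaf certificate. The function names pem_layout_ok and pem_key_matches are hypothetical, and the second function assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: sanity checks for the combined key+chain PEM used by pound.
# Function names are hypothetical; only POSIX tools and the openssl CLI are used.

# Layout check: owner-only permissions, private key block first,
# and at least one certificate block in the file.
pem_layout_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld -- "$f" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "readable beyond owner: $f" >&2; return 1; }
    first=$(grep -- '^-----BEGIN ' "$f" | head -n 1)
    case $first in
        *"PRIVATE KEY-----") ;;
        *) echo "first PEM block is not a private key" >&2; return 1 ;;
    esac
    # grep -c exits non-zero on a zero count, hence the "|| true".
    certs=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$certs" -ge 1 ] || { echo "no certificate in $f" >&2; return 1; }
}

# Key/certificate match: the public key derived from the private key must
# equal the public key embedded in the first (leaf) certificate.
pem_key_matches() {
    f=$1
    from_key=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Usage inside the hook, before "svc -t /service/pound":
#   pem_layout_ok "$combined" && pem_key_matches "$combined" || exit 1
```

Running both checks before the restart keeps pound on its old, working certificate if a renewal ever produces a truncated or mismatched file.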
Test requesting a cert:
certbot --run-deploy-hooks certonly --webroot -w /var/lib/pound/acme -d [DOMAIN] --dry-run
If it works, do it without the dry run:
certbot --run-deploy-hooks certonly --webroot -w /var/lib/pound/acme -d [DOMAIN]
If it doesn't work, add some debugging options:
certbot --run-deploy-hooks certonly --webroot -w /var/lib/pound/acme -d [DOMAIN] --dry-run --debug-challenges -v
Add the HTTPS directive to /usr/local/etc/pound.cfg:
ListenHTTPS
    Address 1.2.3.4
    Port 443
    Disable SSLv2
    Disable SSLv3
    Cert "/etc/letsencrypt/live/[DOMAIN]/combined-for-pound.pem"
    SSLHonorCipherOrder 1
    Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
    Service
        HeadRequire "Host:.*test1.mydomain.com.*"
        BackEnd
            Address 192.168.1.11
            Port 80
        End
    End
End
Resources
Pound Reverse SSL Proxy for Multiple Servers
Pound, SSL and real Certificates, redux