Re: [SQU] SSL Gatewaying

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Fri, 23 Feb 2001 13:44:02 +1000 (EST)

Hi,

On Thu, 22 Feb 2001, John Castillo wrote:

> seems to me that with the SSL Gatewaying patch, squid understands what to do
> with a https request... essentially it takes the encrypted request, decrypts
> it, then goes along its way to serve as a client to whatever information was
> requested by the browser. so what i guess needs to happen is BEFORE squid
> goes on its way, is it needs to somehow make a client https request to the
> internal https server and grab the data. then decrypt it, and finally
> reencrypt it with the squid cert and back to the browser. does this sound
> right?

Does to me.

>
> when you said DIFFERENT session what did you mean? another squid session?
> how is this setup? i'm sorta lost now... there doesn't seem to be much info
> on stunnel's, sslwraps, or the mailling list regarding this type of setup.

I meant what you described - browser authenticates with proxy over https,
and then proxy authenticates with server over https, giving separate https
"sessions" (probably should have said connections). However I don;t think
squid does this yet.

Don't know sslwraps. I do know of stunnel. It's just like ssh with the -L
or -R options. I'm guessing they'd set it up as follows.

- configure inetd for a connetion on port 443 to exec stunnel
- configure stunnel to connect to internal server

Browser connects to this box on port 443. inetd spawns stunnel which
connects to the internal server. stunnel then reads stdin (from
browser) and writes to other end of tunnel (internal server). There is no
squid/netscape proxy required. You could have squid and stunnel on the
same box and when squid gets a connection it forwards to inetd/stunnel on
localhost (I'd probably dispense with inetd in this case, running stunnel
in standalone mode). Stunnel will connect to the internal server,
encrypting the traffic. Note that this is http encapsulated by stunnel,
not https between squid and internal server.

Mud?

Colin

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Thu Feb 22 2001 - 20:46:56 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:09 MST