Re: [squid-users] HTTPS & Reverse proxy

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 16 Apr 2001 22:45:41 +0200

Adam Lang wrote:
>
> Oh. I was understanding it as:
>
> client -- (https) --> Squid --- (https) ---> origin server
>
> That Squid would be in between a client and a website that was using SSL.

Having a reverse-proxy in the middle not acting as an SSL endpoint is of
very limited use as the proxy cannot "see" the traffic. The proxy will
then technically speaking not be a proxy but a transparent tunnel
forwarding the traffic exactly as-is.

Having a reverse-proxy in the middle acting as a proxy (not tunnel as
above) with SSL on both sides is often a waste of CPU resources on both
the proxy and the origin server. This is because the proxy will both
decrypt and then encrypt the information between the two different SSL
connections. Also SSL credentials from any client certificate cannot be
forwarded to the origin server..

In most accelerator setups the network behind the accelerator is a quite
trusted network, and encryption is not really needed there.

Situation is a lot different if the "accelerator" is used for making a
"point-of-presence" at a remote location, where the backend is in turn
contacted over Internet or other untrusted networks. In such case,
forwarding the requests over a new SSL connection might be wanted. https
forwarding has not yet been implemented in Squid. It shouldn't be a
terribly hard thing to add now, but someone has to do it if it is going
to appear..

--
Henrik Nordstrom
Squid Hacker
Received on Mon Apr 16 2001 - 14:50:54 MDT
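
An added illustration of the first point in the message above (not part of the original post and not Squid code): a Python example contrasting what a pass-through tunnel can parse from the byte stream, which is TLS record headers only, with what an SSL-terminating proxy sees. The function names, the sample request and the stand-in ciphertext bytes are constructed for this example.

```python
import struct

# TLS record-layer content types (RFC 5246 section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def tunnel_view(stream: bytes):
    """What a pass-through tunnel can learn: record framing only.

    Returns ([(type, version, length), ...], unparsed_tail)."""
    records, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record at offset {offset}")
        if offset + 5 + length > len(stream):
            break  # record still incomplete, more bytes expected
        records.append((CONTENT_TYPES[ctype], f"{major}.{minor}", length))
        offset += 5 + length
    return records, stream[offset:]

def endpoint_view(plaintext: bytes):
    """What an SSL-terminating proxy can learn: the HTTP request itself."""
    head = plaintext.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "host": headers.get("host")}

def record(ctype: int, body: bytes) -> bytes:
    """Build one record with a TLS 1.0 (3.1) header; sample-building helper."""
    return struct.pack("!BBBH", ctype, 3, 1, len(body)) + body

# Constructed sample: the same request seen from both positions.
REQUEST = b"GET /account HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Stand-in for ciphertext (no real cipher is run here): opaque bytes of
# roughly the size an encrypted record carrying REQUEST would have.
OPAQUE = bytes((i * 37 + 11) % 256 for i in range(len(REQUEST) + 20))
# Handshake record, one application_data record, then a partial header.
WIRE = record(22, b"\x00" * 64) + record(23, OPAQUE) + b"\x17\x03\x01"

if __name__ == "__main__":
    print(tunnel_view(WIRE))       # framing metadata, no URL or headers
    print(endpoint_view(REQUEST))  # method, target and Host are visible
```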
