Re: [squid-users] SSL<->SSL<->unencrypted, (was: provide external access)

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 20 Mar 2003 23:05:33 +0100

Squid-2.5 can provide SSL acceleration like

clients -- https(SSL) --> Squid -- HTTP --> Web server

Squid-3.0 will also provide https proxy capability on the backend,
allowing

clients --> Squid (decrypted) -- https(SSL) -> Web server

This functionality is also available as a patch to Squid-2.5 from
http://devel.squid-cache.org/

The use of https is also supported on peer proxy connections, allowing

clients --> Squid -- https(SSL) --> Another Squid --> Web server

And in both cases Squid can also optionally present a "client
certificate" to the SSL peer, specified in squid.conf.

Note: proxying of the original client certificate is not possible due to
the man-in-the-middle scenario of these configurations.

Regards
Henrik

mlister wrote:
>
> It's looking as if squid is only intended to use tunnel connections, ie. SSL,
> and that I couldn't do this kind of acceleration/conversion with squid
> alone.
>
> ----- Original Message -----
> From: "mlister" <mailme@triad.rr.com>
> To: <squid-users@squid-cache.org>
> Sent: Thursday, March 20, 2003 2:44 PM
> Subject: [squid-users] SSL<->SSL<->unencrypted, (was: provide external access)
>
> > This is great. I set up an accelerator box and it's working. What I
> > would like to do next is talk SSL between two squid boxes (firewall
> > will be in between them). The communication to the web server from
> > SQUID2 should be unencrypted.
> >
> > [ accelerator ] <--> [ FIREWALL ] <--> [ accelerator ] <--> [ webserver ]
> >      SQUID1      <-SSL->        <-SSL->     SQUID2      <-UNENCRYPTED->
> >                                       <-SSL::UNENCRYPTED->
> >
> > For now, I have two squid boxes running. The FIREWALL is currently not
> > part of the setup for the sake of troubleshooting. SQUID1 is
> > accelerating SQUID2, which in turn is accelerating the webserver. This
> > is working as far as unencrypted communication goes. When I try https
> > from the first squid box, I believe it's trying to do SSL with the
> > webserver, which of course breaks. I added the following line in the
> > configuration:
> >
> > https_port 443 cert=/etc/httpd/ssl.crt/server.crt key=/etc/httpd/ssl.key/server.key
> >
> > on SQUID1.
> >
> > Is this configuration possible? Thanks for any insight from anyone.
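The two-hop layout discussed in this thread (client --SSL--> SQUID1 --SSL--> SQUID2 --HTTP--> webserver), written out as a squid.conf fragment. This is an added illustration, not configuration posted by either participant: it uses the Squid-3 directive forms (`accel`, `originserver`, `cache_peer ... ssl sslcert= sslkey= sslcafile=`) rather than the Squid-2.5 httpd_accel_* style, and every hostname, IP address and certificate path is a placeholder. The http_access rules that every deployment needs are omitted for brevity.

```conf
# --- SQUID1: public-facing accelerator, terminates the client SSL session ---
# Present SQUID1's own server certificate to browsers. (Placeholder paths.)
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/squid1.crt key=/etc/squid/squid1.key

# Forward every request to SQUID2 across the firewall. "ssl" encrypts the
# peer hop; sslcert/sslkey is the optional client certificate Henrik mentions,
# presented by SQUID1 to SQUID2; sslcafile is the CA that SQUID2's server
# certificate must chain to, so SQUID1 does not trust an impostor peer.
# (squid2.internal.example.com and the CA file are assumed names.)
cache_peer squid2.internal.example.com parent 443 0 no-query originserver \
    ssl sslcert=/etc/squid/squid1-client.crt sslkey=/etc/squid/squid1-client.key \
    sslcafile=/etc/squid/internal-ca.crt name=squid2
cache_peer_access squid2 allow all
never_direct allow all

# --- SQUID2: inside the firewall, decrypts and speaks plain HTTP upstream ---
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/squid2.crt key=/etc/squid/squid2.key

# No "ssl" keyword here: the hop to the origin server is unencrypted, which is
# exactly the SSL::UNENCRYPTED conversion asked for. (10.0.0.10 is assumed.)
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=webserver
cache_peer_access webserver allow all
never_direct allow all
```

Two points follow from Henrik's note about the man-in-the-middle nature of this setup. First, each Squid terminates the SSL session in front of it and opens a fresh one behind it, so the certificate the browser sees is SQUID1's, and any certificate SQUID2 sees belongs to SQUID1, never to the end user; application logic that relies on the original client certificate cannot be served through this chain. Second, because SQUID1 and SQUID2 are each full SSL endpoints, the only thing preventing a third host from inserting itself between them is certificate verification on the peer hop, which is why the sslcafile (and, if desired, a client certificate) on the cache_peer line matters more than the mere presence of the ssl keyword.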
Received on Thu Mar 20 2003 - 15:13:23 MST
