Re: [squid-users] SSL<->SSL<->unencrypted, (was: provide external access)

From: mlister <mailme@dont-contact.us>
Date: Mon, 24 Mar 2003 16:33:34 -0500

Henrik, I'm making progress due to your help.

I've set up two squid servers for use as follows:

client->SQUID1->SQUID2->webserver

SQUID1 has the following:
https_port 443 cert=/etc/httpd/conf/ssl.crt/server.crt key=/etc/httpd/conf/ssl.key/server.key

SQUID2 has no SSL configuration.

From the client an SSL connection is established and maintained during
navigation as expected.

How can I determine that communication between SQUID1 and SQUID2 is SSL?

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "mlister" <mailme@triad.rr.com>
Cc: <squid-users@squid-cache.org>
Sent: Friday, March 21, 2003 10:25 AM
Subject: Re: [squid-users] SSL<->SSL<->unencrypted, (was: provide external access)

> Fri 2003-03-21 at 15.39, mlister wrote:
> > Henrik I really appreciate the information you have provided me.
> > I'd like to clarify your last post so that I can then make my next
> > decision:
> >
> > > Squid-2.5 can provide SSL acceleration like
> > >
> > > clients -- https(SSL) --> Squid -- HTTP --> Web server
> >
> > Here, would the clients use SSL? And above, does
> > "HTTP" signify running an httpd daemon on the squid box
> > or is it just showing the HTTP proxy tunnel?
>
> What is written on top of the arrows signifies the protocol used for the
> connection.
>
> In Squid-2.5 acceleration with SSL clients use https(SSL) when speaking
> to Squid and Squid uses plain HTTP when talking to the web server.
>
> > > The use of https is also supported on peer proxy connections, allowing
> > >
> > > clients --> Squid -- https(SSL) --> Another Squid --> Web server
> >
> > again, would the clients be using SSL?
>
> You can actually select any combination.
>
> > > Note: proxying of the original client certificate is not possible due
> > > to the man-in-the-middle scenario of these configurations.
> >
> > I'm thinking this is ok since I only need the certificate to carry
> > through the firewall, after which the SSL communication would need to end
> > internally.
>
> Who needs to know the client certificate? The Squid proxy or the real
> web server?
>
> > Thanks again. I understand that if I have to I can just re-set up my
> > internal server config to run SSL where needed and really simplify this
> > situation. I initially want to see if the option to avoid this exists
> > (will exist).
>
> Everything you need exists.
>
> --
> Henrik Nordstrom <hno@squid-cache.org>
> MARA Systems AB, Sweden
>
Received on Mon Mar 24 2003 - 14:33:40 MST
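
One way to check whether a hop such as SQUID1->SQUID2 is carrying SSL, as an added example that is not part of the original message: capture the first bytes the upstream proxy sends on that connection and classify them as an SSL/TLS ClientHello or a cleartext HTTP request. The function names and the byte strings below are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")

def classify_first_bytes(data: bytes) -> str:
    """Classify the first client-to-server bytes seen on a TCP connection."""
    if len(data) < 6:
        return "unknown"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # SSLv3/TLS record header: type 0x16 (handshake), version 3.x, sane length,
    # and the first handshake message must be a ClientHello (0x01).
    if (ctype == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < length <= 16384 + 2048 and data[5] == 0x01):
        return "tls"
    # SSLv2-format ClientHello: high bit set in the 2-byte length, message
    # type 0x01, then version 0x0002 (SSLv2) or 0x03xx (compatibility hello).
    if data[0] & 0x80 and data[2] == 0x01 and (
            data[3:5] == b"\x00\x02" or data[3] == 0x03):
        return "tls"
    # Cleartext HTTP: a request line is readable on the wire.
    first_line = data.split(b"\r\n", 1)[0]
    if data.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "plain-http"
    return "unknown"

def hops_without_tls(flows: dict) -> list:
    """Return the hops whose first bytes were not recognised as SSL/TLS."""
    return [hop for hop, first in flows.items()
            if classify_first_bytes(first) != "tls"]

# Constructed samples: start of a TLS 1.0 ClientHello, an SSLv2-format
# compatibility hello, and a proxy-style cleartext request.
SAMPLE_TLS = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"
SAMPLE_SSL2 = b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10"
SAMPLE_HTTP = b"GET http://www.example.com/ HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

SAMPLE_FLOWS = {
    "client->SQUID1": SAMPLE_TLS,
    "SQUID1->SQUID2": SAMPLE_HTTP,
}

if __name__ == "__main__":
    for hop, first in SAMPLE_FLOWS.items():
        print(hop, classify_first_bytes(first))
    print("hops without SSL/TLS:", hops_without_tls(SAMPLE_FLOWS))
```
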
