RE: [squid-users] SSL and Reverse Proxy

From: Brad Taylor <btaylor@dont-contact.us>
Date: Fri, 20 Aug 2004 14:14:10 -0400

Because the web page is coded to require and redirect to HTTPS, I can
not terminate at Squid without the development team recoding the page.
That will be done at some point but I would like to test it first with
allowing SSL to the back end server. I see from the FAQ page that I
have these options:

1. The browser opens an SSL connection directly to the origin server.
I do not want this as I want to use the cache for images.

2. The browser tunnels the request through Squid with the CONNECT
request method.
Will caching work with this? How is this set up?

Thanks

-----Original Message-----
From: Chris Perreault [mailto:Chris.Perreault@Wiremold.com]
Sent: Friday, August 20, 2004 9:56 AM
To: Brad Taylor; squid-users@squid-cache.org
Subject: RE: [squid-users] SSL and Reverse Proxy

You could use a private cert, or a commercial one.
Squid needs to be configured with the ssl option. For a simple test you
can type:

openssl req -new -x509 -nodes -keyout squid_key.pem -out squid_cert.pem

to generate a self signed cert. Do this in your squid's etc directory and
then something like:

https_port 443 vhost cert=/path_to_squid/squid/etc/squid_cert.pem key=/path_to_squid/squid/etc/squid_key.pem

We decided not to put SSL on the actual webserver. Traffic between our
site and the end user is encrypted via the SSL so we saw no need to put
an extra burden on the webserver too.

The above is on squid-3, btw.

Chris

 

-----Original Message-----
From: Brad Taylor [mailto:btaylor@Autotask.com]
Sent: Thursday, August 19, 2004 6:20 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] SSL and Reverse Proxy

OK. What cert would I use for the SSL from Squid to the web server? The
same cert? How would this be set up? I can't find any documentation about
how to set up most of the SSL (HTTPS) configuration. I do have The
Definitive Guide, but only a small section about SSL (HTTPS) on page
304.

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Thursday, August 19, 2004 6:12 PM
To: Brad Taylor
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] SSL and Reverse Proxy

On Thu, 19 Aug 2004, Brad Taylor wrote:

> I'm trying to set up Squid as a reverse proxy with SSL. I remember
> seeing a post here that showed the 3 options for SSL reverse proxy but I
> can't find it now. I would like to test without terminating the SSL at
> the Squid box.

You can't. To proxy the SSL needs to be terminated.

What you can do if you do not want to terminate the SSL and have it
running all the way back to the web server is to tunnel the SSL using a
simple TCP plug or NAT/port-forwarding.

> Can I have the cert on both the Squid and IIS web server but when I hit
> the Squid box with https://IP_address_of_squid I get sent to
> https://IP_address_of_IIS_web_server therefore it is not getting
> anything from cache.

This is possible with Squid-3 (or Squid-2.5 with SSL update and a bit of
tinkering).

But please note that in such configuration the SSL is terminated at the
proxy and then a new SSL is opened between the proxy and the web server.

In most configurations this second SSL is not really needed but you have
the choice.

Squid-2.5 (without SSL update) can only terminate SSL connections, acting
as an SSL server. It can not initiate SSL connections.

Regards
Henrik
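The following script is an added example for this thread, not something posted by Chris, Henrik or Brad and not part of Squid itself. It puts the two pieces together: the self-signed test certificate generated the way Chris describes (his openssl command, with -subj and -days added so it runs unattended), and the squid.conf lines for the setup Henrik describes, where SSL is terminated at Squid and a second SSL session is opened from Squid to the origin web server. The directive names (accel, defaultsite, cache_peer ... originserver ssl, sslflags, sslcafile) are the Squid-3.x ones; the host names, paths and 365-day lifetime are constructed for a lab box and are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed cert plus a Squid-3
# accelerator config that terminates SSL and re-encrypts to the backend.
set -e

command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

generate_test_cert() {
    # $1 = output directory (e.g. squid's etc dir), $2 = public host name (CN)
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # Same openssl invocation Chris gives, with a non-interactive subject and
    # an explicit lifetime (assumed 365 days) so it needs no prompts.
    openssl req -new -x509 -nodes -days 365 -subj "/CN=$cn" \
        -keyout "$dir/squid_key.pem" -out "$dir/squid_cert.pem" 2>/dev/null
    chmod 600 "$dir/squid_key.pem"   # the private key must not be world-readable
    # Sanity check: the cert parses and carries the CN we asked for
    openssl x509 -in "$dir/squid_cert.pem" -noout -subject | grep -q "CN *= *$cn"
}

write_squid_ssl_conf() {
    # $1 = cert dir, $2 = public host name, $3 = backend web server, $4 = output file
    dir="$1"; site="$2"; backend="$3"; out="$4"
    cat > "$out" <<EOF
# Terminate the browser's SSL at Squid (Squid-3 accelerator mode).
https_port 443 accel vhost defaultsite=$site cert=$dir/squid_cert.pem key=$dir/squid_key.pem

# Second SSL session from Squid to the origin web server, as Henrik describes.
# DONT_VERIFY_PEER is only acceptable while testing against a self-signed
# backend cert; for production drop it and point sslcafile= at the CA that
# issued the backend's certificate so Squid verifies the server it talks to.
cache_peer $backend parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=backend

# Only the accelerated site is allowed in and routed to that peer.
acl our_site dstdomain $site
http_access allow our_site
cache_peer_access backend allow our_site
cache_peer_access backend deny all
EOF
}

# Usage on a lab box (constructed names):
#   sh this.sh /usr/local/squid/etc www.example.com 10.0.0.5
if [ $# -eq 3 ]; then
    generate_test_cert "$1" "$2"
    write_squid_ssl_conf "$1" "$2" "$3" "$1/squid.conf"
    echo "wrote $1/squid.conf"
fi
```

Because the cache sits between the two SSL sessions, responses from the backend are cacheable exactly as in a plain-HTTP accelerator, which is what a tunnelled (CONNECT or TCP-plug) setup cannot give you: with a tunnel Squid never sees the HTTP inside.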
Received on Fri Aug 20 2004 - 12:14:11 MDT
