[squid-users] SSL reverse proxy/*caching* of SSL encrypted website

From: Reuben Farrelly <reuben-squid-users@dont-contact.us>
Date: Tue, 21 Dec 2004 22:25:19 +1300

Hi,

One of our customers at work is requesting changes to speed up access to
their intranet website, which is hosted in another country and has some
fancy SAP application running behind it. They already have a Squid proxy
running 2.5STABLE1 (will upgrade to STABLE7) which is currently a forward
proxy to clients connecting into their network. Clients to the corporate
intranet website

Their request involves changes to create a setup like this:

Origin website (Serves https)
               |
               |
Squid proxy (Serves https to clients and requests https to origin servers)
               |
               |
Client browser (requests https)

The contraints are that as the clients are unmanaged we cannot alter the
config of them easily. However we can get the SSL certificates that are
used to sign the site, and have control of DNS (thinking maybe we could
forge the identity of the origin box, just for this local
network). Someone not so clever in another country who hosts the web site
has also decided that the entire site, graphics, html and everything is all
https encrypted, bit of a silly idea but I have no control over
it. Obviously the SAP backend contents will not be cacheable but
hopefully the rest of the site should be.

Choices are to use the apache proxy module (somehow) or better still,
squid. Given they already have one installed, untuned and working, it
would be good to be able to reuse it and not bring another box into the
network with all the associated change control and reconfig etc.

The big question is, will squid be able to retrieve *and* cache any of the
content even if it is setup to run SSL to the clients, and SSL to the
origin web server? ie is the content at any point completely decrypted and
cacheable? There is no point in me suggesting this setup if squid cannot
do this sort of caching...the clients might as well have their connections
as per normal through the forward proxy using the CONNECT method to talk to
the origin server.

What patches are recommended to 2.5STABLE7 for this - I'm a bit wary of
squid-3 even though it appears to have better SSL support and config
directives seem to fit more with what I'm looking to do..

Documentation on this particular combination of circumstances seems to be a
bit sparse, unfortunately :(

Thanks,
Reuben
Received on Tue Dec 21 2004 - 02:25:17 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:02 MST