Re: [squid-users] SSL reverse proxy/*caching* of SSL encrypted website

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 22 Dec 2004 01:57:50 +0100 (CET)

On Tue, 21 Dec 2004, Reuben Farrelly wrote:

> Their request involves changes to create a setup like this:
>
> Origin website (Serves https)
> |
> |
> Squid proxy (Serves https to clients and requests https to origin servers)
> |
> |
> Client browser (requests https)

This requires either Squid-3, or Squid-2.5 + SSL update patch and some
tweaking.

With Squid-3 it is a fairly straightforward setup:

   https_port to make Squid listen for client requests
   cache_peer to make Squid forward to the web server

What won't be possible with a setup like this is the use of client side
certificates for authentication to the application server, but pretty much
anything else imaginable is possible.

> The constraints are that as the clients are unmanaged we cannot alter the
> config of them easily. However we can get the SSL certificates that are used
> to sign the site, and have control of DNS (thinking maybe we could forge the
> identity of the origin box, just for this local network).

Good plan.

> What patches are recommended to 2.5STABLE7 for this - I'm a bit wary of
> squid-3 even though it appears to have better SSL support and config
> directives seem to fit more with what I'm looking to do..
>
> Documentation on this particular combination of circumstances seems to be a
> bit sparse, unfortunately :(

Squid-2.5 is not intended to be used like this. The standard release lacks
the capability of initiating ssl connections, and even with the SSL patch
it lacks a bit of flexibility in how to configure reverse proxies to make
the setup reasonable.

In Squid-3 there is not much to say about it as it is just a standard
reverse proxy configuration with https on both sides and there should not
be any major problems figuring out the required configuration from the
squid.conf documentation and release notes.

As you already figured out you need a good server certificate (+ key) to
give to Squid to accept the https requests.

Regards
Henrik
Received on Tue Dec 21 2004 - 17:57:54 MST
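A minimal Squid-3 squid.conf for the setup Henrik describes (https_port in front, cache_peer with ssl to the origin), added here as an illustration and not taken from the thread or from the Squid project; the hostnames, certificate paths and the CA bundle are placeholders. The server certificate must be issued for the name the clients resolve, which in this thread is the origin's own name pointed at Squid through the local DNS.

```conf
# Accept HTTPS from clients as an accelerator (reverse proxy).
# cert/key: the certificate for the name clients connect to (placeholder paths).
https_port 443 accel defaultsite=www.example.com vhost cert=/etc/squid/ssl/www.example.com.crt key=/etc/squid/ssl/www.example.com.key

# Forward to the origin over HTTPS. 'originserver' marks it as the content source,
# not another proxy. Verify the origin's certificate against a CA bundle and check
# the name on it (sslcafile/ssldomain) rather than using sslflags=DONT_VERIFY_PEER,
# which would let anything answering on port 443 impersonate the origin.
cache_peer origin.example.com parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ssl/origin-ca.pem ssldomain=origin.example.com name=origin

# Serve only the accelerated site and route it only to the named origin peer;
# refuse everything else so the proxy cannot be used as an open relay.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access origin allow our_site
cache_peer_access origin deny all
```

Content served this way is cacheable under Squid's normal rules, so the origin's Cache-Control headers decide what is stored for other clients on the local network.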