Re: [squid-users] HTTPD reverse proxy

From: Matus UHLAR - fantomas <uhlar@dont-contact.us>
Date: Wed, 12 Oct 2005 14:14:21 +0200

> > There's no reason for squid to forward request as https, unless the network
> > between squid and server is untrusted. But in such case, there's usually no
> > need for using squid.

On 12.10 13:27, Joost de Heer wrote:
> I disagree. For one customer, we provide reverse proxy functionality
> (although it's not Squid). The customer is divided into smaller fractions,
> some of which don't trust the rest. So they want the internal traffic to
> go via https too.

What exactly don't you agree with? That "unless" or "usually"?

> Because the backend network is a private WAN, we do need the reverse proxy
> on the DMZ to publish the site.

You didn't describe the network structure and logic deeply enough.

However, what I am repeating here is that the difference between this:

client ====> server
       HTTPS

and this:

client ====> proxy ====> server
       HTTPS       HTTPS

network structure is that the second one has one more weak place - the proxy.
Although the second structure CAN work and possibly DOES work somewhere,
it MAY be just a result of a wrong decision or implementation.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
How does cat play with mouse? cat /dev/mouse
Received on Wed Oct 12 2005 - 06:14:24 MDT
