Re: [squid-users] Squid conf in HTTP and HTTPS mode

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 18 Jul 2008 14:10:05 +1200

Karandeep Malik wrote:
> Hi,
>
> I wish to configure squid in such a way that the client should be able
> to authenticate proxy by Basic/Digest/NTLM. It should accept HTTP and
> HTTPS requests on different ports. I am confused about how to enable
> both simultaneously. I saw some examples using https_port but I got
> none working so... My Squid version is 2.6 stable 10

Those examples are for reverse-proxies, which occasionally need to
handle termination of HTTPS requests on behalf of accelerated web servers.

>
> From squid doc I got to understand that there are two ways of Client
> -> Proxy -> Server connection
>
>
> 1) Client connects with Proxy at https port. Proxy tunnels the request
> to server without modifying the messages, through the connect method.
> And client server exchange certificates.

This is default standard proxy. Nothing special needs to be done to
squid. Client browser must be configured to use proxy for HTTPS traffic.

> 2) Client connects to Proxy at https port. Proxy and client have
> exchange of certificates. And an ssl connection is established between
> the two. Now, Proxy modifies the request and establishes the
> connection between the Proxy and Server by exchange of certificates
> between the two.

This is the reverse-proxy method.

>
> I would request any working - squid.conf - config lines, if possible.
>

To mix the two modes, just set up multiple port entries and keep two sets
of access controls in squid.conf.
Let me get this straight: you do actually want Squid to act as a
standard proxy for internal clients getting out, and as a reverse-proxy
for remote clients visiting your local website?

The reverse-proxy access controls are usually allowing global access to
the site, so they must go at the top of all access controls.

The standard proxy config is usually much more restrictive to keep
control of internal users. So those access controls must go at the end
after the last reverse-proxy ones.

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Received on Fri Jul 18 2008 - 02:09:57 MDT
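
The following squid.conf sketch is an added example, not part of the original message and not taken from the Squid project: it shows the ordering described in the reply, with the reverse-proxy access controls first and the restrictive standard-proxy controls last. It assumes Squid 2.6 syntax; every hostname, address, file path and ACL name is a placeholder.

```conf
# Constructed example; all hosts, addresses, paths and ACL names are placeholders.

# --- One listening port per mode ---
# Standard forward proxy for internal clients (HTTPS goes through CONNECT).
http_port 3128
# Reverse proxy: Squid terminates HTTPS on behalf of the web server.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/site.pem key=/etc/squid/site.key

# --- Origin server behind the reverse proxy ---
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=site_backend

# --- Proxy authentication for internal users (Basic shown) ---
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Internal proxy
auth_param basic children 5

# --- ACL definitions ---
acl all src 0.0.0.0/0.0.0.0
acl our_site dstdomain www.example.com
acl accel_port myport 443
acl lan src 192.168.0.0/255.255.0.0
acl authed proxy_auth REQUIRED
acl SSL_ports port 443
acl CONNECT method CONNECT

# --- 1. Reverse-proxy rules go FIRST ---
# http_access stops at the first matching line, so the globally
# reachable site must be allowed before any LAN/auth restriction.
http_access allow our_site
# Anything else arriving on the public HTTPS port is refused, so the
# reverse-proxy port cannot be used to relay to other destinations.
http_access deny accel_port
cache_peer_access site_backend allow our_site
cache_peer_access site_backend deny all

# --- 2. Standard-proxy rules go LAST ---
# CONNECT tunnels only to SSL ports; only authenticated LAN clients get out.
http_access deny CONNECT !SSL_ports
http_access allow lan authed
http_access deny all
```

If the two `http_access` groups were swapped, remote visitors would fall through to `deny all` before the `our_site` rule was ever evaluated. Running `squid -k parse` checks the file's syntax before a reload.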
