Re: [squid-users] Using Squid as a reverse-proxy to SSL origin?

From: Todd Lainhart <tlainhart_at_gmail.com>
Date: Thu, 16 Oct 2008 10:56:18 -0400

Thank you, Amos and Henrik. I'll be testing this in 2.7/Stable 4 - I
assume that's OK (no significant fixes in 3.0 in this area that I
should take advantage of)?

Could I do the same thing with SSL to the reverse proxy? That is, the
reverse proxy is the endpoint for the client, gets the creds, becomes
the endpoint for the server, decrypts and caches the origin response,
and then serves cached content encrypted back to the client? I would
guess this falls into man-in-the-middle style ugliness, is
out-of-bounds for SSL and so wouldn't be supported. But then again I
was wrong about my original use-case not being supported :-) .

  -- Todd

On Thu, Oct 16, 2008 at 6:15 AM, Henrik Nordstrom
<henrik_at_henriknordstrom.net> wrote:
> On ons, 2008-10-15 at 16:42 -0400, Todd Lainhart wrote:
>> I've looked in the archives, site, and Squid book, but I can't find
>> the answer to what I'm looking to do. I suspect that it's not
>> supported.
>
> It is.
>
>> My origin server accepts Basic auth over SSL (non-negotiable). I'd
>> like to stick a reverse proxy/surrogate in front of it for
>> caching/acceleration, and have it accept non-SSL connections w/ Basic
>> auth, directing those requests as https to the origin. The origin's
>> responses will be cached, to be used in subsequent GETs to the proxy.
>> Both machines are in a closed IP environment. Both use the same
>> authentication mechanism.
>
> The basic setup is a plain reverse proxy.
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-7fa129a6528d9a5c914f8dd5671668173e39e341
>
> As the backend runs https you need to adjust the cache_peer line a bit
> to enable ssl (port 443, and the ssl option).
>
> When authentication is used you also need to tell Squid to trust the web
> server with auth credentials
>
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-c59962b21bb8e2a437beb149bcce3190ee1c03fd
>
>> I see that Squid 3.0 has an "ssl-bump" option, but I don't think that
>> does what I described. If it does, that's cool - I can change the
>> requirement of the proxy to accept Basic/SSL.
>
> sslbump is a different thing. Not needed for what you describe.
>
>
> But you may need to use https:// to the reverse proxy as well. This is
> done by using https_port instead of http_port (and requires a suitable
> certificate).
>
> Regards
> Henrik
>
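The configuration Henrik outlines (plain reverse proxy, cache_peer adjusted for an https origin, credentials forwarded to the backend, and the https_port variant from his last paragraph), written out as an added squid.conf fragment that is not part of the thread. It assumes Squid 2.7 built with SSL support, origin.example.com as the origin host name that clients also use to reach the proxy, and placeholder certificate and CA file paths:

```conf
# Added example squid.conf fragment for the thread's setup (not from the thread).
# Assumptions: origin.example.com is the HTTPS origin and the name clients use
# for the proxy; the cert/key/CA file paths below are placeholders.

# Variant 1: clients speak plain HTTP with Basic auth to the proxy.
http_port 80 accel defaultsite=origin.example.com

# Variant 2: clients speak HTTPS to the proxy as well (https_port instead of
# http_port); needs a certificate issued for the name the proxy answers to.
https_port 443 accel defaultsite=origin.example.com \
    cert=/etc/squid/proxy.crt key=/etc/squid/proxy.key

# The backend runs https: port 443 plus the ssl option.
# login=PASS forwards the client's Basic credentials to the origin, i.e. it
# tells Squid to trust the web server with the auth credentials.
# sslcafile makes Squid verify the origin's certificate against a known CA;
# avoid sslflags=DONT_VERIFY_PEER here, since the proxy would then forward
# the credentials to whatever answers on port 443 for that name.
cache_peer origin.example.com parent 443 0 no-query originserver \
    ssl sslcafile=/etc/squid/origin-ca.pem login=PASS name=origin

# Only requests for the accelerated site are accepted and sent to this peer.
acl origin_site dstdomain origin.example.com
cache_peer_access origin allow origin_site
cache_peer_access origin deny all
http_access allow origin_site
http_access deny all
```

Note that Squid will not store a response to a request carrying an Authorization header unless the origin explicitly marks it cacheable (for example Cache-Control: public), so the caching part of the setup depends on the origin's response headers.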
Received on Thu Oct 16 2008 - 14:56:30 MDT