Re: [squid-users] Proxy and cache of SSL with client auth?

From: Justin Binns <jbinns_at_tap.tv>
Date: Wed, 20 May 2009 11:35:41 -0500

I had thought of this as a forward-proxy, because the clients and the
proxy server are all on the same network, and the proxy is providing
caching for the clients. The purpose of this is to reduce bandwidth -
let me provide a more thorough concrete description of the application.

We distribute large files to facilitate our application. These are
media files, mostly, and therefore static. When we install several
clients in the same customer location, each one would normally fetch
these files, thereby multiplying the amount of traffic on the customer's
internet connection by the number of client boxes installed. We want to
avoid this, and so we are investigating methods for having one box cache
the content, with the other clients fetching it from the local cache.
One of the methods we are investigating is squid, which appeared to
provide what we needed with very little change to our existing clients
or servers. I believe this is the poster child for forward-proxy /
cache configurations, except for the SSL wrinkle....

Thanks in advance for any help ;-)

Justin

Amos Jeffries wrote:
>> This may sound insane, but here goes. I've got a file distribution
>> system that relies on client certificate authentication through SSL
>> (https) to authenticate clients prior to delivery of files. Typical
>> apache with ssl and client cert setup. I have reached a situation,
>> however, where it would be convenient to create a tiered system of
>> caches of said files. My thought was to use squid to do this as follows:
>>
>> Server stays the same - requires client cert to return a file.
>>
>> Squid proxy is set up on a box with a valid client cert, setting up
>> sslproxy_* to point to valid client certs. Squid is also configured
>> with https to require client certs for connection to Squid (this last
>> part is less important - the clients in this particular setup are
>> actually on a private network that is not considered at risk). When the
>> client makes a request for a file, squid makes the request using its
>> authorized cert, and then serves the file down-stream.
>>
>> From my initial reading of the squid configs and documentation I could
>> find, it seemed like this would be possible. I have tried it, and it
>> doesn't seem to be working. I get the (apparently common) SSL 'CONNECT'
>> error:
>>
>>> clientNegotiateSSL: Error negotiating SSL connection on FD 11:
>>> error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
>>> (1/-1)
>> Is what I'm trying to do even possible with Squid? I'm using version
>> 2.6.STABLE6 on Centos 5.2. I'd be happy to send my squid configs if
>> that'd help. Any help would be appreciated ;-)
>>
>> Justin Binns
>>
>
> Are you using squid as a regular forward-proxy? or as a reverse-proxy/CDN
> for this system?
>
> Amos
>
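The setup the thread describes, sketched as a squid.conf fragment. This is an added illustration, not a config posted by anyone in the thread; every path, port and network below is a placeholder.

```conf
# Added example: squid.conf sketch of the forward-proxy-with-client-cert setup
# described in the thread. Paths, ports and networks are placeholders.

# Listen for the local clients over TLS. cert=/key= are the proxy's own server
# certificate and key; clientca= makes Squid request a client certificate
# issued by the named CA from each connecting client.
https_port 3129 cert=/etc/squid/proxy-cert.pem key=/etc/squid/proxy-key.pem clientca=/etc/squid/customer-ca.pem

# The "sslproxy_*" directives from the thread: the client certificate and key
# Squid presents when it opens an SSL connection to the origin server itself,
# and the CA it uses to verify the origin server's certificate.
sslproxy_client_certificate /etc/squid/squid-client-cert.pem
sslproxy_client_key /etc/squid/squid-client-key.pem
sslproxy_cafile /etc/squid/origin-ca.pem

# Disk cache sized for large, static media files.
cache_dir ufs /var/spool/squid 20000 16 256
maximum_object_size 512 MB

# Only the customer's LAN (placeholder range) may use the proxy.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
```

The OpenSSL error quoted in the thread ("https proxy request" from SSL23_GET_CLIENT_HELLO) is raised when the first bytes on the TLS port are a plain-HTTP "CONNECT" request rather than a TLS handshake, i.e. the client is treating the port as an ordinary HTTP proxy. The sslproxy_* directives only take effect on SSL connections Squid opens itself; a CONNECT tunnel is relayed opaquely, so its contents are never cached.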
Received on Wed May 20 2009 - 16:35:45 MDT

This archive was generated by hypermail 2.2.0 : Thu May 21 2009 - 12:00:01 MDT