Re: [squid-users] Different SSL keys for different accelerated hosts

From: Brian Mearns <bmearns_at_ieee.org>
Date: Sun, 22 Nov 2009 21:52:09 -0500

On Sun, Nov 22, 2009 at 8:57 PM, Henrik Nordstrom
<henrik_at_henriknordstrom.net> wrote:
> Sun 2009-11-22 at 14:44 -0500, Brian Mearns wrote:
>> I'm using squid as a reverse proxy for both secure and non-secure
>> connections to an origin server with several name-based vhosts. Is
>> there any way to have squid present a different certificate (to
>> clients) depending on which host the client is trying to reach,
>> without having it listen on multiple ports? For instance, I can do
>> this on my origin server using the SNI extension to TLS. Does squid
>> offer any such capabilities, or is there another good workaround for
>> this?
>
>
> Squid does not yet support SNI.
>
> Proposed solution: Add SNI support to Squid.
>
> Regards
> Henrik
>
>

Fair enough, thank you.

For others' reference, my planned workaround is to just use another
proxy front end that supports SNI (probably just a bare-bones
installation of Apache), and just use it as a reverse proxy for squid.
With SNI support, my front end can use name-based virtual hosting, and
then reverse-proxy each to a different port, so I can use separate
https_port directives in squid for each host (and therefore use a
different cert for each). Hopefully this doesn't add too much delay to
the line, so if anyone has any suggestions, they would certainly be
welcome.

-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
Received on Mon Nov 23 2009 - 02:52:36 MST
