RE: [squid-users] SOAP client with no SSL client-certificate features

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 21 Apr 2010 23:16:05 +0000

On Wed, 21 Apr 2010 10:01:27 +0200, "D.Veenker" wrote:
> That sounds promising. And also thanks for the tips concerning the
> correct cache-headers
>
> ** Let's assume the SOAP-client can only use unencrypted http, but the
> webservice does only accept https requests. In which Squid configuration
> setting do I have to set the translation from http to https? Or, how
> does Squid know which URLs or domains it has to transfer to https with
> client certificates?

This is the reason absolute URLs are passed in the request line. They
start with a protocol scheme ftp://, http://, https:// and the proxy uses
that to tell which server protocol to use to fetch the data.

Proxy requests are formatted like so:

  GET https://example.com/foo HTTP/1.1
  Host: example.com
  ...

Different to normal web server requests, which start with:

  GET /foo HTTP/1.1
  Host: example.com
  ...

>
> ** In which configuration setting do I have to mention the location of
> the client certificates?

The sslproxy_* options.
 http://www.squid-cache.org/Doc/config/

Amos

>
> -----Original message-----
> From: Amos Jeffries
> Sent: Wednesday 21 April 2010 1:07
>
> On Tue, 20 Apr 2010 23:25:59 +0200, "D.Veenker" <dv_at_veenker.tk> wrote:
>> I am running into the following problem and I think Squid might be just
>> the solution I am looking for. But I'm not sure about it.
>>
>> We are developing an application consuming a SOAP-webservice. The
>> platform we are developing on (4D) does not support SSL with client
>> certificates. It does support the regular HTTPS features though.
>>
>> So I was wondering if Squid could help me out, and proxy a regular
>> plain-http (or https) request from this newly made application to the
>> webservice implementing the SSL connection with client certificates.
>>
>> Let's say the url of the webservice is:
>> https://webservice.domain.com/methods
>> From this developed 4D-application I'd like to connect to
>> http://webservice.domain.com/methods and let Squid do all the SSL
>> features using client certificate authorization.
>>
>> Situation:
>> Application not capable of SSL with client certificates -->> plain
>> HTTP-request -->> Squid (+ client certificate provided by webservice
>> company) -->> HTTPS request with client certificate -->> SSL Webservice
>>
>> And of course vice-versa, but I assume you already guessed that. The
>> certificates are formatted as .der documents, but I guess I can
>> overcome the problem when squid does only support a particular format
>> by converting the certificate.
>>
>> ** Is this type of proxying possible using Squid?
>
> Yes.
>
>> ** How do I configure such a situation in Squid?
>
> Simply make sure the HTTP requests sent through Squid contain full
> absolute URLs starting with https://.
>
> There are some other details such as the difference between Proxy-*
> headers and their regular client->server "normal" versions.
>
>
>> ** What elements need to be compiled with Squid to get these features
>> implemented?
>
> Nothing special. The defaults are fine.
>
>>
>> To be honest I'm a total rookie to Squid so I might need some specific
>> help, on the other hand not too lazy to get through some docs when you
>> point me in the right direction. And last but not least, I have a
>> strong wish to run Squid on a debian server.
>
> http://wiki.squid-cache.org/ has almost everything you need for playing
> with Squid.
>
>
> PS: Just a mention. Check your SOAP underlayer. A lot of SOAP systems
> use POST requests which are not cacheable when they should be using GET
> requests which are. Tools that use REST HTTP seem to be better IME when
> going through any proxies.
>
> Amos
Received on Wed Apr 21 2010 - 23:16:11 MDT
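
The two request forms contrasted in the reply above, as an added example that is not part of the original thread and is not Squid's code: a Python sketch of how a forward proxy can read the request line to pick the upstream protocol. The function name `classify_request` and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample requests, mirroring the two forms shown in the thread.
PROXY_FORM = b"GET https://example.com/foo HTTP/1.1\r\nHost: example.com\r\n\r\n"
ORIGIN_FORM = b"GET /foo HTTP/1.1\r\nHost: example.com\r\n\r\n"


def classify_request(raw: bytes) -> dict:
    """Parse an HTTP/1.x request head and report how a forward proxy would route it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if target.startswith("/"):
        # Origin-form: no scheme in the request line, so nothing tells the
        # proxy whether the upstream leg should be http or https.
        return {"form": "origin", "method": method, "scheme": None,
                "host": headers.get("host"), "port": None, "path": target}

    url = urlsplit(target)
    scheme = url.scheme.lower()
    if scheme not in DEFAULT_PORTS or not url.hostname:
        raise ValueError(f"unsupported request-target: {target!r}")
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    # Absolute-form: the scheme selects the upstream protocol. With https the
    # proxy opens the TLS session itself; the client-to-proxy leg stays as
    # whatever the client used to reach the proxy (plain HTTP here).
    return {"form": "absolute", "method": method, "scheme": scheme,
            "host": url.hostname, "port": url.port or DEFAULT_PORTS[scheme],
            "path": path}


if __name__ == "__main__":
    for sample in (PROXY_FORM, ORIGIN_FORM):
        print(classify_request(sample))
```
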
