Re: [SQU] SSL and transparent (or host acceleration) mode?

From: Henrik Nordstrom <[email protected]>
Date: Thu, 07 Sep 2000 21:37:12 +0200

C. Regis Wilson wrote:

> I want to proxy requests for an internal web server via SSL only (our normal,
> non-SSL pages are hosted externally). So, I want something like this (running
> solaris on the Squid server, version 2.3STABLE2, by the way):

Squid is not a SSL proxy.

> external browser <-via SSL-> squid proxy <-via SSL-> internal server

I don't think you actually wants this. It would bring a heavy
encryption/decryption burden on Squid, and make it impossible for the
browsers to truly verify the identity of the server (only the Squid
server they are talking to), and also makes it impossible to use client
certificates.

> By the by, it's running safely with the TIS plug-to, so I know the
> port connections are correct and everything runs smoothly. However,
> the internal server is running Microblows IIS, the most horibble,
> despicable, least secure and vile of all software running on this
> planet (followed closely by the operating system Winclose NT itself).
> I do NOT want people talking to the Microsucks IIS server directly;
> even if it's via sanitised TCP.
>
> Any ideas or suggestions?

Ok, so you do actually want to HTTP proxy SSL requests to be able to
filter the requests. This is possible by using a modified Squid running
as a SSL enabled accelerator

external browser <-via SSL-> SSL enabled Squid cache <-via HTTP-> origin
server

In this setup the Squid server is the SSL endpoint the browsers connect
to. The proxy then unencrypts and verifies the requests before being
forwarded to the origin server, and also caches the traffic.

See http://squid.sourceforge.net/

--
Henrik Nordstrom
Squid hacker
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Thu Sep 07 2000 - 13:41:28 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:14 MST