Re: [SQU] SSL Gatewaying

From: John Castillo <[email protected]>
Date: Wed, 21 Feb 2001 19:11:29 -0800

the SSL Gatewaying patch worked out. thanks for the autoheader and autoconf
information. presently i have a working SSL Gateway for my Transparent
Reverse Proxy configuration!

CLIENT <--- over HTTPS ---> SQUIDPROXY <--- over http ---> INTERNALRESOURCE

however, NOW i'm told that the connection between the SQUIDPROXY and
INTERNALRESOURCE also needs to be done over https. i have already tested the
current config and noticed that i get the expected error of Connection
Failed (111) Connection Refused. i would assume that this is because
SQUIDPROXY is trying to access the INTERNALRESOURCE over http, when the
INTERNALRESOURCE will only work over https.

so the new question is:
1 - can i use an SSL wrapper (like stunnel or sslwrap) to create the secure
connection i need from SQUIDPROXY to INTERNALRESOURCE?
2 - is this setup hokey or what?
3 - i found that Iplanet Proxy (Netscape Proxy) can natively handle this
sort of secure client to proxy, secure proxy to internal resource
connection. i wonder if it is capable of doing it transparently for the
client and i also wonder if it's doing this "double encryption".

lastly, would anyone mind looking at my squid.conf and current
configuration? just let me know if it looks pretty straightforward. i
omitted the acl and http_access lines.

goal: provide a secure connection from client to internal resource using a
reverse proxy. a transparent type connection is desired.

current setup:
client - has no knowledge of any proxy server. client connects to
internal.proxy.mydomain.com

proxy - running SQUID 2.5/Devel + SSL Gatewaying patch. listens on
https_port 443 for incoming connections. compiled
with --disable-internal-dns so that a /etc/hosts file can be used to resolve
the internal ip of internal.mydomain.com.

squid.conf looks sorta like this..
http_port 80
https_port 443
ssl_certificate /etc/squid/ssl.crt/server.crt
ssl_key /etc/squid/ssl.key/server.key
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
redirect_rewrites_host_header off
hosts_file /etc/hosts

INTERNALRESOURCE - is https enabled

john.

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "John Castillo" <john@checkout.com>
Cc: <squid-users@ircache.net>
Sent: Tuesday, February 20, 2001 3:09 PM
Subject: Re: [SQU] SSL Gatewaying

> John Castillo wrote:
>
> > so... followed the link at http://squid.sourceforge.net but the link for
> > SSL gatewaying is stale and the new website has little information. my
> > question is this.
>
> The new website is mostly a placeholder for future things to do. The
> only real documentation is squid.conf.
>
> > if i were to figure out how to setup SSL gatewaying with squid,
> > 1 - would i then be able to setup a transparent proxy that would
> > CLIENT <---over https---> SQUIDPROXY <---over http---> INTERNALRESOURCE ?
>
> Yes.
>
> > 2 - if 1 is true, then how do i retrieve the SSL patch ? (i'm very
> > unfamiliar with CVS)
> > i am currently using squid-2.3.STABLE4-1
>
> Download it from SourceForge.
>
> The patch is only available as a patch for Squid-HEAD (2.5-alpha
> development versions). Squid-HEAD is downloadable from
> http://www.squid-cache.org/Versions/v2/2.5/
>
> > 3 - provided that communication between the client and the squidproxy
> > would preferably be secure (and in my case encrypting the traffic would
> > be the only financially viable solution), would (1) be a good solution?
> > communication between squidproxy and internal resource is assumed to be
> > private and secure.
>
> As described above.
>
> /Henrik
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
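For question 1 above, one way to wire the SQUIDPROXY to INTERNALRESOURCE hop through stunnel running in client mode on the proxy host, as an added example that is not from the original thread. It assumes stunnel 4-style configuration syntax, that the CA which issued the backend certificate is available as /etc/stunnel/internal-ca.pem, and that loopback port 8080 is free for the local listener.

```ini
; /etc/stunnel/stunnel.conf on the SQUIDPROXY host (assumed path)
; Client mode: accept plain HTTP from the local Squid and open a TLS
; session to the backend, so Squid itself never needs to speak HTTPS
; towards INTERNALRESOURCE.
client = yes
foreground = no
pid = /var/run/stunnel-internal.pid

; Require the backend to present a certificate that chains to our CA.
; Without verify/CAfile the hop is encrypted but not authenticated, so a
; host that intercepted the proxy->backend traffic could impersonate the
; backend; verify = 2 rejects the connection instead.
verify = 2
CAfile = /etc/stunnel/internal-ca.pem

[internal-https]
; Only Squid on this box should reach the plaintext side, so bind to
; loopback rather than to the proxy's external interface.
accept  = 127.0.0.1:8080
connect = internal.mydomain.com:443
```

Squid then has to be pointed at the listener instead of the backend, for example with httpd_accel_host 127.0.0.1 and httpd_accel_port 8080 (or by mapping the accelerated hostname to 127.0.0.1 in hosts_file), and the Host header passes through stunnel unchanged since it only wraps the TCP stream. There is no double encryption in this setup: the client's TLS session ends at Squid, which handles the request in plaintext, and stunnel opens a separate TLS session to the backend.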

Received on Wed Feb 21 2001 - 20:12:17 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:07 MST