Re: [SQU] SSL Gatewaying

From: Henrik Nordstrom
Date: Thu, 22 Feb 2001 08:05:29 +0100

John Castillo wrote:
>
> the SSL Gatewaying patch worked out. thanks for the autoheader and autoconf
> information. presently i have a working SSL Gateway for my Transparent
> Reverse Proxy configuration!
>
> CLIENT <--- over HTTPS ---> SQUIDPROXY <--- over http ---> INTERNALRESOURCE

Excellent!

> however, NOW i'm told that the connection between the SQUIDPROXY and
> INTERNALRESOURCE also needs to be done over https. i have already tested the
> current config and noticed that i get the expected error of Connection
> Failed (111) Connection Refused. i would assume that this is because
> SQUIDPROXY is trying to access the INTERNALRESOURCE over http, when the
> INTERNALRESOURCE will only work over https.

Well... http://squid.sourceforge.net/ssl/todo.html

> so the new question is:
> 1 - can i use a SSL wrapper (like stunnel or sslwrap) to create the secure
> connection i need from SQUIDPROXY to INTERNALRESOURCE?

Maybe.

> 2 - is this setup hokey or what?

Not yet. See above.

> 3 - i found that Iplanet Proxy (Netscape Proxy) can natively handle this
> sort of secure client to proxy, secure proxy to internal resource
> connection. i wonder if it is capable of doing it transparently for the
> client and i also wonder if its doing this "double encryption".

Well, a proxy is a client when connecting to servers.. the data will be
decrypted and then encrypted again with the key of the proxy.

> compiled
> with --disable-internal-dns so that a /etc/hosts file can be used to resolve
> the internal ip of internal.mydomain.com.

The Squid-2.5 development versions use /etc/hosts with the internal DNS
as well...

--
Henrik Nordstrom
Squid hacker
Received on Thu Feb 22 2001 - 00:18:18 MST