Re: [squid-users] SSL<->SSL<->unencrypted, (was: provide external access)

From: Henrik Nordstrom <[email protected]>
Date: 21 Mar 2003 16:25:53 +0100

On Fri 2003-03-21 at 15.39, mlister wrote:
> Henrik I really appreciate the information you have provided me.
> I'd like to clarify your last post so that I can then make my next
> decision:
>
> > Squid-2.5 can provide SSL acceleration like
> >
> > clients -- https(SSL) --> Squid -- HTTP --> Web server
>
> here would the clients use SSL? and above does
> "HTTP" signify running an httpd daemon on the squid box
> or is it just showing the HTTP proxy tunnel?

What is written on top of the arrows signifies the protocol used for the
connection.

In Squid-2.5 acceleration with SSL, clients use https(SSL) when speaking
to Squid and Squid uses plain HTTP when talking to the web server.

> > The use of https is also supported on peer proxy connections, allowing
> >
> > clients --> Squid -- https(SSL) --> Another Squid --> Web server
>
> again, would the clients be using SSL?

You can actually select any combination.

> > Note: proxying of the original client certificate is not possible due to
> > the man-in-the-middle scenario of these configurations.
>
> I'm thinking this is ok since I only need the certificate to carry through
> the firewall, after which the SSL communication would need to end
> internally.

Who needs to know the client certificate? The Squid proxy or the real
web server?

> Thanks again. I understand that if I have to I can just re-setup my internal
> server config to run SSL where needed and really simplify this situation. I
> initially want to see if the option to avoid this exists (will exist).

Everything you need exists.

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Fri Mar 21 2003 - 08:27:20 MST
