Re: [squid-users] Passthrough SSL connection to localhost

From: Henrik Nordstrom <[email protected]>
Date: Tue, 17 Aug 2004 20:46:33 +0200 (CEST)

On Mon, 16 Aug 2004, Wah wrote:

> In fact, I want to know how does Squid get work like it is said in below
> url.
> http://www.squid-cache.org/Doc/FAQ/FAQ-19.html
> "By default, Squid connects directly to origin servers for SSL
> requests..."

This applies to proxies, not reverse proxies.

> Secondly, I don't understand totally the following which resides in
> squid.conf, it makes me that Squid would handle ssl request
> automatically.
>
> http_port 80
> http_access deny CONNECT !SSL_ports

This applies to proxies, not reverse proxies.

> I'm confused the following description as well.
> http://www.mail-archive.com/squid-users@ircache.net/msg01625.html
> "... No. Squid acts as a tunnel only. It does not support SSL to
> itself, but SSL connections work _via_ squid because it understands the
> CONNECT method (allowing clients to establish a tunnel for an SSL
> session)....."

This message is very very old and not relevant to Squid-2.5 and late as
SSL server support was added in Squid-2.5 for use in reverse proxies.

> At last, it seems that ssl request would be passed to apache(localhost)
> by Squid.
> http://www.squid-cache.org/Doc/FAQ/FAQ-11.html
> "Normally, when you type an https URL into your browser, one of two
> things happens.
> 1. The browser opens an SSL connection directly to the origin server.
> 2. The browser tunnels the request through Squid with the CONNECT
> request method."

This applies to proxies, not reverse proxies.

In reverse proxies the proxy is the origin server as far as the client is
concerned.

When it comes to SSL and reverse proxying you have three options

a) Make the origin server listen directly on the external IP, or otherwise
have the port directly forwarded to the web server (NAT, TCP forwarding /
load balancing or whatever), allowing the client SSL to reach your web
server.

b) Set up Squid as an https frontend, taking care of the SSL layer and
then forwarding the request as http to your web server. This is the normal
setup with a reverse proxy. There is very little benefit of having the
overhead of SSL between the proxy and the web server.

c) Set up Squid as an https frontend taking care of the SSL layer to the
client, and also opening a new SSL connection to your web server. This
mode requires Squid-3.0 or if you want to go the complex path Squid-2.5 +
ssl update patch + a redirector to rewrite the requested URLs into https
again while Squid forwards the requests.

Regards
Henrik
Received on Tue Aug 17 2004 - 12:46:36 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:02 MDT