Re: [squid-users] Re: Reverse Proxy SSL + Certificates

From: Henrik Nordstrom <[email protected]>
Date: Mon, 13 Dec 2004 18:02:52 +0100 (CET)

On Mon, 13 Dec 2004, David Delamarre wrote:

> you are right i tried reverse with ssl between client and reverse
> proxy ans it is working but if i need a certificate to authenticate to
> the backend servers is not working ....

I am starting to feel like a parrot now.

If you need a personal client certificate to authenticate to the backend
server you only have the alternative of somehow publishing the web servers
SSL port directly on the Internet. This because for the certificate
exchange to take place the client must talk to the SSL of your web server,
not an surrogate server such as Squid.

You can use client certificates to authenticatie to Squid, sortof, but
this won't get forwarded to your backend server and is of quite limited
use.

There is at least three means of getting an internal web server port
published directly on the Internet if this is what you desire and with all
security implications it may have. Neither involves Squid. Squid is a
proxy / surrogate server.

   - NAT
   - TCP plugs such as the redirect method in xinetd (drawback: completely
hides client IP, limited logging)
   - Making the web server listen on an Internet IP

Regards
Henrik
Received on Mon Dec 13 2004 - 10:02:56 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:02 MST