Re: [squid-users] Fwd: Reverse Proxy for HTTPS

From: fulan Peng <[email protected]>
Date: Tue, 26 Sep 2006 22:43:30 -0400

It does not make sense you encrypt the web pages twice. Why cannot
cache a regular page at http port then send out with SSL? I seems to
me it won't work with double encryption.You can try it.
If you use Windows, 2.6S3 works. Any revision will work on Unix.

The following script is to make certificate for Squid on Windows,
followed by an example of squid.conf(SSL enabled). I have binary for
Windows XP. I compiled it with Cygwin. If you want to install in Unix,
it is very easy. Just ./configure
--with-openssl=.../openssl/include;make;make install; cd ..
squid/var;make cache
cd .. squid/sbin; squid -z; squid. Or do a squid -k parse to test the
configuration file before you run.

c:\openssl\bin\openssl.exe req -new -x509 -keyout
c:\squid\etc\demoCA\private\cakey.pem -out
c:\squid\etc\demoCA\cacert.pem -days 365 -subj
/C=JP/ST=H2iDsZPErqitxps9V86g/L=X8KGZ3iBX5G/OU=wPAV4SQ9ZC8OaSb4S/O=s4R0TH/CN=eO1fsP9t/emailAddress=4mkDvu@LhNwRhEyzNZoneAK.com
-passout pass:z4xZcLW2c4Nty
c:\openssl\bin\openssl.exe req -new -keyout key.pem -out req.pem -days
365 -subj /C=JP/ST=H2iDsZPErqitxps9V86g/L=X8KGZ3iBX5G/OU=wPAV4SQ9ZC8OaSb4S/O=s4R0TH/CN=eO1fsP9t/emailAddress=4mkDvu@LhNwRhEyzNZoneAK.com
-passout pass:z4xZcLW2c4Nty
copy key.pem key.pem.old
c:\openssl\bin\openssl.exe rsa -in key.pem.old -out key.pem -passin
pass:z4xZcLW2c4Nty
c:\openssl\bin\openssl.exe ca -in c:\squid\etc\req.pem -out
c:\squid\etc\cert.pem -passin pass:z4xZcLW2c4Nty -batch
c:\squid\sbin\squid.exe

squid.conf
http_port 127.0.0.1:80 defaultsite=ddint.org
https_port 443 cert=c:\squid\etc\cert.pem key=c:\squid\etc\key.pem
defaultsite=breakevilaxis.org
cache_peer breakevilaxis.org parent 8800 0 originserver name=futurechinaforum
cache_peer ddint.org parent 80 0 originserver name=ddint
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log c:/squid/var/logs/access.log squid
debug_options ALL,9
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl breakevilaxis.org dstdomain breakevilaxis.org
acl ddint.org dstdomain ddint.org
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow ddint.org
http_access allow breakevilaxis.org
http_access allow localhost
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
cache_peer_access futurechinaforum allow breakevilaxis.org
cache_peer_access ddint allow ddint.org
visible_hostname ddint.org
coredump_dir c:/squid/var/cache

On 9/26/06, Arief Kurniawan <ariefk.milis@gmail.com> wrote:
> I'd like to accelerate our backend HTTPS Server, the SSL Cert. is held
> by the backend server (IP 192.168.1.1)
> In squid.conf :
>
> http_port 443 vhost
> cache_peer 192.168.1.1 parent 443 0 originserver name=myapps
> http_access allow all
>
> The question is :
> - Is the squid.conf above will be able to redirect any request from
> client to https://192.168.1.1 ?
> - Or should the squid configured with https_port and obtain another SSL cert ?
> - Which is better for this purpose, Squid 3 or Squid 2.6 ? any pointer ?
>
> Regards,
>
> Arief K
>
Received on Tue Sep 26 2006 - 20:43:35 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Oct 01 2006 - 12:00:04 MDT