Re: [squid-users] Proxy and cache of SSL with client auth?

From: Matus UHLAR - fantomas <uhlar_at_fantomas.sk>
Date: Thu, 21 May 2009 10:46:27 +0200

>>> This may sound insane, but here goes. I've got a file distribution
>>> system that relies on client certificate authentication through SSL
>>> (https) to authenticate clients prior to delivery of files. Typical
>>> apache with ssl and client cert setup. I have reached a situation,
>>> however, where it would be convenient to create a tiered system of
>>> caches of said files. My thought was to use squid to do this as follows:

On 20.05.09 11:35, Justin Binns wrote:
> I had thought of this as a forward-proxy, because the clients and the
> proxy server are all on the same network, and the proxy is providing
> caching for the clients. The purpose of this is to reduce bandwidth -
> let me provide a more thorough concrete description of the application.

So, your users are authenticating with SSL onto webserver that provides some
files. You want to push proxy in the middle, that would authenticate using
their certificateds instead of users. That means that the proxy must know
their private SSL keys. In such case the SSL authentication is useless, or
better: makes it impossible. Ordinary authentication is needed.

So, this one auth scheme must be used:

proxy does have the file but provides it to the client only if the client
passes correct auth info, which is sent to server by the proxy, and server
replies either with 4xx code, whcih means proxy won't pass cached object to
the client, or server replies with 302 "not modified" code, so the proxy
passes the object to client (alternatively, sevrer replies 200 OK, sends the
object to the proxy...)

Now the question is if HTTP allows that (hopefully yes), and if your server
supports the 302 reply code.

-- 
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol. 
Received on Thu May 21 2009 - 08:46:33 MDT

This archive was generated by hypermail 2.2.0 : Thu May 21 2009 - 12:00:01 MDT