RE: [squid-users] HTTPS & Reverse proxy

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Wed, 18 Apr 2001 16:39:08 +0200

> So, between squid and webserver it is "unsecure", but it is in your private
> network, so it is ok. But the client requests pages from Squid using SSL,
> so it is secure going over the internet.

Never EVER trust a network that blindly, as private as it may be.
IF you want to do something like that, put ANOTHER network behind squid
and put your hosts there. Also, enable firewalling on the
squid host *and use it* to strengthen it as much as possible.
Of course you have to disable everything but Squid on that host, MAYBE
enable a VERY RECENT openssh or ssh2 to administer it.
Then MAYBE you have something similar to a faded image of an almost
semi-trustable network. Of course the backend net must not be
routed in any way. Having it on switches will help performance and
add a tiny amount of trustability (VERY tiny, mind you).

> What would be nice about this scenario, if I understand correctly, would be
> a situation if you have three webservers in your DMZ and one squid machine
> configured as an HTTPS endpoint. Instead of configuring each webserver with
> SSL, you just have to configure Squid. Squid handles the security between
> itself and the client (which travels over the internet) and squid talks to
> the webserver (which travels over your private network). You get three SSL
> webservers with the configuration of one proxy.

Correct.
In marketese terms, squid would act as a layer-7 switch with SSL
acceleration and content acceleration.
Not that marketoids have any voice in the matter, of course :0)
It could be worth investigating support for SSL acceleration cards
(assuming we don't already support those, I dunno).
Does anybody here have one?

-- 
	/kinkie 
Received on Wed Apr 18 2001 - 08:34:54 MDT
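The setup the two posters describe, written out as a Squid configuration. This is an added example, not configuration from the thread or from the Squid project; it assumes Squid 4 or later (for the `tls-cert=`/`tls-key=` and `tls` spellings), a site name `www.example.com`, certificate paths under `/etc/squid/certs/`, and three backend web servers at constructed addresses on a dedicated, non-routed backend network, all placeholders.

```conf
# Added example (not from the thread): Squid as the HTTPS endpoint in front
# of three plain-HTTP web servers. Assumes Squid 4+, placeholder site name,
# placeholder certificate paths and a constructed backend net 10.0.1.0/24.

# Public side: clients only ever talk HTTPS to Squid.
https_port 443 accel defaultsite=www.example.com vhost \
    tls-cert=/etc/squid/certs/www.example.com.crt \
    tls-key=/etc/squid/certs/www.example.com.key

# Backend side: the three origin servers, load-balanced round-robin.
# Port 80 here is the "unsecure but private" hop the first poster describes.
cache_peer 10.0.1.11 parent 80 0 no-query originserver name=web1 round-robin
cache_peer 10.0.1.12 parent 80 0 no-query originserver name=web2 round-robin
cache_peer 10.0.1.13 parent 80 0 no-query originserver name=web3 round-robin

# If, as the reply urges, you do not trust the backend network either,
# give each backend its own certificate and swap the lines above for
# peers that speak TLS on the backend hop as well, e.g.:
#   cache_peer 10.0.1.11 parent 443 0 no-query originserver name=web1 round-robin tls

# Forward only requests for our own site, so the accelerator cannot be
# used as an open proxy, and never contact origins directly.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access web1 allow our_site
cache_peer_access web1 deny all
cache_peer_access web2 allow our_site
cache_peer_access web2 deny all
cache_peer_access web3 allow our_site
cache_peer_access web3 deny all
never_direct allow all
```

The `http_access deny all` and per-peer `cache_peer_access` rules are the part most often forgotten when turning a forward proxy into an accelerator; without them the host accepts requests for arbitrary sites. The host firewall the reply insists on is configured outside Squid and is not shown here.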
