Re: [squid-users] Squid as SSL ReverseProxy - SSL Gateway or however you wanna call it

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 26 Mar 2003 12:42:46 +0100

Squid-2.5 does not support this out of the box.

With the SSL update patch for Squid-2.5 it gets somewhat possible by
defining the internal server as a ssl enabled cache_peer (works with
most web servers) or using a redirector to rewrite the accelerated URLs
into https://... (works with all web servers)

Squid-3 will support such configuration directly, and is significantly
easier to configure than Squid-2.5 + ssl_update.

In both cases the https:// request is proxied by Squid, meaning that
there is one SSL tunnel between the client and Squid, and another SSL
tunnel between Squid and the web server, with Squid decrypting and then
re-encrypting the traffic in the middle.

If what you want is an SSL tunnel between the client and the internal
server then you need to use a tcp plug or port forwarding.

Regards
Henrik

ons 2003-03-26 klockan 09.58 skrev sebastian.nell@bgs-ag.de:
> Hi!
>
> I have been reading through this mailing list quite a while and have
> stumbled over a lot of posts concerning Squid and SSL but not an answer
> to what I really need. What I need is an SSL connection on both sides
> of Squid:
>
> Client < -----SSL---- > Squid < ----- SSL ----- > Internal Server
>
> I know that this question has been asked quite often and there were
> people who said it works, some said it doesn't, but there has never
> been a "real" answer or an example concerning whether it is possible
> or not!
>
> My Squid.conf looks like this (using Squid 2.5 stable1):
>
> http_port 172.16.3.131:80
> https_port 172.16.3.131:443 cert=squid_cert.pem key=squid_key.pem
> ...
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl allowed_hosts src 192.168.1.1/255.255.255.0
> acl SSL_ports port 443 563
> ...
> acl CONNECT method CONNECT
> ...
> redirect_rewrites_host_header off
>
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow allowed_hosts
> http_access deny all
> http_access allow CONNECT !SSL_ports
> http_access allow CONNECT
> ...
> acl our_networks src 192.168.1.0/24 192.168.4.0/24
> http_access allow our_networks
> http_reply_access allow all
> ...
> httpd_accel_port 443
> httpd_accel_host virtual
> httpd_accel_single_host off
> httpd_accel_with_proxy off
> httpd_accel_uses_host_header on
> ....
>
> And at my /etc/hosts I added an entry
>
> 192.168.1.10 localserver
>
> When I try to access localserver through Squid and https I get the
> error message
> "Error- Bad Request This web server is running in SSL mode. Try the URL
> https:://pc352:443/ instead."
>
> pc352 is the computer name of localserver.
>
> How do I get SSL to work from Squid to the localserver?
>
> I would be more than thankful if someone could help me out on this one!
>
> THX
>
> Sebastian
>
> *******************************************
> Beratungsgesellschaft
> Software Systemplanung AG
> Geschäftssitz Mainz
> Niederlassung Rhein/Main
> Robert-Koch-Straße 41
> 55129 Mainz
> Phone: 06131 914-0 (-166), Fax -400
> E-Mail: Sebastian.Nell@bgs-ag.de
> web: www.bgs-ag.de
> ********************************************

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Wed Mar 26 2003 - 04:42:54 MST
