RE: [squid-users] reverse ssl-proxy?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 19 Nov 2003 23:24:52 +0100 (CET)

On Wed, 19 Nov 2003, John Hally wrote:

> One thing I'm not clear on is how DNS works in this scenario. Does the
> remote client resolver resolve hosts, or does the browser just forward on
> the url to the proxy and the proxy does the lookup on behalf of the client?

As you speak of reverse proxying the normal way this is done is that the
reverse proxy publishes a single (or a set of) "official" Internet web
server name to the users. Then depending on what the user requests from
this "official" server he gets forwarded to different web servers.

In such setup Squid can publish itself using https:// to the users, while
using http:// to the web servers. Squid can also require authentication
before forwarding the request, but it should be noted that there can only
be one set of login/password in HTTP so if you have applications also
requiring login via HTTP authentication (not cookie based forms
authentication) then some careful thought is needed there.

> If this is the case, I would imagine that by setting your browser's proxy
> setting to the proxy address, and the proxy using the intranet DNS server,
> things would work without having to modify the intranet content. Is this
> not the case?

That would work, except that you then need SSL support on all your
Intranet servers if you want to use https://. Also it won't be a reverse
proxy but just a standard proxy. One notable drawback is that users behind
other proxies won't be able to use this service.

> I envision this:
>
> setting up a squid proxy with two nics, one internally addressed, the other
> publicly addressed.

Yes.

> setting up the proxy to use the internal DNS servers for hostname
> resolution.

Yes.

> setting the proxy to only proxy for the internal domain (this way the remote
> client would have to disable using the proxy for internet access, and enable
> for intranet access. ?!?)

Yes.

> setting up some type of proxy authentication. (NTLM maybe)

I would advise to stay away from NTLM in this type of setup. Better to use
Basic authentication over https://.

> Basically I've been tasked to make this work, and need to know if it's
> feasible with squid. If so making it work is the next step.

It is all possible, but not without difficulties.

The difficulties are not so much in configuring the reverse proxy as in
getting the Intranet applications to play nicely with the new access
method.

Regards
Henrik
Received on Wed Nov 19 2003 - 15:24:58 MST
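The setup Henrik describes (https:// published to users, http:// to the Intranet servers, Basic authentication at the proxy) as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the hostnames, certificate paths, helper path and nameserver address are assumptions, and the syntax is that of Squid 3.x rather than the 2.5 release current in 2003.

```conf
# Added example squid.conf fragment (assumed names and paths throughout).

# Publish one "official" HTTPS name to remote users (accelerator / reverse-proxy mode).
# The certificate and key paths are assumptions.
https_port 443 accel cert=/etc/squid/intranet.example.com.pem key=/etc/squid/intranet.example.com.key defaultsite=intranet.example.com vhost

# Internal servers are reached over plain http://, names resolved via the internal DNS.
dns_nameservers 10.0.0.53
cache_peer wiki.internal.example.com parent 80 0 no-query originserver name=wiki
cache_peer hr.internal.example.com   parent 80 0 no-query originserver name=hr
never_direct allow all

# Route each published virtual host to its backend.
acl to_wiki dstdomain wiki.intranet.example.com
acl to_hr   dstdomain hr.intranet.example.com
cache_peer_access wiki allow to_wiki
cache_peer_access wiki deny all
cache_peer_access hr   allow to_hr
cache_peer_access hr   deny all

# Basic authentication, acceptable here only because it travels inside https://.
# Helper path and password file are assumptions.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Intranet
auth_param basic credentialsttl 1 hour
acl authed proxy_auth REQUIRED

# Serve only the published Intranet names; refuse everything else.
acl intranet dstdomain .intranet.example.com
http_access allow intranet authed
http_access deny all
```

The single-credential problem Henrik notes applies here: the Authorization header the proxy consumes is the same one a backend would need for its own HTTP authentication, so a backend that also requires Basic auth has to be handled separately (for instance by passing the user's credentials through with the cache_peer option login=PASS instead of checking them at the proxy).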