Re: [squid-users] https, redirector

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 16 Jun 2005 00:32:35 +0200 (CEST)

On Wed, 25 May 2005, Bill Mills-Curran wrote:

> I want to add another "backend" web site that uses https. I've tried
> many (too many) different configs, but I can't find the right
> combination to make it work.

Squid-2.5 as reverse proxy does not support making HTTPS connections, only
accepting https requests via https_port and then forwarding them as plain
http requests to the backend.

To make HTTPS connections you need Squid-3.0 (under development) or the
SSL update patch to Squid-2.5.

To make https requests with the SSL update you can either

  a) forward the requests via a cache_peer defined with the ssl option,
with some limitations on connection management.

  b) use a redirector to rewrite the accelerated URL to https://.

In Squid-3.0 you can select that the requests accepted by https_port
should be reconstructed as https:// URLs from the start, simplifying
matters somewhat. There is also much better support for cache_peer based
forwarding in reverse proxies (in fact the default mode in Squid-3
accelerators).

The CONNECT method is not relevant in reverse-proxies. This method is only
for clients explicitly configured to use the proxy to open SSL tunnels via
the proxy to the requested server (i.e. internal clients trying to go to
the Internet).

> 1. With just an entry like:
>
> http_port 10.14.21.32:443

This cannot work. This tells Squid that it should accept http requests on
port 443. I.e. http://10.14.21.32:443/ not https.

To accept https requests from the clients as a reverse proxy you must use
https_port.

Regards
Henrik
Received on Wed Jun 15 2005 - 16:32:39 MDT
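
Added example, not part of the original message and not code from the Squid project: a redirector helper for option (b) that rewrites the accelerated http:// URL to https:// only for allow-listed backends. It assumes the classic redirector line format (`URL client_ip/fqdn ident method` in, rewritten URL or an empty line out); the backend hostname is hypothetical.

```python
#!/usr/bin/env python3
"""Redirector helper sketch: rewrite accelerated http:// URLs to https://."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Hypothetical backend names; only these are ever rewritten to https.
HTTPS_BACKENDS = {"secure-backend.example.com"}


def rewrite(line):
    """Return the URL to hand back to Squid, or "" to leave the request as is.

    Assumed input (classic redirector line): URL client_ip/fqdn ident method
    """
    fields = line.split()
    if not fields:
        return ""
    try:
        parts = urlsplit(fields[0])
        host = (parts.hostname or "").lower()
        port = parts.port
    except ValueError:
        # Malformed port or bracketed host: never rewrite what we cannot parse.
        return ""
    # Match on the parsed host, not a string prefix, so userinfo tricks such as
    # http://secure-backend.example.com@other.host/ are not rewritten.
    if parts.scheme.lower() != "http" or host not in HTTPS_BACKENDS:
        return ""
    if port not in (None, 80, 443):
        return ""  # unexpected port: do not guess where the request should go
    # Drop the accelerator-side port and any userinfo; https defaults to 443.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def main():
    for line in sys.stdin:
        # Exactly one answer line per request line, flushed immediately so
        # Squid is never left waiting on a buffered helper.
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```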
