Re: [squid-users] Using Squid as a reverse-proxy to SSL origin?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 16 Oct 2008 11:26:53 +1300 (NZDT)

> I've looked in the archives, site, and Squid book, but I can't find
> the answer to what I'm looking to do. I suspect that it's not
> supported.
>
> My origin server accepts Basic auth over SSL (non-negotiable). I'd
> like to stick a reverse proxy/surrogate in front of it for
> caching/acceleration, and have it accept non-SSL connections w/ Basic
> auth, directing those requests as https to the origin. The origin's
> responses will be cached, to be used in subsequent GETs to the proxy.
> Both machines are in a closed IP environment. Both use the same
> authentication mechanism.
>
> I see that Squid 3.0 has an "ssl-bump" option, but I don't think that
> does what I described. If it does, that's cool - I can change the
> requirement of the proxy to accept Basic/SSL.
>
> Is this configuration possible, and/or am I thinking about this wrong?
>

You need to configure an 'https_port' same as you would an http_port, but
with added SSL certificate fields.

   https_port 443 accel <cert details>

then the cache_peer line needs 'ssl' to re-encrypt the link and
"login=PASS" (exact string) to pass the login details back to the web
server.

  cache_peer ... ssl login=PASS

Ref:
http://www.squid-cache.org/Versions/v3/3.0/cfgman/https_port.html
http://www.squid-cache.org/Versions/v3/3.0/cfgman/cache_peer.html

Amos
Received on Wed Oct 15 2008 - 22:26:58 MDT
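
The setup from the reply above, written out as a squid.conf fragment. This is an added example, not part of the original message; the host names, file paths and the peer name `secure_origin` are placeholders, and the `defaultsite=`, `cert=`, `key=`, `originserver` and `sslcafile=` options are assumptions about a typical deployment rather than details given in the thread.

```squidconf
# Added example; host names and file paths are placeholders.

# Client-facing listener in accelerator mode, with the proxy's own certificate.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/ssl/proxy.crt key=/etc/squid/ssl/proxy.key

# Origin server: 'ssl' re-encrypts the proxy-to-origin link and 'login=PASS'
# relays the client's Basic credentials to the origin unchanged.
# 'sslcafile' names the CA used to verify the origin's certificate.
cache_peer origin.example.internal parent 443 0 no-query originserver ssl login=PASS sslcafile=/etc/squid/ssl/origin-ca.pem name=secure_origin

# Only accelerate the published site, and only through the SSL peer.
acl accel_site dstdomain www.example.com
http_access allow accel_site
http_access deny all
cache_peer_access secure_origin allow accel_site
cache_peer_access secure_origin deny all
```

With `login=PASS` the client's credentials are forwarded as received, so they are only as protected as the client-side listener; on a plain `http_port` they cross that leg unencrypted. Responses to requests carrying an `Authorization` header are stored by a shared cache only when the origin marks them cacheable, for example with `Cache-Control: public`.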
