Re: [squid-users] sslbump + DynamicSslCert + url_rewrite_program + NTLM authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 12 Feb 2011 01:20:33 +1300

On 11/02/11 01:40, Yonah Russ wrote:
> Hi,
>
> I've been using Squid 2.6/7 for a while as a redirecting proxy for
> developers to preview their changes as if they are looking at
> production websites.
> Now I need to support rewriting SSL requests as well and this has
> brought me to investigate Squid 3.2/3.1
> As both of these seem very new and a lot seems to have changed, I'm
> hoping you can help point me in the best direction.
>
> I understand that 3.2 has the DynamicSSLCert feature and that a patch
> exists for 3.1 as well- which would be the preferred way to implement
> this for semi production/internal users?
> Is there any way to restrict which sites get bumped and which do not?

Yes.
http://www.squid-cache.org/Doc/config/ssl_bump/

>
> I also understand that redirect_program has been replaced with
> url_rewrite_program but the interface seems to be fairly backwards
> compatible- any gotchas to look out for?

No. Same old problems. No significant changes there. Just additional
error checking and reporting around mangled URLs and redirect status
codes for certain requests.

> Will the url_rewrite_program have access to the decrypted https
> request? If so, will the rewrite program be able to rewrite the
> request and still send it over HTTPS?

Good question. Don't know the answer though sorry.

Though I think the answer is probably yes, the side effects are likely
to be even worse than with HTTP since the SSL is closely tied to the URL
and domain as realm.

>
> Have there been changes in Active Directory integration for proxy
> authentication? Currently I'm using NTLM and Basic
> authentication+winbind but not without issues.

On the NTLM auth side:
  * Some HTTP/1.1 improvements that make NTLM work better. Though still
with problems. The later the version the better the background
connection stability.
  * Microsoft have officially obsoleted NTLM and encourage Kerberos
rollout. So do we. 3.2 will now use Kerberos on peer links as well.

On the Basic auth side:
  * 3.2 has had a large set of bug fixes

>
> I understand there are some changes regarding SMP. Currently I run
> multiple instances of Squid with different configurations (http_port,
> redirect_program). Can I consolidate this any with the newer versions?

Yes. 3.2 has configuration options to make control and configuration of
multiple instances MUCH easier.

> I'd be interested in sharing the authentication helpers, but still
> having different http/https ports and rewrite configurations.

Child processes and caches are not yet shared. Pretty much everything
else can be shared or separated as you wish.

NP: if you want to go with 3.2, I'm about to release 3.2.0.5 within a
few days.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.4
Received on Fri Feb 11 2011 - 12:20:39 MST
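The per-site bump control Amos points to, written out as a squid.conf fragment. This is an added example, not part of the original message or the Squid project's own documentation; the domain names, the CA certificate/key paths, the ssl_crtd path and the cache sizes are assumptions for illustration. The http_port options for dynamic certificate generation are the 3.2 ones (on 3.1 you only get them with the patch mentioned above).

```conf
# Squid 3.2: decrypt (bump) only the sites developers need to preview.
# Developers' browsers must trust the CA in myCA.pem, otherwise every
# bumped site will show a certificate warning.
http_port 3128 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem \
    key=/etc/squid/ssl_cert/myCA.key

# Helper that mints the per-host certificates signed by myCA (paths assumed).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# ssl_bump is evaluated on the CONNECT request, so the ACLs must match
# the CONNECT target host, not a URL path.
acl preview_sites dstdomain .example.com .example.net
acl never_bump    dstdomain .bank.example .payroll.example

# Explicitly exempt sensitive sites, bump the preview sites, pass
# everything else through untouched (encrypted end to end).
ssl_bump deny  never_bump
ssl_bump allow preview_sites
ssl_bump deny  all
```

The last `ssl_bump deny all` is the important line: without it a later `allow` or a missing rule can widen the set of decrypted sites, and a misconfigured bumping proxy is effectively a man-in-the-middle on every HTTPS session that passes through it. Keep the preview ACL as narrow as the developers' use case allows.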
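The url_rewrite_program interface discussed above, as an added example helper (not from the original message or the Squid project). It speaks the Squid 3.1/3.2 helper protocol without concurrency: one request per line on stdin, one answer per line on stdout. The host mapping and the sample request lines in the test are constructed for illustration; the scheme and port are preserved so that a request seen as https:// after bumping is rewritten to another https:// URL rather than downgraded.

```python
#!/usr/bin/env python3
"""Minimal url_rewrite_program helper for Squid 3.1/3.2 (added example).

Squid writes one request per line on stdin:
    URL client_ip/fqdn ident method [key=value ...]
and expects exactly one line back per request: the rewritten URL, or an
empty line to leave the request untouched. A "301:" or "302:" prefix on
the answer turns it into a client-visible redirect instead of a
transparent rewrite; this helper only does transparent rewrites.
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping (assumption): production host -> developer preview host.
HOST_MAP = {
    "www.example.com": "dev-www.example.test",
    "api.example.com": "dev-api.example.test",
}


def rewrite_url(url, host_map=HOST_MAP):
    """Return the rewritten URL, or '' if no rewrite applies.

    Scheme, port, path and query are preserved, so https stays https.
    CONNECT requests arrive as bare host:port with no scheme; they are
    left alone so the tunnel (or the bump) is set up for the real host.
    """
    if "://" not in url:
        return ""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None or host not in host_map:
        return ""
    new_netloc = host_map[host]
    if parts.port is not None:
        new_netloc = "%s:%d" % (new_netloc, parts.port)
    return urlunsplit((parts.scheme, new_netloc, parts.path,
                       parts.query, parts.fragment))


def handle_line(line, host_map=HOST_MAP):
    """Parse one helper input line and return the reply line (no newline)."""
    fields = line.strip().split()
    if not fields:
        return ""
    # First field is the URL; the remaining fields (client, ident, method,
    # key=value pairs) are not needed for a host-based rewrite.
    # With url_rewrite_concurrency > 0 Squid 3.2 prefixes a channel-ID that
    # must be echoed back; this helper assumes concurrency 0 (the default).
    return rewrite_url(fields[0], host_map)


def main():
    # Answer every line and flush immediately; a buffered reply stalls Squid.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it under Squid with `url_rewrite_program /usr/local/bin/rewrite.py` (path assumed) and `url_rewrite_children` sized for the developer load. Anything the helper rewrites bypasses the site's own TLS identity check from the client's point of view, so restrict `url_rewrite_access` to the developers' ACL and keep the mapping table small.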
