RE: [squid-users] SSL reverse-proxy questions (was "redirect")

From: Discussion Lists <discussions@dont-contact.us>
Date: Mon, 23 May 2005 07:43:43 -0700

Okay, I'll just start over. First of all, I should never have used the
term "redirect". That is more of a firewall term, and it should have
been left out. All I want to do is reverse-proxy SSL connections,
hopefully several of them. Each time you set up one of these
connections, you have to add in a line similar to below into squid.conf:

"https_port 443 cert=/path/to/cert.cert key=/path/to/key.key accel
your.site.name protocol http"

This will reverse-proxy any request for "your.site.name" from what I
understand. But that is just one site. Suppose I have another site
that I want available for SSL? Could I just add another line similar to
the above, but for the second, third or more sites?

Okay here's the second question. The above line is an example of how to
reverse-proxy from SSL to http, or port 443 to port 80, right? Now,
suppose I want to reverse-proxy several SSL connections, similar to
above, but instead of changing from SSL to http, (443 -> 80 as above) I
am reverse-proxying straight SSL (443 -> 443). Is this possible for
multiple sites? If it is, is there some way that I could make it so I
would not need a certificate on the firewall for each connection and
just have the backend server handle certificate requests?

Lastly, I found information on the internet about how to create your own
certificates, but nothing about how to import them from somewhere else.
Anyone know of any tutorials that deal with this?

Thanks,
Mark

> -----Original Message-----
> From: Matus UHLAR - fantomas [mailto:uhlar@fantomas.sk]
> Sent: Monday, May 23, 2005 2:55 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] SSL redirect questions
>
>
> On 22.05 12:35, Discussion Lists wrote:
> > I have some general questions about reverse-proxying SSL.
> >
> > 1. What is the best way to do it using Squid:
> > a. Do a straight redirect from port 443 to port 443 from server to
> > server with no certificate presented from the firewall, but rather
> > from the server that the connection is redirected to (is this even
> > possible with Squid?).
> > b. Redirect port 443 to port 80 on the destination server(s), and use
> > the firewall to present each of the certificates.
>
> Are you talking about reverse-proxying or redirecting?
> When reverse proxying, you do not redirect anything. If
> redirecting, you do not care about certificates.
>
> What I understand by "reverse ssl proxy" is that squid
> listens for SSL requests on port 443 and forwards plain HTTP
> requests to the HTTP server.
>
> There is of course the possibility to forward https requests with
> a different key/certificate, but it has meaning only in some
> special cases.
>
> > 2. If the answer is B, I have several backend SSL servers, all of
> > which I want to redirect connections to.
>
> Why? Why do you want to push one level of servers before the backends?
>
> > This is an aspect of proxying/reverse-proxying where my knowledge is
> > weak, maybe some of you have some suggestions.
>
> I do not understand why you need reverse proxying at all...
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu
> postu. Your mouse has moved. Windows NT will now restart for
> changes to take effect. [OK]
>
Received on Mon May 23 2005 - 08:43:44 MDT
