On Mon, 16 Aug 2004, Wah wrote:

In fact, I want to know how Squid works as described in the URL
below.
http://www.squid-cache.org/Doc/FAQ/FAQ-19.html
"By default, Squid connects directly to origin servers for SSL
requests..."

This applies to proxies, not reverse proxies.

Secondly, I don't totally understand the following, which resides in
squid.conf; it makes me think that Squid would handle SSL requests
automatically.

http_port 80
http_access deny CONNECT !SSL_ports

This applies to proxies, not reverse proxies.

I'm confused by the following description as well.
http://www.mail-archive.com/[EMAIL PROTECTED]/msg01625.html
"...  No. Squid acts as a tunnel only. It does not support SSL to
itself, but SSL connections work _via_ squid because it understands the
CONNECT method (allowing clients to establish a tunnel for an SSL
session)....."

This message is very very old and not relevant to Squid-2.5 and later, as SSL server support was added in Squid-2.5 for use in reverse proxies.


At last, it seems that ssl request would be passed to apache(localhost)
by Squid.
http://www.squid-cache.org/Doc/FAQ/FAQ-11.html
"Normally, when you type an https URL into your browser, one of two
things happens.
1. The browser opens an SSL connection directly to the origin server.
2. The browser tunnels the request through Squid with the CONNECT
request method."

This applies to proxies, not reverse proxies.


In reverse proxies the proxy is the origin server as far as the client is concerned.



When it comes to SSL and reverse proxying you have three options:

a) Make the origin server listen directly on the external IP, or otherwise have the port directly forwarded to the web server (NAT, TCP forwarding / load balancing or whatever), allowing the client SSL to reach your web server.

b) Set up Squid as an https frontend, taking care of the SSL layer and then forwarding the request as http to your web server. This is the normal setup with a reverse proxy. There is very little benefit of having the overhead of SSL between the proxy and the web server.

c) Set up Squid as an https frontend taking care of the SSL layer to the client, and also opening a new SSL connection to your web server. This mode requires Squid-3.0 or, if you want to go the complex path, Squid-2.5 + ssl update patch + a redirector to rewrite the requested URLs into https again while Squid forwards the requests.

Regards
Henrik
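
Added example, not part of Henrik's message: a squid.conf sketch of options (b) and (c) in Squid 3.x accelerator syntax. The hostname `www.example.com`, the certificate paths and the peer names are placeholders, and option names should be checked against the squid.conf documentation for the installed version.

```conf
# --- Client side: Squid terminates SSL itself (options b and c) ---
# "accel" puts the port in reverse-proxy (accelerator) mode; the
# certificate and key are the ones clients see for the site.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/ssl/www.example.com.crt key=/etc/squid/ssl/www.example.com.key

# --- Option (b): forward to the web server as plain http ---
# The web server listens on localhost:80 and is not reachable from outside.
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=backend_http

# --- Option (c): open a new SSL connection to the web server ---
# Use this cache_peer instead of the one above. "ssl" encrypts the
# proxy-to-server hop, "ssldomain" is the name expected in the server
# certificate, "sslcafile" is the CA used to verify it.
#cache_peer 127.0.0.1 parent 443 0 no-query originserver ssl ssldomain=www.example.com sslcafile=/etc/squid/ssl/backend-ca.pem name=backend_https

# --- Access control ---
# Serve only the accelerated site and deny everything else, so the
# accelerator cannot be used as an open forward proxy.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all

# Send requests for the site to the chosen peer only.
# For option (c), replace backend_http with backend_https here.
cache_peer_access backend_http allow our_site
cache_peer_access backend_http deny all
```

With option (b) the hop between Squid and the web server is unencrypted, so it belongs on loopback or a trusted segment.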
