On Tue, 21 Dec 2004, Reuben Farrelly wrote:

Their request involves changes to create a setup like this:

Origin website (Serves https)
             |
             |
Squid proxy (Serves https to clients and requests https to origin servers)
             |
             |
Client browser (requests https)

This requires either Squid-3, or Squid-2.5 + SSL update patch and some tweaking.


With Squid-3 it is a fairly straightforward setup:

  https_port to make Squid listen for client requests
  cache_peer to make Squid forward to the web server


What won't be possible with a setup like this is the use of client side certificates for authentication to the application server, but pretty much anything else imaginable is possible.


The constraints are that as the clients are unmanaged we cannot alter the config of them easily. However we can get the SSL certificates that are used to sign the site, and have control of DNS (thinking maybe we could forge the identity of the origin box, just for this local network).

Good plan.

What patches are recommended to 2.5STABLE7 for this - I'm a bit wary of squid-3 even though it appears to have better SSL support and config directives seem to fit more with what I'm looking to do..

Documentation on this particular combination of circumstances seems to be a bit sparse, unfortunately :(

Squid-2.5 is not intended to be used like this. The standard release lacks the capability of initiating ssl connections, and even with the SSL patch it lacks a bit of flexibility in how to configure reverse proxies to make the setup reasonable.


In Squid-3 there is not much to say about it as it is just a standard reverse proxy configuration with https on both sides and there should not be any major problems figuring out the required configuration from the squid.conf documentation and release notes.

As you already figured out you need a good server certificate (+ key) to give to Squid to accept the https requests.

Regards
Henrik
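
As an added illustration (not part of the thread, and not Squid's own documentation), this is a squid.conf fragment for the Squid-3 setup Henrik describes: https_port on the client side, cache_peer with ssl on the origin side. The hostname www.example.com, the IP 192.0.2.10 and the certificate paths are placeholders. Because the plan is to point the local DNS for the site name at the Squid box, the cache_peer line must reference the origin by its real address (or a name the local DNS does not override); naming the site's own hostname there would make Squid forward to itself.

```squid
# Added example, not from the mailing-list thread. All names, IPs and paths are placeholders.

# Client side: listen for HTTPS as a reverse proxy (accel) and present the
# site's own certificate and key, so unmanaged browsers see the expected identity.
https_port 443 accel defaultsite=www.example.com vhost cert=/etc/squid/ssl/www.example.com.crt key=/etc/squid/ssl/www.example.com.key

# Origin side: forward to the origin over HTTPS. The origin is addressed by IP
# here because the local DNS resolves www.example.com to this Squid box.
# sslcafile/ssldomain make Squid verify the origin's certificate instead of
# accepting any peer; origin-ca.pem is the CA that signed the origin's cert.
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ssl/origin-ca.pem ssldomain=www.example.com name=origin

# Only requests for the accelerated site are accepted and sent to the origin;
# everything else is refused so the proxy cannot be used as an open relay.
acl our_site dstdomain www.example.com
cache_peer_access origin allow our_site
cache_peer_access origin deny all
http_access allow our_site
http_access deny all
```

After loading this, `squid -k parse` reports any directive the installed Squid-3 build does not recognise (the ssl* cache_peer options require a build with SSL support), and a request from a client that resolves www.example.com to the Squid host should appear in access.log with the origin peer named.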
