Re: [squid-users] Using Squid as a reverse-proxy to SSL origin?

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Thu, 16 Oct 2008 12:15:59 +0200

On Wed, 2008-10-15 at 16:42 -0400, Todd Lainhart wrote:
> I've looked in the archives, site, and Squid book, but I can't find
> the answer to what I'm looking to do. I suspect that it's not
> supported.

It is.

> My origin server accepts Basic auth over SSL (non-negotiable). I'd
> like to stick a reverse proxy/surrogate in front of it for
> caching/acceleration, and have it accept non-SSL connections w/ Basic
> auth, directing those requests as https to the origin. The origin's
> responses will be cached, to be used in subsequent GETs to the proxy.
> Both machines are in a closed IP environment. Both use the same
> authentication mechanism.

The basic setup is a plain reverse proxy.
http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-7fa129a6528d9a5c914f8dd5671668173e39e341

As the backend runs https you need to adjust the cache_peer line a bit
to enable ssl (port 443, and the ssl option).

When authentication is used you also need to tell Squid to trust the web
server with auth credentials:

http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-c59962b21bb8e2a437beb149bcce3190ee1c03fd

> I see that Squid 3.0 has an "ssl-bump" option, but I don't think that
> does what I described. If it does, that's cool - I can change the
> requirement of the proxy to accept Basic/SSL.

sslbump is a different thing. Not needed for what you describe.

But you may need to use https:// to the reverse proxy as well. This is
done by using https_port instead of http_port (and requires a suitable
certificate).

Regards
Henrik

Received on Thu Oct 16 2008 - 10:16:09 MDT
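
The setup described in this reply, written out as a squid.conf fragment. This is an added example, not part of the original message or the Squid wiki; the host names, the peer name `origin_ssl` and the file paths are placeholder assumptions, and the option names are the ones used by Squid releases of this thread's era (check the squid.conf documentation for your version).

```conf
# Client side, as asked in the thread: plain HTTP in accelerator mode.
# Basic auth credentials cross this hop in cleartext (base64 only).
http_port 80 accel defaultsite=www.example.com

# Alternative hinted at in the reply: terminate TLS on the proxy so the
# credentials are also protected between client and proxy. Use this
# instead of the http_port line above (certificate paths are placeholders).
# https_port 443 accel cert=/etc/squid/proxy-cert.pem key=/etc/squid/proxy-key.pem defaultsite=www.example.com

# Origin side: port 443 plus the "ssl" option makes Squid speak https to
# the backend. login=PASS tells Squid to trust this peer with the
# client's Basic auth credentials and forward them unchanged.
# sslcafile points at the CA that signed the origin's certificate so the
# peer certificate is verified (path is a placeholder).
cache_peer origin.example.com parent 443 0 no-query originserver ssl sslcafile=/etc/squid/origin-ca.pem login=PASS name=origin_ssl

# Only accept and forward requests for the accelerated site.
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all
cache_peer_access origin_ssl allow our_sites
cache_peer_access origin_ssl deny all

# Caching note: a shared cache stores a response to a request that
# carried an Authorization header only when the origin marks it as
# cacheable for shared caches, e.g. "Cache-Control: public" or
# "s-maxage" (RFC 2616 section 14.8).
```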