THe original poster has three web servers with three certs (I think). The reverse proxy you are explaining below can only hold one cert (this is the nature of SSL). Ramin On Sat, Jul 26, 2003 at 12:03:27AM +0200, Garcia Ruiz wrote: > I can tell you that squid 2.5 supports reverse proxying and it works this > way: Client -> SSL -> Squid (with certificates) -> No SSL -> Internal > Server. I think that HTTP proxying supports reverse proxying for more than 1 > server but I don't know if it's the same for SSL. In this case your only > problem is that the internal network donn't have encryption (Is it fine for > you¿?). If reverse proxy works for you, you can get an extra: The load of > you web servers will be much lower (you won't probably get cached SSL pages > but as you know, when requesting a page there are a lot of requests -images > among other- and these kind of requests can be cached and also are very > heavy. The load of your servers would be also lower due to the lack of > encryption-decryption inside them). > > Squid 3.0 supports Client -> SSL -> Squid (with certificates) -> SSL -> > Internal Server but it is in developement state (I wouldn't use in > production mode). > > > Here you have some interesting links: > http://squid.bilkent.edu.tr/mail-archive/squid-users/200102/0714.html > http://www.squid-cache.org/mail-archive/squid-users/200303/1040.html > http://squid.visolve.com/white_papers/reverseproxy.htm > > Regards, > > JBGR > > ----- Original Message ----- > From: "Ramin Dousti" <ramin@xxxxxxxxxxxxxxxxxxxx> > To: "Garcia Ruiz" <gar_ruiz@xxxxxxxxxxx> > Cc: <jen@xxxxxxxxxxx>; <netfilter@xxxxxxxxxxxxxxxxxxx> > Sent: Friday, July 25, 2003 9:33 PM > Subject: Re: ssl forward / proxy question > > > > You mean squid is going to handle the "get" requests for https?????? > > Meaning it's terminating SSL, sending the right cert, negotiating a > > session key with the client, getting the request and fetching the > > contents based on the "get" request from the right web server on the > > LAN???? > > > > Can you confirm all the above? If so, squid is a big security hole, > > but I'm sure it's not: > > > > http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.12 > > > > Ramin > > > > On Fri, Jul 25, 2003 at 08:38:14PM +0200, Garcia Ruiz wrote: > > > > > Have a look at Squid proxy. The last releases admit SSL reverse > proxying. If > > > it would be capable of handling different servers your problem would be > > > solved. You could have it inside of the firewall (but be careful with > > > security issues). > > > > > > Regards. > > > > > > BGR > > >