RE: ssl forward / proxy question

If you have three IP addresses on the Squid proxy, you can have three SSL certs.

Mike Hulsman.

> -----Original message-----
> From: Ramin Dousti [mailto:ramin@xxxxxxxxxxxxxxxxxxxx]
> Sent: Saturday 26 July 2003 3:46
> To: Garcia Ruiz
> CC: Ramin Dousti; jen@xxxxxxxxxxx; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: ssl forward / proxy question
> 
> 
> The original poster has three web servers with three certs (I think). The
> reverse proxy you are explaining below can only hold one cert (this is the
> nature of SSL).
> 
> Ramin
> 
> On Sat, Jul 26, 2003 at 12:03:27AM +0200, Garcia Ruiz wrote:
> 
> > I can tell you that squid 2.5 supports reverse proxying and it works this
> > way: Client -> SSL -> Squid (with certificates) -> No SSL -> Internal
> > Server. I think that HTTP proxying supports reverse proxying for more than 1
> > server but I don't know if it's the same for SSL. In this case your only
> > problem is that the internal network doesn't have encryption (is it fine for
> > you?). If reverse proxy works for you, you can get an extra: the load of
> > your web servers will be much lower (you won't probably get cached SSL pages
> > but as you know, when requesting a page there are a lot of requests, images
> > among others, and these kinds of requests can be cached and are also very
> > heavy. The load of your servers would also be lower due to the lack of
> > encryption-decryption inside them).
> > 
> > Squid 3.0 supports Client -> SSL -> Squid (with certificates) -> SSL ->
> > Internal Server but it is in development state (I wouldn't use it in
> > production mode).
> > 
> > 
> > Here you have some interesting links:
> > 
> > http://squid.bilkent.edu.tr/mail-archive/squid-users/200102/0714.html
> > http://www.squid-cache.org/mail-archive/squid-users/200303/1040.html
> > http://squid.visolve.com/white_papers/reverseproxy.htm
> > 
> > Regards,
> > 
> > JBGR
> > 
> > ----- Original Message ----- 
> > From: "Ramin Dousti" <ramin@xxxxxxxxxxxxxxxxxxxx>
> > To: "Garcia Ruiz" <gar_ruiz@xxxxxxxxxxx>
> > Cc: <jen@xxxxxxxxxxx>; <netfilter@xxxxxxxxxxxxxxxxxxx>
> > Sent: Friday, July 25, 2003 9:33 PM
> > Subject: Re: ssl forward / proxy question
> > 
> > 
> > > You mean squid is going to handle the "get" requests for https??????
> > > Meaning it's terminating SSL, sending the right cert, negotiating a
> > > session key with the client, getting the request and fetching the
> > > contents based on the "get" request from the right web server on the
> > > LAN????
> > >
> > > Can you confirm all the above? If so, squid is a big security hole,
> > > but I'm sure it's not:
> > >
> > > http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.12
> > >
> > > Ramin
> > >
> > > On Fri, Jul 25, 2003 at 08:38:14PM +0200, Garcia Ruiz wrote:
> > >
> > > > Have a look at Squid proxy. The last releases support SSL reverse
> > > > proxying. If it would be capable of handling different servers your
> > > > problem would be solved. You could have it inside the firewall (but
> > > > be careful with security issues).
> > > >
> > > > Regards.
> > > >
> > > > BGR
> 
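What the setup discussed in this thread (three sites, three certificates, one listening IP per certificate, SSL terminated on the proxy and plain HTTP to the LAN servers) looks like as a Squid configuration. This is an added example, not configuration posted by anyone in the thread or shipped by the Squid project. The public IPs, hostnames, backend addresses and certificate paths are assumptions, and the syntax is the accel/cache_peer originserver form of Squid 2.6 and later rather than the httpd_accel_* directives that the Squid 2.5 of 2003 used.

```conf
# squid.conf fragment: SSL-terminating reverse proxy for three sites.
# Added example; all addresses, hostnames and paths below are assumptions.

# One listening socket per public IP, each with its own certificate and key.
# This is the "three IPs, three certs" scheme from the thread: the cert a
# client sees is chosen by which IP it connected to.
https_port 192.0.2.1:443 accel defaultsite=www.a.example cert=/etc/squid/certs/a.pem key=/etc/squid/certs/a.key
https_port 192.0.2.2:443 accel defaultsite=www.b.example cert=/etc/squid/certs/b.pem key=/etc/squid/certs/b.key
https_port 192.0.2.3:443 accel defaultsite=www.c.example cert=/etc/squid/certs/c.pem key=/etc/squid/certs/c.key

# Origin servers on the LAN, reached over plain HTTP (the Squid 2.5 model:
# Client -> SSL -> Squid -> no SSL -> internal server).
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=srv_a
cache_peer 10.0.0.12 parent 80 0 no-query originserver name=srv_b
cache_peer 10.0.0.13 parent 80 0 no-query originserver name=srv_c

# Pin each origin to its own hostname so a request for site A is never
# forwarded to server B, whatever Host header the client sends.
acl site_a dstdomain www.a.example
acl site_b dstdomain www.b.example
acl site_c dstdomain www.c.example

cache_peer_access srv_a allow site_a
cache_peer_access srv_a deny all
cache_peer_access srv_b allow site_b
cache_peer_access srv_b deny all
cache_peer_access srv_c allow site_c
cache_peer_access srv_c deny all

# Never go direct; everything must pass through one of the pinned peers.
never_direct allow all

# Only serve the three published sites. Denying everything else is what
# keeps an accelerator from doubling as an open forward proxy, which is
# the "security hole" worry raised in the thread. ('all' is predefined in
# Squid 3.x; older versions need an explicit 'acl all src' line.)
http_access allow site_a
http_access allow site_b
http_access allow site_c
http_access deny all

# Squid 3 variant: re-encrypt on the LAN leg, as the thread says Squid 3.0
# supports. 'ssl' and 'sslcafile=' are the Squid 3.x spellings (assumed);
# the CA file pins which certificate the backend may present.
# cache_peer 10.0.0.11 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/certs/lan-ca.pem name=srv_a
```

To confirm each IP hands out the right certificate, connect to each address separately (for example with openssl s_client -connect 192.0.2.1:443 -showcerts) and compare the subject of the returned certificate with the site that IP is meant to serve; a mismatch usually means a https_port line is bound to the wrong address. Because the proxy holds all three private keys and the LAN leg is cleartext in the Squid 2.5 form, the proxy host and the network segment between it and the origin servers are inside the trust boundary, which is the "be careful with security issues" caveat from the thread.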

