Re: HTTPD reverse proxy

Hi,

Matus UHLAR - fantomas wrote:
There's no reason for squid to forward request as https, unless
the network between squid and server is untrusted. But in such
case, there's usually no need for using squid.

On 12.10 13:27, Joost de Heer wrote:
I disagree. For one customer, we provide reverse proxy
functionality (although it's not Squid). The customer is divided
into smaller fractions, some of which don't trust the rest. So they
want the internal traffic to go via https too.


You didn't describe the network structure and logic deeply enough.

However, what I am repeating here is that the difference between this:

client ====> server
       HTTPS

and this:

client ====> proxy ====> server
       HTTPS       HTTPS

network structure is that the second one has one more weak place - the proxy.
Although the second structure CAN work and possibly DOES work somewhere,
it MAY be just a result of a wrong decision or implementation.

There are a couple of reasons that I can think of that require this configuration:

1) Where you don't trust the security of the connection between the reverse proxy and backend web server and

2) Where the backend web server insists on generating URLs based on the protocol used to communicate with it. e.g. https to the reverse proxy, http to the web server and it generates HTML with http:// URLs.

I have had to deal with the second one personally. I used squid initially and it worked as required so I know it is possible.

We moved away from squid as a reverse proxy to Apache with mod_proxy, mod_rewrite and mod_proxy_html (from Nick Kew). This allows us to fully rewrite the HTML from the backend web server and change links for external access. This way we can consolidate multiple backend servers into a single certificate and we use strong authentication so this ensures that the users only have to authenticate once.

We still use squid as a forward proxy for at least 1500 users.

HTH,


				Neil.

--
Neil Hillard                    hillardn@xxxxxxxxx
Westland Helicopters Ltd.       http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.
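
Added example, not part of the original message or of the poster's actual configuration: an Apache 2.4 virtual host covering both reasons listed above, re-encrypting and verifying the proxy-to-backend hop with mod_ssl and rewriting backend-generated absolute links with mod_proxy_html. The hostnames, file paths and the /app1/ prefix are assumed placeholders.

```apache
# Added illustration; hostnames, paths and the /app1/ prefix are placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_html, mod_xml2enc, mod_headers.
<VirtualHost *:443>
    ServerName portal.example.com

    # Client-facing TLS: one certificate in front of several backends.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/tls/portal.example.com.crt
    SSLCertificateKeyFile /etc/apache2/tls/portal.example.com.key

    # Reason 1: the network between proxy and backend is not trusted.
    # Re-encrypt the hop and verify the backend certificate against an
    # internal CA; without verification the second TLS leg authenticates nothing.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    SSLProxyCACertificateFile /etc/apache2/tls/internal-ca.pem

    # Reverse proxy only; never act as an open forward proxy here.
    ProxyRequests Off

    ProxyPass        /app1/ https://app1.internal.example/
    # Fix Location headers on backend redirects.
    ProxyPassReverse /app1/ https://app1.internal.example/

    <Location /app1/>
        # Reason 2: the backend emits absolute URLs naming itself.
        # Rewrite them in the HTML so clients never see internal names
        # or get sent to plain http.
        ProxyHTMLEnable On
        ProxyHTMLURLMap https://app1.internal.example/ /app1/
        ProxyHTMLURLMap http://app1.internal.example/  /app1/

        # mod_proxy_html cannot parse compressed bodies, so ask the
        # backend for uncompressed responses.
        RequestHeader unset Accept-Encoding
    </Location>
</VirtualHost>
```

Run `apachectl configtest` after adapting the names, then fetch a page through the proxy and search the returned HTML for the internal hostname to confirm no backend URLs leak through.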
