I had thought of this as a forward-proxy, because the clients and the
proxy server are all on the same network, and the proxy is providing
caching for the clients. The purpose of this is to reduce bandwidth -
let me provide a more thorough concrete description of the application.
We distribute large files to facilitate our application. These are
media files, mostly, and therefore static. When we install several
clients in the same customer location, each one would normally fetch
these files, thereby multiplying the amount of traffic on the customer's
internet connection by the number of client boxes installed. We want to
avoid this, and so we are investigating methods for having one box cache
the content, with the other clients fetching it from the local cache.
One of the methods we are investigating is squid, which appeared to
provide what we needed with very little change to our existing clients
or servers. I believe this is the poster child for forward-proxy /
cache configurations, except for the SSL wrinkle....
Thanks in advance for any help ;-)
Justin
Amos Jeffries wrote:
This may sound insane, but here goes. I've got a file distribution
system that relies on client certificate authentication through SSL
(https) to authenticate clients prior to delivery of files. Typical
apache with ssl and client cert setup. I have reached a situation,
however, where it would be convenient to create a tiered system of
caches of said files. My thought was to use squid to do this as follows:
Server stays the same - requires client cert to return a file.
Squid proxy is set up on a box with a valid client cert, setting up
sslproxy_* to point to valid client certs. Squid is also configured
with https to require client certs for connection to Squid (this last
part is less important - the clients in this particular setup are
actually on a private network that is not considered at risk). When the
client makes a request for a file, squid makes the request using its
authorized cert, and then serves the file down-stream.
From my initial reading of the squid configs and documentation I could
find, it seemed like this would be possible. I have tried it, and it
doesn't seem to be working. I get the (apparently common) SSL 'CONNECT'
error:
clientNegotiateSSL: Error negotiating SSL connection on FD 11:
error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
(1/-1)
Is what I'm trying to do even possible with Squid? I'm using version
2.6.STABLE6 on Centos 5.2. I'd be happy to send my squid configs if
that'd help. Any help would be apprecaited ;-)
Justin Binns
Are you using squid as a regular forward-proxy? or as a reverse-proxy/CDN
for this system?
Amos
