
Re: Proxy and cache of SSL with client auth?

Hmm.  I guess I'm not describing what I want to do clearly enough.

The purpose is, as you say, to shove a caching proxy in between the clients and the server. What I can quite happily do is give the proxy its own certificate that is trusted by the server - essentially delegating responsibility for file distribution to the proxy. Then the proxy can authenticate the clients and serve the cached data. The thing I can't seem to make work is getting squid to use a cert when it is trying to establish a connection to the up-stream server...

Thanks again for any help ;-)

Justin

Matus UHLAR - fantomas wrote:
This may sound insane, but here goes.  I've got a file distribution
system that relies on client certificate authentication through SSL
(https) to authenticate clients prior to delivery of files.  Typical
apache with ssl and client cert setup.  I have reached a situation,
however, where it would be convenient to create a tiered system of
caches of said files.  My thought was to use squid to do this as follows:

On 20.05.09 11:35, Justin Binns wrote:
I had thought of this as a forward-proxy, because the clients and the proxy server are all on the same network, and the proxy is providing caching for the clients. The purpose of this is to reduce bandwidth - let me provide a more thorough concrete description of the application.

So, your users are authenticating with SSL onto webserver that provides some
files. You want to push proxy in the middle, that would authenticate using
their certificates instead of users. That means that the proxy must know
their private SSL keys. In such case the SSL authentication is useless, or
better: makes it impossible. Ordinary authentication is needed.
So, this one auth scheme must be used:

proxy does have the file but provides it to the client only if the client
passes correct auth info, which is sent to server by the proxy, and server
replies either with 4xx code, which means proxy won't pass cached object to
the client, or server replies with 302 "not modified" code, so the proxy
passes the object to client (alternatively, server replies 200 OK, sends the
object to the proxy...)

Now the question is if HTTP allows that (hopefully yes), and if your server
supports the 302 reply code.
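An added illustration of the delegated-certificate arrangement Justin describes (not from the original thread and not Squid project code): Squid terminates the clients' TLS on an https_port, verifies their certificates against the local client CA, and presents its own certificate to the upstream Apache via a cache_peer, so no user private key ever has to live on the proxy. All paths, hostnames, the peer name and the user_cert attribute/value are assumed placeholders.

```squid
# Added example (not from the thread): squid.conf fragment for a caching
# proxy that authenticates clients itself and holds a delegated certificate.
# Every path, hostname and name below is a placeholder.

# Accept HTTPS from clients. cert/key is the proxy's server identity
# towards the clients; clientca/cafile name the CA whose client
# certificates are requested and verified.
https_port 3129 cert=/etc/squid/proxy-server.pem key=/etc/squid/proxy-server.key \
    clientca=/etc/squid/client-ca.pem cafile=/etc/squid/client-ca.pem

# Only clients that presented a verified certificate from the expected
# organisation get anything; clients with no certificate fail the acl.
# (Assumption: attribute/value form of the user_cert acl; adjust to the
# subject layout your CA actually issues.)
acl tls_clients user_cert O ExampleOrg
http_access allow tls_clients
http_access deny all

# The upstream Apache as an SSL parent. sslcert/sslkey is the proxy's own
# client certificate, the one the server has been told to trust in place
# of the individual user certificates.
cache_peer files.example.com parent 443 0 no-query originserver ssl \
    sslcert=/etc/squid/proxy-client.pem sslkey=/etc/squid/proxy-client.key \
    sslcafile=/etc/squid/server-ca.pem name=upstream

# Route every request through that parent; never contact origins directly.
cache_peer_access upstream allow all
never_direct allow all
```

These are the Squid 2.6/3.0-era option spellings current at the time of the thread; later Squid releases rename the cache_peer ssl options to their tls-cert= / tls-key= forms, so check the cache_peer section of the squid.conf documentation for your version.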
