On 11/02/11 01:40, Yonah Russ wrote:
> Hi,
> I've been using Squid 2.6/7 for a while as a redirecting proxy for
> developers to preview their changes as if they are looking at
> production websites.
> Now I need to support rewriting SSL requests as well and this has
> brought me to investigate Squid 3.2/3.1
> As both of these seem very new and a lot seems to have changed, I'm
> hoping you can help point me in the best direction.
> I understand that 3.2 has the DynamicSSLCert feature and that a patch
> exists for 3.1 as well - which would be the preferred way to implement
> this for semi production/internal users?
> Is there any way to restrict which sites get bumped and which do not?

Yes.
http://www.squid-cache.org/Doc/config/ssl_bump/

> I also understand that redirect_program has been replaced with
> url_rewrite_program but the interface seems to be fairly backwards
> compatible - any gotchas to look out for?

No. Same old problems. No significant changes there. Just additional
error checking and reporting around mangled URLs and redirect status
codes for certain requests.

> Will the url_rewrite_program have access to the decrypted https
> request? If so, will the rewrite program be able to rewrite the
> request and still send it over HTTPS?

Good question. Don't know the answer though, sorry.
Though I think the answer is probably yes, the side effects are likely
to be even worse than with HTTP since the SSL is closely tied to the URL
and domain as realm.

> Have there been changes in Active Directory integration for proxy
> authentication? Currently I'm using NTLM and Basic
> authentication+winbind but not without issues.

On the NTLM auth side:
* Some HTTP/1.1 improvements that make NTLM work better. Though still
with problems. The later the version the better the background
connection stability.
* Microsoft have officially obsoleted NTLM and encourage Kerberos
rollout. So do we. 3.2 will now use Kerberos on peer links as well.
On the Basic auth side:
* 3.2 has had a large set of bug fixes

> I understand there are some changes regarding SMP. Currently I run
> multiple instances of Squid with different configurations (http_port,
> redirect_program). Can I consolidate this any with the newer versions?

Yes. 3.2 has configuration options to make control and configuration of
multiple instances MUCH easier.

> I'd be interested in sharing the authentication helpers, but still
> having different http/https ports and rewrite configurations.

Child processes and caches are not yet shared. Pretty much everything
else can be shared or separated as you wish.
NP: if you want to go with 3.2, I'm about to release 3.2.0.5 within a
few days.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.4
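
A helper for the url_rewrite_program interface discussed in this thread, added here as an example; it is not code from either poster or from the Squid project. It assumes the classic one-line-per-request helper format of the Squid versions discussed (URL as the first field, an empty reply meaning "no change", no concurrency channel ID), and the host mapping and hostnames are constructed.

```python
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping (assumption): production host -> preview host.
PREVIEW_HOSTS = {"www.example.com": "preview.example.internal"}

def rewrite_line(line):
    """Reply for one helper input line; '' tells Squid to leave the URL alone."""
    fields = line.split()
    if not fields:
        return ""
    try:
        parts = urlsplit(fields[0])
        host, port = parts.hostname, parts.port
    except ValueError:          # malformed port or bracketed host
        return ""
    # CONNECT lines carry host:port, not a URL, and are left unchanged here too.
    if parts.scheme not in ("http", "https") or not host:
        return ""
    target = PREVIEW_HOSTS.get(host)   # exact match only, no suffix matching
    if target is None:
        return ""
    netloc = target if port is None else "%s:%d" % (target, port)
    # Keep scheme, path and query; drop any userinfo and fragment.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))

def main():
    # One reply line per request line; flush so Squid is never left waiting.
    for line in sys.stdin:
        sys.stdout.write(rewrite_line(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

The helper keeps the original scheme, so an https:// URL is rewritten to an https:// URL on the preview host; whether Squid passes it decrypted URLs at all is the open question in the thread above.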