Re: sslbump + DynamicSslCert + url_rewrite_program + NTLM authentication

On 11/02/11 01:40, Yonah Russ wrote:
Hi,

I've been using Squid 2.6/7 for a while as a redirecting proxy for
developers to preview their changes as if they are looking at
production websites.
Now I need to support rewriting SSL requests as well, and this has
brought me to investigate Squid 3.2/3.1.
As both of these seem very new and a lot seems to have changed, I'm
hoping you can help point me in the best direction.

I understand that 3.2 has the DynamicSSLCert feature and that a patch
exists for 3.1 as well - which would be the preferred way to implement
this for semi-production/internal users?
Is there any way to restrict which sites get bumped and which do not?

Yes.
http://www.squid-cache.org/Doc/config/ssl_bump/


I also understand that redirect_program has been replaced with
url_rewrite_program but the interface seems to be fairly backwards
compatible- any gotchas to look out for?

No. Same old problems. No significant changes there. Just additional error checking and reporting around mangled URLs and redirect status codes for certain requests.

Will the url_rewrite_program have access to the decrypted https
request? If so, will the rewrite program be able to rewrite the
request and still send it over HTTPS?

Good question. Don't know the answer though, sorry.

Though I think the answer is probably yes, the side effects are likely to be even worse than with HTTP since the SSL is closely tied to the URL and domain as realm.


Have there been changes in Active Directory integration for proxy
authentication? Currently I'm using NTLM and Basic
authentication + winbind, but not without issues.

On the NTLM auth side:
 * Some HTTP/1.1 improvements that make NTLM work better. Though still with problems. The later the version the better the background connection stability.
 * Microsoft have officially obsoleted NTLM and encourage Kerberos rollout. So do we. 3.2 will now use Kerberos on peer links as well.

On the Basic auth side:
 * 3.2 has had a large set of bug fixes


I understand there are some changes regarding SMP. Currently I run
multiple instances of Squid with different configurations (http_port,
redirect_program). Can I consolidate this any with the newer versions?

Yes. 3.2 has configuration options to make control and configuration of multiple instances MUCH easier.

I'd be interested in sharing the authentication helpers, but still
having different http/https ports and rewrite configurations.

Child processes and caches are not yet shared. Pretty much everything else can be shared or separated as you wish.

NP: if you want to go with 3.2, I'm about to release 3.2.0.5 within a few days.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.4
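As an added illustration of the url_rewrite_program side of this thread (example code, not Amos's reply or Squid project code): a minimal helper that rewrites only an allowlisted set of production hosts to a developer's preview host and preserves the URL scheme, so an https URL stays https. The request/reply line format, the hostnames and the --concurrent switch are assumptions based on the 3.1/3.2-era helper protocol, not taken from the post.

```python
#!/usr/bin/env python3
# Hypothetical Squid url_rewrite_program helper (not Squid project code).
# Assumes the 3.1/3.2-era helper protocol: one request per line,
#   [channel-ID] URL client_ip/fqdn ident method [urlgroup] key=value...
# and one reply per line: empty (leave the URL alone) or the new URL, both
# prefixed with the same channel-ID when url_rewrite_concurrency is in use.
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping: production hostname -> developer's preview host.
# Only hosts listed here are ever rewritten; everything else passes through.
PREVIEW_HOSTS = {
    "www.example.com": "dev1.example.internal",
    "api.example.com": "dev1-api.example.internal",
}

def rewrite_url(url: str) -> str:
    """Return the rewritten URL, or "" if Squid should leave it untouched.

    The scheme is preserved, so an https:// URL is still fetched over HTTPS
    from the preview host; port, path and query are kept, only the host changes.
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # raises on junk like ":abc"
    except ValueError:
        return ""                      # malformed URL: leave it alone
    if parts.scheme not in ("http", "https") or not host:
        return ""                      # CONNECT targets, junk: no change
    target = PREVIEW_HOSTS.get(host.lower())
    if target is None:
        return ""
    netloc = target if port is None else f"{target}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))

def handle_line(line: str, concurrent: bool = False) -> str:
    """Turn one helper request line into the reply line Squid expects."""
    fields = line.split()
    channel = ""
    if concurrent and fields:          # first field is the channel-ID
        channel, fields = fields[0], fields[1:]
    new_url = rewrite_url(fields[0]) if fields else ""
    return f"{channel} {new_url}".strip()

if __name__ == "__main__":
    concurrent = "--concurrent" in sys.argv[1:]
    for request in sys.stdin:          # Squid wants one unbuffered reply per line
        sys.stdout.write(handle_line(request, concurrent) + "\n")
        sys.stdout.flush()
```

Because the reply for an unlisted host is empty, the helper fails open to "no change", which is the safe default for a rewriter sitting in front of developers' traffic.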

