
Re: Squid Multiple SSL sites and Single IP solution


Hey Jesse,

From what I understood SNI is not fully supported by all browsers yet.
If you need the private key of the root CA to sign a certificate this is very bad for anything in CA's world.

The idea, as far as I know, is to use a signed certificate which will provide everything needed to validate and encrypt the needed data.

I have never used SNI but I heard about it.
I assume that if it's part of openssl it just means that it's good and secure.

Many providers use wildcard certificates, which for example Akamai and Amazon offer/use.

I think that less about the need for that option there is a need to encourage using more of the resources you have.

For now if there is a need for SNI nginx can provide the SSL part.

I was interested in comparison of nginx vs squid in the cache angle.
I know that squid "persistent" cache is better than nginx since nginx is not really 100% committed to being a "cache" but is more like a web server. It won't save headers and therefore the response will be different when fetched from source and when served from cache (persistent).

Regards,
Eliezer

On 11/5/2012 4:27 PM, Jesse Smith wrote:
Hello everyone, thought I'd share our recent endeavor about getting
Squid to work with multiple SSL domains (single set of certs and one IP).

We were able to get that working, but didn't do us much good as we had
to be our own Root CA. We didn't want to have to have the users download
our cert into their browser, just to use our site. In other words,
everything was to remain transparent.

It is impossible to use a Root CA (Commercial like Verisign), because
you would have to have their private key to sign the generated certs.

Our solution was to use the Nginx web server, which supports multiple
SSL domains using a single IP. The server also acts as a reverse proxy.
Nginx uses SNI to get this configuration working.

I only mention this as Squid should do the same and potentially make it
a priority as places are looking for this kind of configuration
increasingly.

Anyway, that's the story ... thanks for reading and hope it will provide
more insight to your own situation if using multiple SSL domains hosted
by a single IP.

Thanks



--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il

