On 9/10/2015 11:42 a.m., Manuel wrote:
> Hi,
>
> I am thinking about the idea of using Squid as a reverse proxy on https
> (also on http), doing some caching and connecting to a SSL cache_peer and a
> non SSL cache_peer depending on the address (e.g. login related addresses
> would use the SSL cache_peer).
>
> The goal is to make faster the browsing experience of the website by not
> encrypting and decrypting on both the reverse proxy and the webserver
> requests that do not need to be secured on the reverse proxy-webserver side.
> Of course this could be done too on part of the server-client connections
> but it would give a lot of problems such as web browsers alerts changing
> from HTTPS to HTTP, similar alerts because of partial content on HTTPS, HTTP
> would be worse for SEO too, safety risks sending login POST data from HTTP
> to HTTPS, etc.
>
> This approach makes me wonder the following questions and I would like to
> confirm my thoughts:
>
> - Can squid acting as a reverse proxy deal with caching with SSL similar
> than it can do it without SSL? In any combination https_port accel and
> cache_peer ssl; https_port accel and cache_peer (not ssl); http_port accel
> and cache_peer ssl; http_port and cache_peer (not ssl)?
>
> My understanding is that, yes, it can do it and that Squid get the content
> from the cache_peer (encrypted if ssl), decrypt it if encrypted and store it
> always not encrypted. Am I right?
>
> - Can Squid use a SSL cache_peer just for specific addresses of the same
> website/domain and a non SSL cache_peer for the rest of the addresses on the
> same website/domain?
>
> My understanding is that such a thing would be possible setting those two
> different named cache_peers, one on port 443 with the ssl option and the
> other on port 80; and then using acl urlpath_regex to choose what cache_peer
> to use. Is that correct?
>

Yes, and no.

There is no complication about whether things have arrived over a TCP
connection vs TLS connection. They are just connections with different URL
schemes to a reverse-proxy.

The client and server connections in HTTP are independent. Caching depends
only on the message itself. What type of connection it was received over is
irrelevant.

FYI:
1) TLS (or SSL) is just a transport protocol to Squid, like TCP.
2) HTTPS is just HTTP transferred over a TLS connection.

All your questions come back to those details.

Amos
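
The layout discussed in this thread, written out as a squid.conf sketch. It is an added example, not configuration posted by either participant or taken from the Squid project. Host names, certificate paths and the path patterns are placeholders, and the directive spellings assume Squid 3.x, where the cache_peer option is called `ssl` as in the question.

```conf
# Added example: every name, path and pattern below is a placeholder.

# Client side: the same site accepted over TLS and over plain TCP.
# To Squid these are just two listening ports for one reverse-proxied site.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/site.pem key=/etc/squid/site.key
http_port 80 accel defaultsite=www.example.com

# Server side: one origin reached two ways.
# name= is needed because both entries point at the same host.
cache_peer origin.example.internal parent 443 0 no-query originserver ssl name=origin_tls
cache_peer origin.example.internal parent 80 0 no-query originserver name=origin_plain

# Requests that must stay encrypted on the proxy-to-origin hop
# (constructed patterns; list the site's real login paths here).
acl secure_paths urlpath_regex ^/login ^/account
acl our_site dstdomain www.example.com

# Peer selection by URL path. Each peer ends with an explicit rule so a
# login request can never fall through to the plain-TCP peer.
cache_peer_access origin_tls allow secure_paths
cache_peer_access origin_tls deny all
cache_peer_access origin_plain deny secure_paths
cache_peer_access origin_plain allow all

# Never bypass the peers and contact an origin directly.
never_direct allow all

# Serve only the accelerated site.
http_access allow our_site
http_access deny all

# Which peer or port carried a message plays no part in caching: a response
# fetched over the TLS peer is cached (or not) on its own headers, exactly
# like one fetched over the plain peer.
```

Because cacheability is decided from the message alone, responses on the login paths need suitable Cache-Control headers from the origin if they must not be stored.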