Thank you. Just want to make sure I understand before we dive in.

On Thu, Sep 22, 2016, at 09:03 PM, Amos Jeffries wrote:
> On 23/09/2016 12:45 p.m., creditu wrote:
> > We have been using squid in accelerator mode for a number of years. In
> > the current setup we have the squid frontends that send all the http
> > requests to the backend apache webservers using a simple redirect
> > script. We need to switch to https for the public presence.
>
> redirect/rewrite script is very rarely a suitable way to do this for
> reverse-proxy.
>
> Use cache_peer to configure what backend servers exist and
> cache_peer_access rules to determine which one(s) any given request can
> be sent to.
>
> The backends should be capable of accepting the traffic as if the proxy
> were not there. If for some reason it has to have a different domain
> name (actual need for this is rare), then the cache_peer forcedomain=
> option can be used.
>
> > So, our initial thought would be to use https_port for public HTTPS
> > presence and send the requests using cache_peer to the backend apache
> > servers using plain http. Basically terminating HTTPS from clients and
> > relaying it to backend servers using HTTP.
> >
> > We will need to implement HSTS at some point (i.e.
> > Strict-Transport-Security: max-age=8888; includeSubDomains; preload),
> > will we be able to do this in the above scenario.
>
> Yes. Provided you can get rid of that redirect/rewrite script. The
> background things cache_peer logic does to the traffic will be needed
> for the HTTPS transition.

We will get rid of the script, but I'm not sure I understand the rest of the statement. Can you elaborate? Since HSTS is only set when there is a secure connection, it seems that I would have to send to the backend via https and set the Strict-Transport . . . header on the backend Apache servers (ssl.conf) so the reply would be sent back to the Internet user via Squid?
> > Also, we will initially be providing both http and https, but will need
> > to stop http at some point. Is there a way to redirect the clients that
> > try to connect via http to use https with squid? Something like the
> > rewrite engine in apache?
>
> cache_peer can be configured to contact the peer over TLS. This can be
> done individually, and before the HSTS gets added for public viewing.

I'm sure I'm missing something here. What I will need to do is force Internet users who come to us via http to use https instead. Something like what happens when someone types http://www.google.com and gets sent to https://www.google.com. This is pretty simple going straight to an Apache server, but I haven't seen a way to do it directly with Squid.

In a very quick test on some non-production systems I sent an http request through the squid and did the redirect on the backend Apache server. I assume in the Apache config I would do something like this:

    <VirtualHost *:80>
        ServerName www.example.com
        Redirect permanent / https://SquidPublicIP/
    </VirtualHost>

Just trying to understand how this would work. Thanks Again.

> > We use RH 6.x which comes with squid 3.1. Thanks for any feedback.
>
> For your particular use a build of that with OpenSSL support should be
> okay. But if you can, an upgrade to more recent version would be better
> as there have been some important OpenSSL and TLS protocol changes since
> 3.1 was designed.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
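The setup discussed in this thread (https_port terminating TLS, cache_peer plus cache_peer_access instead of a rewrite helper, and the HTTP-to-HTTPS redirect done at the proxy rather than on Apache) as a squid.conf fragment. This is an added example, not configuration posted in the thread or shipped by the Squid project. The hostname www.example.com, the backend address 10.0.0.10, the port names and the certificate paths are assumed values; the "301:" status prefix on deny_info assumes Squid 3.2 or later (3.1, the version mentioned above, only issues a 302/307 for a URL deny_info, which is one more reason to take Amos' advice to upgrade).

```squid
# Added example, not from the thread or from Squid. Assumed values:
# www.example.com, backend 10.0.0.10, certificate paths, port names.
# Requires Squid 3.2+ for the "301:" prefix on deny_info.

# Public HTTPS presence: TLS is terminated here. SSLv2/SSLv3 disabled.
https_port 443 accel defaultsite=www.example.com vhost name=https443 cert=/etc/squid/certs/www.example.com.pem key=/etc/squid/certs/www.example.com.key options=NO_SSLv2,NO_SSLv3

# Plain-HTTP listener, kept only so that old links can be redirected.
http_port 80 accel defaultsite=www.example.com vhost name=http80

# Backend origin reached over plain HTTP (the poster's initial plan).
# cache_peer forwards the request as if Squid were not there; no
# redirect/rewrite helper is involved.
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=backend1

# Same backend over TLS instead, once the origins have certificates
# (Amos' "contact the peer over TLS"); swap this in for the line above.
#cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/certs/backend-ca.pem name=backend1

acl our_sites dstdomain www.example.com
acl plain_http myportname http80

# Only requests for our own sites may be routed to the backend.
cache_peer_access backend1 allow our_sites
cache_peer_access backend1 deny all

# HTTP -> HTTPS at the proxy: deny anything that arrived on port 80 and
# answer with a 301 to the same host (%H) and path (%R) over HTTPS.
# The deny must come before the allow for our_sites.
deny_info 301:https://%H%R plain_http
http_access deny plain_http

http_access allow our_sites
http_access deny all
```

With this in place the Strict-Transport-Security header can be emitted by the backend Apache vhost, as the poster suggests; since only the HTTPS listener ever reaches the backend for content, the header is never sent on a plain-HTTP reply, which is the condition HSTS requires. Newer Squid releases also offer a reply_header_add directive that could set it at the proxy instead, but that is outside what this thread covers.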