On 17/11/17 20:33, Bernhard Dübi wrote:
> Hi,
> I try to configure squid for a very special usecase but can't get it to work. So, if you could give me some hints on how to do it right, that would be great.
> Here's what I try to achieve:
> the browser has proxy:8080 configured as manual proxy
> from the browser I access some websites
> when the request is plain http then the reply must be a redirect to https
> when the request is https then the ssl connection must be terminated on the proxy and the request must be forwarded as http to the application server
A forward/explicit proxy like yours is required to ensure that the security level of traffic remains unchanged across both client and server connections. Never downgraded without explicit knowledge by both endpoints. Bad problems ensue if you downgrade with either endpoint thinking it is secure end-to-end.
> I know, I could just forget about ssl and go directly to the app server with http but the customer insists on that particular setup.
> we use several domains like app1.doma.com, app2.domb.biz, app3.domc.org
> in order to return the correct certificate for each request, I need a dedicated ip:port combination for each certificate
That is only relevant for *reverse-proxy*, not a forward/explicit proxy like yours.
If you have an explicit TLS connection between the clients and Squid forward/explicit you only need a certificate confirming Squid's hostname to the client.
If you are using SSL-Bump to decrypt the HTTPS traffic Squid can auto-generate certificates on the client connection based on the upstream server cert details.
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
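As an added illustration of the SSL-Bump behaviour Amos describes (not configuration from the thread or from the Squid project), here is a minimal explicit-proxy squid.conf fragment for Squid 3.5/4 that decrypts client HTTPS and re-encrypts to the origin, so the security level is not downgraded. The CA file path and the helper path are assumptions; adjust them to your distribution's layout.

```squid
# Added example, not part of the original reply.
# Assumed: a local CA certificate+key in one PEM file at /etc/squid/bumpca.pem
# (hypothetical path); clients must have this CA installed in their trust store,
# otherwise every bumped site shows a certificate warning.
# Explicit proxy port, as in the browser's "manual proxy" setting (proxy:8080).
http_port 8080 ssl-bump \
  cert=/etc/squid/bumpca.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB

# Helper that mints a per-site certificate, mimicking the upstream server cert.
# Squid 3.5 ships it as ssl_crtd, Squid 4 as security_file_certgen (path assumed).
# Initialise the database once before starting Squid, e.g.:
#   /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek at the client's TLS ClientHello (SNI) first, then bump.
# Squid keeps HTTPS towards the origin server; nothing is forwarded as plain
# HTTP, which is the downgrade Amos warns against.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

Any site whose certificate Squid cannot validate upstream will fail the bump by default, which is the safe behaviour to keep.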