Search squid archive

Re: forward proxy to reverse proxy to app

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 17/11/17 20:33, Bernhard Dübi wrote:
Hi,

I try to configure squid for a very special usecase but can't get it
to work. So, if you could give me some hints on how to do it right,
that would be great

Here's what I try to achieve:

the browser has proxy:8080 configured as manual proxy
from the browser I access some websites
when the request is plain http then the reply must be a redirect to https
when the request is https then the ssl connection must be termintaed
on the proxy and the request must be forwarded as http to the
application server


A forward/explicit proxy like yours is required to ensure that the security level of traffic remains unchanged across both client and server connections. Never downgraded without explicit knowledge by both endpoints. Bad problems ensue if you downgrade with either endpoint thinking it is secure end-to-end.



I know, I could just forget about ssl an go directly the app server
with http bt the customer insists on that particular setup

we use several domains like app1.doma.com, app2.domb.biz, app3.domc.org
in order to return the correct certificate for each request, I need a
dedicated ip:port combination for each certificate

That is only relevant for *reverse-proxy*, not a forward/explicit proxy like yours.

If you have a explicit TLS connection between the clients and Squid forward/explicit you only need a certificate confirming Squid's hostname to the client.

If you are using SSL-Bump to decrypt the HTTPS traffic Squid can auto-generate certificates on the client connection based on the upstream server cert details.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux