SSL and Squid


SSL and Squid

Michael Puckett-2
I have a 2 level squid setup. Several top level parent cache servers
which connect to the internet with multiple child servers supporting my
internal subnets. Is it possible to configure the top level servers to
use SSL over the internet and cache the objects locally while allowing
the child servers to operate internally with no SSL requirement?

What I desire is to be able to obtain the benefit of caching objects
locally while transferring them over the internet via SSL. So the
CONNECT method would occur between the top level and the origin server
only while allowing the objects to be cached normally within my cache
servers.

Is this possible? If so, would it also be possible to set up an ACL on
the parent servers that indicates which domains should use SSL connections?

-mikep

Re: SSL and Squid

Henrik Nordström
On Wed 2007-06-06 at 10:26 -0700, Michael Puckett wrote:
> I have a 2 level squid setup. Several top level parent cache servers
> which connect to the internet with multiple child servers supporting my
> internal subnets. Is it possible to configure the top level servers to
> use SSL over the internet and cache the objects locally while allowing
> the child servers to operate internally with no SSL requirement?

Yes, but with limitations.

a) If your clients send https:// URLs to Squid using HTTP (not CONNECT)
then the Squid closest to the origin server will wrap them up in SSL.

b) For selected sites you can have Squid act as an accelerator, so that
even if the client requests http://some.site/ squid will still wrap the
request in SSL. See the cache_peer (and cache_peer_access) directive.

c) It's also possible to do 'b' by using an url rewriter/redirector to
rewrite the request from http:// to https:// on the fly.

Regards
Henrik

Re: SSL and Squid

Michael Puckett-2
Henrik Nordstrom wrote:

> On Wed 2007-06-06 at 10:26 -0700, Michael Puckett wrote:
>  
>> I have a 2 level squid setup. Several top level parent cache servers
>> which connect to the internet with multiple child servers supporting my
>> internal subnets. Is it possible to configure the top level servers to
>> use SSL over the internet and cache the objects locally while allowing
>> the child servers to operate internally with no SSL requirement?
>>    
>
> Yes, but with limitations.
>
> a) If your clients send https:// URLs to Squid using HTTP (not CONNECT)
> then the Squid closest to the origin server will wrap them up in SSL.
>  
The intention would be that the clients should not even know that the
top level was using SSL to the origin servers. The clients would make a
regular http:// access. Of course, if the client does use https://
accesses then the CONNECT tunneling through the cache servers would be
expected.
> b) For selected sites you can have Squid act as an accelerator, so that
> even if the client requests http://some.site/ squid will still wrap the
> request in SSL. See the cache_peer (and cache_peer_access) directive.
>  
What do you mean by "act as an accelerator"? Just the regular proxy
caching? If so, this sounds like what I am after.
> c) It's also possible to do 'b' by using an url rewriter/redirector to
> rewrite the request from http:// to https:// on the fly.
>  
What would be the advantage of using a url rewriter?

Best regards,

-mikep

Re: SSL and Squid

Henrik Nordström
On Wed 2007-06-06 at 16:05 -0700, Michael Puckett wrote:

> The intention would be that the clients should not even know that the
> top level was using SSL to the origin servers. The clients would make a
> regular http:// access. Of course, if the client does use https://
> accesses then the CONNECT tunneling through the cache servers would be
> expected.

> What do you mean by "act as an accelerator"? Just the regular proxy
> caching? If so, this sounds like what I am after.

In the context it means that Squid knows about the origin servers, and
that SSL needs to be used to talk to these specific origin servers.

See the cache_peer directive.

> > c) It's also possible to do 'b' by using an url rewriter/redirector to
> > rewrite the request from http:// to https:// on the fly.
   
> What would be the advantage of using a url rewriter?

That no other configuration is needed in Squid I guess...

Regards
Henrik

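A squid.conf sketch of Henrik's option 'b' for the internet-facing parent, added here as an illustration; it is not from the thread or from the Squid project. The hostnames, the peer name `vendor_ssl` and the ACL name `ssl_origins` are made up, and the option spellings follow the cache_peer documentation of the Squid 2.6/3.x releases current at the time of the thread.

```squid
# ---- Internet-facing parent: squid.conf (added example, made-up names) ----

# Origin servers that must be reached over SSL even when clients ask for http://
acl ssl_origins dstdomain .intranet-vendor.example

# Declare the origin itself as a parent peer:
#   originserver  - the peer is the web server, not another proxy
#   ssl           - wrap the connection to it in SSL
#   sslcafile=    - CA bundle used to verify the origin's certificate
# Port 443 is the origin's HTTPS port; ICP port 0 plus no-query disables ICP.
# One cache_peer line is needed per origin host.
cache_peer www.intranet-vendor.example parent 443 0 no-query originserver ssl \
    sslcafile=/etc/squid/ca-bundle.pem name=vendor_ssl

# Only requests for the listed domains may be sent to this peer ...
cache_peer_access vendor_ssl allow ssl_origins
cache_peer_access vendor_ssl deny all

# ... and those requests must never bypass the peer and hit the origin in plain HTTP.
never_direct allow ssl_origins

# ---- Internal child caches: nothing SSL-specific, plain HTTP to the parent ----
# cache_peer parent.proxy.internal.example parent 3128 3130 default
# never_direct allow all
```

Because the clients and child caches still request http:// URLs, the objects are stored and served under those URLs and only the parent's hop to the origin is encrypted, which is the split the original question asks for.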