[squid-users] Accelerator Mode - HSTS and Redirect

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 23 03:03:56 UTC 2016


On 23/09/2016 12:45 p.m., creditu wrote:
> We have been using squid in accelerator mode for a number of years. In
> the current setup we have the squid frontends that send all the http
> requests to the backend apache webservers using a simple redirect
> script.  We need to switch to https for the public presence.

A redirect/rewrite script is very rarely a suitable way to do this for
reverse-proxy.

Use cache_peer to configure what backend servers exist and
cache_peer_access rules to determine which one(s) any given request can
be sent to.

The backends should be capable of accepting the traffic as if the proxy
were not there. If for some reason it has to have a different domain
name (actual need for this is rare), then the cache_peer forcedomain=
option can be used.

> 
> So, our initial thought would be to use https_port for public HTTPS
> presence and send the requests using cache_peer to the backend apache
> servers using plain http.  Basically terminating HTTPS from clients and
> relaying it to backend servers using HTTP.  
> 
> We will need to implement HSTS at some point (i.e.
> Strict-Transport-Security: max-age=8888; includeSubDomains; preload),
> will we be able to do this in the above scenario?
> 

Yes. Provided you can get rid of that redirect/rewrite script. The
background things cache_peer logic does to the traffic will be needed
for the HTTPS transition.


> Also, we will initially be providing both http and https, but will need
> to stop http at some point.  Is there a way to redirect the clients that
> try to connect via http to use https with squid?  Something like the
> rewrite engine in apache?

cache_peer can be configured to contact the peer over TLS. This can be
done individually, and before the HSTS gets added for public viewing.

> 
> We use RH 6.x which comes with squid 3.1.  Thanks for any feedback. 

For your particular use a build of that with OpenSSL support should be
okay. But if you can, an upgrade to a more recent version would be better
as there have been some important OpenSSL and TLS protocol changes since
3.1 was designed.
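The pieces Amos describes (https_port terminating TLS, cache_peer plus cache_peer_access instead of a rewrite script, a TLS-encrypted peer link, and the HSTS header) as one squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; it assumes a Squid 4.x build with OpenSSL (3.1 lacks reply_header_add and the tls peer options), and the hostnames, peer name and file paths are placeholders.

```conf
# Added example (Squid 4.x assumed). www.example.com, apache1.internal,
# the certificate paths and the peer name "apache1" are placeholders.

# Two public listeners; name= lets ACLs tell them apart.
http_port  80  accel defaultsite=www.example.com name=plain_port
https_port 443 accel defaultsite=www.example.com name=tls_port \
    tls-cert=/etc/squid/www.example.com.crt \
    tls-key=/etc/squid/www.example.com.key

# Backend declared as a peer rather than chosen by a rewrite script.
# Plain-HTTP variant (what the question proposes):
#   cache_peer apache1.internal parent 80 0 no-query originserver name=apache1
# TLS-to-backend variant, verified against an internal CA:
cache_peer apache1.internal parent 443 0 no-query originserver \
    tls tlscafile=/etc/squid/internal-ca.pem name=apache1

acl to_site  dstdomain   www.example.com
acl on_plain myportname  plain_port
acl on_tls   myportname  tls_port

# Clients arriving on port 80 get a 301 to the same host and path over
# https (%H and %R are the host and path macros of deny_info URLs).
deny_info 301:https://%H%R on_plain
http_access deny on_plain

http_access allow to_site
http_access deny all

# Route only the accelerated site to the backend; never go direct.
cache_peer_access apache1 allow to_site
cache_peer_access apache1 deny all
never_direct allow all

# HSTS only on responses sent over the TLS listener; the value is the
# one quoted in the question. Set a short max-age while testing, since
# browsers remember it and a mistake locks clients out of plain http.
reply_header_add Strict-Transport-Security \
    "max-age=8888; includeSubDomains; preload" on_tls
```

Once the backend is reachable only through the proxy, the same header can instead come from Apache and Squid will pass it through unchanged.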

Amos



More information about the squid-users mailing list