[squid-users] Add header to SSL requests to my own domain using my domains certs

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 16 22:01:21 UTC 2015


On 16/02/2015 3:38 p.m., James Beecham wrote:
> Hi Amos,
> 
> Thank you for your reply.
> 
> The information I need to apply to the header is client-specific,
> e.g. their internal IP address.
> 
> The issue I am facing is that the network that is hosting the web
> services is different from the network that the clients are
> accessing it from. So my Squid instances live at the client site
> and they access the web services out of a data center.
> 
> I need to know the client's internal IP at the data center for a
> number of reasons. Therefore, if I am understanding your suggestion
> correctly, the reverse SSL proxy would not work, as the Squid reverse
> proxy needs to be on the same internal network/VLAN as the
> destination host to function?
> http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate

No.

A reverse-proxy only needs the client looking up the domain in DNS
to find where it is, and the cert it offers to be valid for the domain.

The connection between the proxy and origin server is
explicitly/manually configured at the proxy, so it does not matter where
it's going to.

Think of how the major CDN operators put their gateway proxies out
around the world in or near ISP networks then do something special
from that proxy to where the hosted site actually is.

> 
> Essentially what I have is the client's internal IP at the client
> site, which with HTTP only used to allow me to pack the internal
> IP into the HTTP header via 'request_header_add'. Now, I still need
> to get the internal IP into the HTTPS request so that the web
> services can operate as normal. Whether the client's internal IP is
> in the header or a part of each request (query param) doesn't really
> matter, just how can I get the internal IP to the server without
> disrupting the normal browsing activity of our users?


This is what the X-Forwarded-For/Forwarded HTTP headers are for.
Set "forwarded_for on" in squid.conf of the gateway proxy the clients
connect to, and the same or "forwarded_for transparent" on any
internal squid proxies it goes across within your network.

Amos
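One way the data-center service could read the X-Forwarded-For header that "forwarded_for on" produces, as an added example (not part of the original mail and not Squid's own code). The proxy addresses, the sample header values and the function name client_ip are assumptions; because any client can send its own X-Forwarded-For, the header is honoured only when the connection comes from a known proxy, and the list is read from the right.

```python
import ipaddress

# Constructed addresses (assumptions): the gateway Squid as seen by the
# data center, plus one internal Squid the request may cross first.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.10/32"),  # gateway proxy at client site
    ipaddress.ip_network("10.0.0.5/32"),      # internal proxy behind it
]


def _is_trusted(addr, trusted):
    """True if addr falls inside one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client address the origin server should record.

    peer_ip    -- source address of the TCP connection to the origin
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header arriving from anything but our own proxies is client-supplied
    # data and is ignored entirely.
    if not xff_header or not _is_trusted(peer, trusted):
        return str(peer)

    candidate = peer
    # Each proxy appends the address it saw, so the rightmost entries are
    # the ones written by our own proxies. Walk right to left and stop at
    # the first address that is not one of them.
    for token in reversed([t.strip() for t in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            # e.g. "unknown", which Squid sends with forwarded_for off
            break
        candidate = hop
        if not _is_trusted(hop, trusted):
            break
    return str(candidate)
```

Anything to the left of the first untrusted address was supplied by the client itself and should be treated as unverified if it is logged at all.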
