[squid-users] Accelerator Mode - HSTS and Redirect

squid at buglecreek.com squid at buglecreek.com
Fri Sep 23 22:25:20 UTC 2016 

Thank you.  Just want to make sure I understand before we dive in.

On Thu, Sep 22, 2016, at 09:03 PM, Amos Jeffries wrote:
> On 23/09/2016 12:45 p.m., creditu wrote:
> > We have been using squid in accelerator mode for a number of years. In
> > the current setup we have the squid frontends that send all the http
> > requests to the backend apache webservers using a simple redirect
> > script.  We need to switch to https for the public presence.
> 
> redirect/rewrite script is very rarely a suitable way to do this for
> reverse-proxy.
> 
> Use cache_peer to configure what backend servers exist and
> cache_peer_access rules to determine which one(s) any given request can
> be sent to.
> 
> The backends should be capable of accepting the traffic as if the proxy
> were not there. If for some reason it has to have a different domain
> name (actual need for this is rare), then the cache_peer forcedomain=
> option can be used.
> > 
> > So, our initial thought would be to use https_port for public HTTPS
> > presence and send the requests using cache_peer to the backend apache
> > servers using plain http.  Basically terminating HTTPS from clients and
> > relaying it to backend servers using HTTP.  
> > 
> > We will need to implement HSTS at some point (i.e.
> > Strict-Transport-Security: max-age=8888; includeSubDomains; preload),
> > will we be able to do this in the above scenario.
> 
> Yes. Provided you can get rid of that redirect/rewrite script. The
> background things cache_peer logic does to the traffic will be needed
> for the HTTPS transition.

We will get rid of the script, but, not sure I understand the rest of
the statement.  Can you elaborate?  Since  HSTS is only set when there
is a secure connection it seems that I would have send to the backend
via https and set the Strict-Transport . . . header on the backend
Apache servers (ssl.conf) so the reply would be sent back to the
Internet user via Squid?    
> 
> > Also, we will initially be providing both http and https, but will need
> > to stop http at some point.  Is there a way to redirect the clients that
> > try to connect via http to use https with squid?  Something like the
> > rewrite engine in apache?
> 
> cache_peer can be configured to contact the peer over TLS. This can be
> done individually, and before the HSTS gets added for public viewing.

I'm sure I'm missing something here.  What I will need to do is force
Internet users who come to us over via http to use https instead. 
Something like what happens when someone types http://www.google.com
they get sent to https://www.google.com. This is pretty simple going
straight to an Apache server, but I haven't seen a way to do it directly
with Squid.  In a very quick test on some non-production systems I sent
a http request through the squid and did the redirect on the backend
Apache server.  I assume in the Apache config I would do something like
this:

VirtualHost *:80>
   ServerName www.example.com
   Redirect permanent / https://SquidPublicIP/
</VirtualHost>

 Just trying to understand how this would work.  Thanks Again. 
> > 
> > We use RH 6.x which comes with squid 3.1.  Thanks for any feedback. 
> 
> For your particular use a build of that with OpenSSL support should be
> okay. But if you can, an upgrade to more recent version would be better
> as there have been some important OpenSSL and TLS protocol changes since
> 3.1 was designed.
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list