[squid-users] Accelerator Mode - HSTS and Redirect
squid at buglecreek.com
Fri Sep 23 22:25:20 UTC 2016
Thank you. Just want to make sure I understand before we dive in.
On Thu, Sep 22, 2016, at 09:03 PM, Amos Jeffries wrote:
> On 23/09/2016 12:45 p.m., creditu wrote:
> > We have been using squid in accelerator mode for a number of years. In
> > the current setup we have the squid frontends that send all the http
> > requests to the backend apache webservers using a simple redirect
> > script. We need to switch to https for the public presence.
>
> redirect/rewrite script is very rarely a suitable way to do this for
> reverse-proxy.
>
> Use cache_peer to configure what backend servers exist and
> cache_peer_access rules to determine which one(s) any given request can
> be sent to.
>
> The backends should be capable of accepting the traffic as if the proxy
> were not there. If for some reason it has to have a different domain
> name (actual need for this is rare), then the cache_peer forcedomain=
> option can be used.
> >
> > So, our initial thought would be to use https_port for public HTTPS
> > presence and send the requests using cache_peer to the backend apache
> > servers using plain http. Basically terminating HTTPS from clients and
> > relaying it to backend servers using HTTP.
> >
> > We will need to implement HSTS at some point (i.e.
> > Strict-Transport-Security: max-age=8888; includeSubDomains; preload),
> > will we be able to do this in the above scenario.
>
> Yes. Provided you can get rid of that redirect/rewrite script. The
> background things cache_peer logic does to the traffic will be needed
> for the HTTPS transition.
We will get rid of the script, but I'm not sure I understand the rest of
the statement. Can you elaborate? Since HSTS is only set when there
is a secure connection, it seems that I would have to send to the backend
via https and set the Strict-Transport . . . header on the backend
Apache servers (ssl.conf) so the reply would be sent back to the
Internet user via Squid?
>
> > Also, we will initially be providing both http and https, but will need
> > to stop http at some point. Is there a way to redirect the clients that
> > try to connect via http to use https with squid? Something like the
> > rewrite engine in apache?
>
> cache_peer can be configured to contact the peer over TLS. This can be
> done individually, and before the HSTS gets added for public viewing.
I'm sure I'm missing something here. What I will need to do is force
Internet users who come to us via http to use https instead.
Something like what happens when someone types http://www.google.com:
they get sent to https://www.google.com. This is pretty simple going
straight to an Apache server, but I haven't seen a way to do it directly
with Squid. In a very quick test on some non-production systems I sent
an http request through the squid and did the redirect on the backend
Apache server. I assume in the Apache config I would do something like
this:
<VirtualHost *:80>
    ServerName www.example.com
    # Bounce every plain-HTTP request to the HTTPS front end
    Redirect permanent / https://SquidPublicIP/
</VirtualHost>
Just trying to understand how this would work. Thanks Again.
> >
> > We use RH 6.x which comes with squid 3.1. Thanks for any feedback.
>
> For your particular use a build of that with OpenSSL support should be
> okay. But if you can, an upgrade to more recent version would be better
> as there have been some important OpenSSL and TLS protocol changes since
> 3.1 was designed.
>
> Amos
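Putting Amos's advice into one configuration, as an added example that is not from the thread or the Squid project: https_port terminates TLS, cache_peer/cache_peer_access replace the redirect script for backend selection, and the http-to-https bounce is done in Squid itself with http_access deny plus a deny_info URL, so the plain-HTTP listener never forwards anything to Apache. The hostname www.example.com, the backend address 10.0.0.10, the certificate paths and the ACL names are assumptions; so is the availability of the %H (request host) and %R (request path) tags in deny_info URLs on the installed Squid version, which should be checked against that version's squid.conf.documented.

```conf
# Added example squid.conf for an accelerator that terminates TLS and
# talks plain HTTP to the Apache origin. Names and paths are assumptions.

# --- Public listeners -------------------------------------------------------
# TLS terminates at Squid; the backend never sees the client's TLS session.
https_port 443 accel defaultsite=www.example.com vhost cert=/etc/squid/certs/www.example.com.crt key=/etc/squid/certs/www.example.com.key

# Plain-HTTP listener, kept only long enough to bounce old links to HTTPS.
http_port 80 accel defaultsite=www.example.com vhost

# --- Backend ----------------------------------------------------------------
# The Apache origin, reached over plain HTTP on the internal network.
# It answers for www.example.com itself; Squid does no URL rewriting.
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=apache_www

# --- ACLs -------------------------------------------------------------------
acl our_sites dstdomain www.example.com
# Matches requests that arrived on the port-80 listener.
acl via_plain_http myport 80

# --- Force HTTPS ------------------------------------------------------------
# Deny everything that arrived on port 80 and turn the denial into a 301
# to the same host and path over HTTPS. These requests never reach the
# backend, so Apache only ever answers requests that were HTTPS at the edge.
# Assumes %H and %R are supported in deny_info URLs on this Squid version.
http_access deny our_sites via_plain_http
deny_info 301:https://%H%R via_plain_http

# --- Routing ----------------------------------------------------------------
http_access allow our_sites
http_access deny all
cache_peer_access apache_www allow our_sites
cache_peer_access apache_www deny all

# Never bypass the peer and fetch from the public name directly.
never_direct allow all
```

With this layout the HSTS header is emitted by the backend, not by Squid: Squid 3.1 has no directive for adding reply headers, but it passes the origin's headers through, so a mod_headers line such as `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` on the Apache vhost that Squid talks to is enough. It can be unconditional there because every request Apache receives was HTTPS at the edge, and browsers ignore the header on plain http anyway. Two caveats for the bounce target: redirect to the public hostname the certificate covers rather than to the proxy's IP address, since HSTS policy is keyed by hostname and a certificate for the name will not match an IP; and if the header is meant for the preload list, check hstspreload.org for the current minimum max-age, which is far larger than 8888 seconds.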