[squid-users] Does Squid support client ssl termination?
Grant Taylor
gtaylor at tnetconsulting.net
Tue Nov 1 16:44:48 UTC 2022
On 10/31/22 7:32 PM, mingheng wang wrote:
> Sorry about that, don't know why it only went to you.
Things happen. That's why I let people know, in case unwanted things
did happen.
> I delved into the configuration the last few days, and found that
> Squid doesn't officially support cache_peer when ssl_bump is in
> use.
That surprises me. I wonder if it's a technical limitation or an oversight.
> Actually, I can't find a single tool in the market that can
> just encrypt any HTTP connection, "converting" it to an HTTPS
> connection. I'm reading RFCs and documentation to write my own proxy.
That really surprises me.
It's not a general proxy, but this seems like something that stunnel
will do. (Either direction HTTPS <-> HTTP and HTTP <-> HTTPS.)
> This is what still confuses me. A reverse proxy is supposed to proxy
> a web site. At least that's what I learnt from Nginx and Haproxy's
> documentation. I'll read more on this when I have time.
I think of forward and reverse proxies as doing quite similar things
with the primary difference being where in the path they are and how
many sites will be accessed.
Forward: (C)---(P)---(Big Bad Internet)---------(S)
Reverse: (C)---------(Big Bad Internet)---(P)---(S)
Both take requests from clients and pass them to (what the proxy thinks
is) the server.
But with the forward proxy interfacing between relatively few clients
and significantly more servers.
Conversely the reverse proxy interfaces with significantly more clients
and relatively few servers.
The reverse proxy tends to be explicitly configured where servers are
while the forward proxy relies on standard name resolution to find them,
usually DNS.
So, on one level, what the forward and reverse proxy do is similar, but
how they do it is subtly different.
Then there's this:
Both: (C)---(P)---(Big Bad Internet)---(P)---(S)
Where in both a client side forward proxy /and/ a server side reverse
proxy are in use. }:-) This really is just both technologies being
independently used at each end.
> Very tough network environment. They can even somehow detect a
> confidential file going through the gateway, even with TLS.
I'm not going to ask questions.
--
Grant. . . .
unix || die
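As an added illustration of the stunnel suggestion above (not part of the thread and not stunnel's or Squid's own configuration), the two directions as two stunnel services; the hostnames, ports and file paths are assumed placeholders:

```ini
; Constructed stunnel configuration: plain HTTP <-> HTTPS in both directions.
; Global section (assumed paths).
foreground = yes
pid = /var/run/stunnel-proxy.pid

; Direction 1: accept plain HTTP locally, open TLS to an upstream HTTPS server
; (client mode). This is the "convert HTTP to HTTPS" case from the thread.
[http-to-https]
client = yes
accept = 127.0.0.1:8080
connect = upstream.example.com:443
; send SNI so the upstream selects the right certificate
sni = upstream.example.com
; Do not run this as a blind wrapper: validate the upstream certificate chain
; against a trusted CA bundle and check the name, otherwise any TLS endpoint
; on that address would be accepted.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = upstream.example.com

; Direction 2: terminate TLS from clients and hand plain HTTP to a local
; listener (server mode), e.g. Squid on its default port 3128.
[https-to-http]
accept = 0.0.0.0:8443
connect = 127.0.0.1:3128
; assumed server certificate (leaf plus chain) and private key
cert = /etc/stunnel/proxy.pem
key = /etc/stunnel/proxy.key
```

The server-mode section only makes the proxy itself reachable over TLS; it does not change how Squid handles ssl_bump or cache_peer for the traffic it then forwards.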