Re: reverse proxying of ssl
> On Wed, 2002-06-19 at 18:43, Lance Levsen wrote: > > > Best case scenario is a single certificate authenticated to the > > proxy box, for external connections. Chances are I'll end up > > hoping that Squid 2.5 allows for multiple SSL certs on the same > > port so then I can ssl all the websites off the proxy. > > If you're lucky and all of the sites are in the same domain then you > could use a wildcard certificate. > > Fraser That's doable and I never knew you could get *.x.xx certs. Thank you. Cheers, -- Lance Levsen, Systems Administrator, PWGroup - Saskatoon -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: reverse proxying of ssl-UPDATE
Went to #apache and was received very nicely by the natives. They say the magic is in apache2 or latest mod_ssl of 1.3.26 i dl'd made and made installed it and voila. it does the trick...very very very nice... (have NOT tested IIS yet) Alex El mié, 19-06-2002 a las 16:43, Lance Levsen escribió: > > > I want this: > > > > ssl-certificate <--fw--> apache (whatever) reverse proxy <-->client > > holding IIS > > > > > > Is this possible?? For me to reverse proxy a ssl server??? I dont > > care if the proxy is accessed as http or https, i just want it to work > > this way... > > > > Alex > > Heh, funny this should come up. I'm in the process of figuring > it out myself. > > My setup is a bit different though: > > Multiple Apache Boxes <--> reverse proxy w/ redirector <--> > fw <-> client. > > Right now the fw port forwards 80 to the r.proxy, the redirector > rewrites the body of the request for the correct internal > machine. Obviously an ssl encrypted body can't be rewritten (or > parsed for that matter) so I have to decrypt it at the proxy. > > Squid 2.5 allows you to set https_port with a certificate. This > will encrypt the session between the client and the proxy. I'm > less worried about the internal network. The problem of course > lies in the redirector and the signed cert for the web sites. Do > I just get one signed for the proxy machine, or do I need > multiple certs for all the websites (and if so, can more then > one cert be assigned to the same port and will squid know which > to use?) > > Best case scenario is a single certificate authenticated to the > proxy box, for external connections. Chances are I'll end up > hoping that Squid 2.5 allows for multiple SSL certs on the same > port so then I can ssl all the websites off the proxy. > > Cheers, > > -- > Lance Levsen, > Systems Administrator, > PWGroup - Saskatoon > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: reverse proxying of ssl
> On Wed, 2002-06-19 at 18:43, Lance Levsen wrote: > > > Best case scenario is a single certificate authenticated to the > > proxy box, for external connections. Chances are I'll end up > > hoping that Squid 2.5 allows for multiple SSL certs on the same > > port so then I can ssl all the websites off the proxy. > > If you're lucky and all of the sites are in the same domain then you > could use a wildcard certificate. > > Fraser That's doable and I never knew you could get *.x.xx certs. Thank you. Cheers, -- Lance Levsen, Systems Administrator, PWGroup - Saskatoon -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: reverse proxying of ssl-UPDATE
Went to #apache and was received very nicely by the natives. They say the magic is in apache2 or latest mod_ssl of 1.3.26 i dl'd made and made installed it and voila. it does the trick...very very very nice... (have NOT tested IIS yet) Alex El mié, 19-06-2002 a las 16:43, Lance Levsen escribió: > > > I want this: > > > > ssl-certificate <--fw--> apache (whatever) reverse proxy <-->client > > holding IIS > > > > > > Is this possible?? For me to reverse proxy a ssl server??? I dont > > care if the proxy is accessed as http or https, i just want it to work > > this way... > > > > Alex > > Heh, funny this should come up. I'm in the process of figuring > it out myself. > > My setup is a bit different though: > > Multiple Apache Boxes <--> reverse proxy w/ redirector <--> > fw <-> client. > > Right now the fw port forwards 80 to the r.proxy, the redirector > rewrites the body of the request for the correct internal > machine. Obviously an ssl encrypted body can't be rewritten (or > parsed for that matter) so I have to decrypt it at the proxy. > > Squid 2.5 allows you to set https_port with a certificate. This > will encrypt the session between the client and the proxy. I'm > less worried about the internal network. The problem of course > lies in the redirector and the signed cert for the web sites. Do > I just get one signed for the proxy machine, or do I need > multiple certs for all the websites (and if so, can more then > one cert be assigned to the same port and will squid know which > to use?) > > Best case scenario is a single certificate authenticated to the > proxy box, for external connections. Chances are I'll end up > hoping that Squid 2.5 allows for multiple SSL certs on the same > port so then I can ssl all the websites off the proxy. > > Cheers, > > -- > Lance Levsen, > Systems Administrator, > PWGroup - Saskatoon > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: reverse proxying of ssl
On Wed, 2002-06-19 at 18:43, Lance Levsen wrote: > Best case scenario is a single certificate authenticated to the > proxy box, for external connections. Chances are I'll end up > hoping that Squid 2.5 allows for multiple SSL certs on the same > port so then I can ssl all the websites off the proxy. If you're lucky and all of the sites are in the same domain then you could use a wildcard certificate. Fraser -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: reverse proxying of ssl
> I want this: > > ssl-certificate <--fw--> apache (whatever) reverse proxy <-->client > holding IIS > > > Is this possible?? For me to reverse proxy a ssl server??? I dont > care if the proxy is accessed as http or https, i just want it to work > this way... > > Alex Heh, funny this should come up. I'm in the process of figuring it out myself. My setup is a bit different though: Multiple Apache Boxes <--> reverse proxy w/ redirector <--> fw <-> client. Right now the fw port forwards 80 to the r.proxy, the redirector rewrites the body of the request for the correct internal machine. Obviously an ssl encrypted body can't be rewritten (or parsed for that matter) so I have to decrypt it at the proxy. Squid 2.5 allows you to set https_port with a certificate. This will encrypt the session between the client and the proxy. I'm less worried about the internal network. The problem of course lies in the redirector and the signed cert for the web sites. Do I just get one signed for the proxy machine, or do I need multiple certs for all the websites (and if so, can more then one cert be assigned to the same port and will squid know which to use?) Best case scenario is a single certificate authenticated to the proxy box, for external connections. Chances are I'll end up hoping that Squid 2.5 allows for multiple SSL certs on the same port so then I can ssl all the websites off the proxy. Cheers, -- Lance Levsen, Systems Administrator, PWGroup - Saskatoon -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
reverse proxying of ssl
Okay debian friends, I want this: ssl-certificate <--fw--> apache (whatever) reverse proxy <-->client holding IIS Is this possible?? For me to reverse proxy a ssl server??? I dont care if the proxy is accessed as http or https, i just want it to work this way... Alex -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]