On 17/11/17 20:33, Bernhard Dübi wrote:
> Hi,
> I try to configure squid for a very special use case but can't get it
> to work. So, if you could give me some hints on how to do it right,
> that would be great.
> Here's what I try to achieve:
> the browser has proxy:8080 configured as manual proxy
> from the browser I access some websites
> when the request is plain http then the reply must be a redirect to https
> when the request is https then the ssl connection must be terminated
> on the proxy and the request must be forwarded as http to the
> application server

A forward/explicit proxy like yours is required to ensure that the
security level of traffic remains unchanged across both client and
server connections. Never downgraded without explicit knowledge by both
endpoints. Bad problems ensue if you downgrade with either endpoint
thinking it is secure end-to-end.

> I know, I could just forget about ssl and go directly to the app server
> with http but the customer insists on that particular setup
> we use several domains like app1.doma.com, app2.domb.biz, app3.domc.org
> in order to return the correct certificate for each request, I need a
> dedicated ip:port combination for each certificate

That is only relevant for *reverse-proxy*, not a forward/explicit proxy
like yours.
If you have an explicit TLS connection between the clients and Squid
forward/explicit, you only need a certificate confirming Squid's hostname
to the client.
If you are using SSL-Bump to decrypt the HTTPS traffic Squid can
auto-generate certificates on the client connection based on the
upstream server cert details.
Amos
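A minimal squid.conf sketch of the two options Amos describes, added here as an illustration and not taken from the thread or from the Squid documentation. It assumes Squid 4.x directive names (Squid 3.5 spells them cert=/key= and ships the ssl_crtd helper instead of security_file_certgen); the hostname proxy.example.com, the port numbers, the local CA and all file paths are placeholders.

```conf
# Added illustration, not from the thread. Assumes Squid 4.x directive
# names; hostname, ports, paths and the local CA are placeholders.

# Option 1: explicit proxy reached over TLS ("browser -> TLS -> Squid").
# One certificate is enough on this port and it names the proxy itself,
# not the origin sites: HTTPS to app1.doma.com etc. is tunnelled through
# CONNECT untouched, so each origin still presents its own certificate.
https_port 8443 \
    tls-cert=/etc/squid/certs/proxy.example.com.crt \
    tls-key=/etc/squid/certs/proxy.example.com.key

# Option 2: SSL-Bump on a plain explicit port. Squid decrypts the CONNECT
# tunnel and mints a per-site certificate on the fly, signed by a local CA
# that every client browser must already trust (the "explicit knowledge"
# the reply refers to). tls-cert here is that signing CA, not a server cert.
http_port 8080 ssl-bump \
    tls-cert=/etc/squid/certs/bump-ca.pem \
    tls-key=/etc/squid/certs/bump-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper process and on-disk cache for the generated certificates.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Look at the TLS ClientHello (SNI) first, then bump everything; a "splice"
# rule for chosen destinations would leave those encrypted end-to-end.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Note: even when bumped, Squid re-encrypts towards the origin. Forwarding
# the bumped request onward as plain http would be exactly the silent
# downgrade the reply warns about.
```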
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users