On Mon, 13 Dec 2004, David Delamarre wrote:

You are right, I tried reverse with SSL between client and reverse
proxy and it is working, but if I need a certificate to authenticate to
the backend servers it is not working ....

I am starting to feel like a parrot now.

If you need a personal client certificate to authenticate to the backend server you only have the alternative of somehow publishing the web server's SSL port directly on the Internet. This is because for the certificate exchange to take place the client must talk to the SSL of your web server, not a surrogate server such as Squid.

You can use client certificates to authenticate to Squid, sort of, but this won't get forwarded to your backend server and is of quite limited use.

There are at least three means of getting an internal web server port published directly on the Internet if this is what you desire and with all security implications it may have. None of them involves Squid. Squid is a proxy / surrogate server.

- NAT
- TCP plugs such as the redirect method in xinetd (drawback: completely hides client IP, limited logging)
- Making the web server listen on an Internet IP


Regards
Henrik
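
The "TCP plug" option from the list above, as an added example that is not part of the original message: a relay that copies bytes in both directions without terminating SSL, so the certificate exchange still takes place between the client and the web server. The names `pump`, `handle`, `start_plug` and the `log` list are assumptions of this example; the log is kept at the plug because the backend only ever sees the plug's address.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the receiving side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)  # bytes are forwarded untouched, SSL records included
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, peer, backend_addr, log):
    # The plug is the only place the real client address is visible, so log it here.
    log.append(peer)
    try:
        backend = socket.create_connection(backend_addr, timeout=5)
    except OSError:
        client.close()
        return
    backend.settimeout(None)
    back = threading.Thread(target=pump, args=(backend, client), daemon=True)
    back.start()
    pump(client, backend)
    back.join()
    client.close()
    backend.close()

def start_plug(listen_addr, backend_addr, log):
    """Start the plug in background threads and return the listening socket."""
    srv = socket.create_server(listen_addr)

    def accept_loop():
        while True:
            try:
                client, peer = srv.accept()
            except OSError:
                return  # listening socket was closed
            args = (client, peer, backend_addr, log)
            threading.Thread(target=handle, args=args, daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv
```

Because the relay never parses what it forwards, any access control or request logging beyond the peer address has to happen on the web server itself.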
