> > There's no reason for squid to forward request as https, unless the
> > network
> > between squid and server is untrusted. But in such case, there's usually
> > no
> > need for using squid.
On 12.10 13:27, Joost de Heer wrote:
> I disagree. For one customer, we provide reverse proxy functionality
> (although it's not Squid). The customer is divided into smaller fractions,
> some of which don't trust the rest. So they want the internal traffic to
> go via https too.
What exactly you don't agree with? That "unless" or "usually"?
> Because the backend network is a private WAN, we do need the reverse proxy
> on the DMZ to publish the site.
You didn't describe the network structure and logic deeply enough.
However, what I am repeating here is, that the difference between this:
client ====> server
HTTPS
and this:
client ====> proxy ====> server
HTTPS HTTPS
network structure is, that second one has one more weak place - the proxy.
Although the second structure CAN work and possibly DOES work somewhere,
it MAY be just a result of wrong decision or implementation
-- Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. How does cat play with mouse? cat /dev/mouseReceived on Wed Oct 12 2005 - 06:14:24 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Nov 01 2005 - 12:00:04 MST