Re: [squid-users] HTTPD reverse proxy

From: Neil A. Hillard <hillardn@dont-contact.us>
Date: Wed, 12 Oct 2005 14:03:47 +0100

Hi,

Matus UHLAR - fantomas wrote:
>>> There's no reason for squid to forward request as https, unless
>>> the network between squid and server is untrusted. But in such
>>> case, there's usually no need for using squid.

> On 12.10 13:27, Joost de Heer wrote:
>> I disagree. For one customer, we provide reverse proxy
>> functionality (although it's not Squid). The customer is divided
>> into smaller fractions, some of which don't trust the rest. So they
>> want the internal traffic to go via https too.

> You didn't describe the network structure and logic deeply enough.
>
> However, what I am repeating here is, that the difference between this:
>
> client ====> server
>          HTTPS
>
> and this:
>
> client ====> proxy ====> server
>          HTTPS        HTTPS
>
> network structure is, that second one has one more weak place - the proxy.
> Although the second structure CAN work and possibly DOES work somewhere,
> it MAY be just a result of wrong decision or implementation

There are a couple of reasons that I can think of that require this
configuration:

1) Where you don't trust the security of the connection between the
reverse proxy and backend web server and

2) Where the backend web server insists on generating URLs based on the
protocol used to communicate with it. e.g. https to the reverse proxy,
http to the web server and it generates HTML with http:// URLs.

I have had to deal with the second one personally. I used squid
initially and it worked as required so I know it is possible.

We moved away from squid as a reverse proxy to Apache with mod_proxy,
mod_rewrite and mod_proxy_html (from Nick Kew). This allows us to fully
rewrite the HTML from the backend web server and change links for
external access. This way we can consolidate multiple backend servers
into a single certificate and we use strong authentication so this
ensures that the users only have to authenticate once.

We still use squid as a forward proxy for at least 1500 users.

HTH,

                                Neil.

-- 
Neil Hillard                    hillardn@whl.co.uk
Westland Helicopters Ltd.       http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
             views of Westland Helicopters Ltd.
Received on Wed Oct 12 2005 - 07:05:54 MDT
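The two cases Neil describes can be handled in one Apache reverse-proxy vhost. The following is an added example, not Neil's own configuration; it assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_proxy_html loaded, and all hostnames and file paths are placeholders.

```apache
# Added example (not from the original mail). Hostnames and paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Case 1: the proxy-to-backend hop is not trusted, so re-encrypt it and
    # verify the backend certificate against an internal CA bundle. Without
    # SSLProxyVerify/SSLProxyCheckPeerName the hop is encrypted but unauthenticated.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    SSLProxyCheckPeerName on

    # Reverse proxy only; never enable ProxyRequests on a public-facing vhost.
    ProxyRequests off
    # Several backends consolidated under the one public certificate.
    ProxyPass        /intranet/ https://intranet.internal/
    ProxyPassReverse /intranet/ https://intranet.internal/
    ProxyPass        /wiki/     https://wiki.internal/
    ProxyPassReverse /wiki/     https://wiki.internal/

    # Tell the backend which scheme the client used, for applications that
    # build absolute URLs from this header rather than from the transport.
    RequestHeader set X-Forwarded-Proto "https"
    # mod_proxy_html cannot parse compressed bodies, so ask for plain HTML.
    RequestHeader unset Accept-Encoding

    # Case 2: backends that still emit absolute http:// links in their HTML.
    # ProxyPassReverse only rewrites Location-style headers; mod_proxy_html
    # rewrites the links inside the response body.
    ProxyHTMLEnable On
    ProxyHTMLExtended On
    ProxyHTMLURLMap http://intranet.internal/  /intranet/
    ProxyHTMLURLMap https://intranet.internal/ /intranet/
    ProxyHTMLURLMap http://wiki.internal/      /wiki/
    ProxyHTMLURLMap https://wiki.internal/     /wiki/
</VirtualHost>
```

Check the result with `apachectl configtest` and then by fetching a backend page through the proxy and confirming no `http://intranet.internal/` strings remain in the body.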