Re: [SQU] SSL Gatewaying

From: John Castillo <john@dont-contact.us>
Date: Thu, 22 Feb 2001 18:22:34 -0800

understood. i have the browser to proxy = https working, however i'm not
sure what you mean by DIFFERENT session. i read the Netscape Proxy doc, and
i read about how sslwrap and stunnel can wrap around processes started by
inetd but i'm not sure how this would apply to squid.

seems to me that with the SSL Gatewaying patch, squid understands what to do
with a https request... essentially it takes the encrypted request, decrypts
it, then goes along its way to serve as a client to whatever information was
requested by the browser. so what i guess needs to happen is BEFORE squid
goes on its way, is it needs to somehow make a client https request to the
internal https server and grab the data. then decrypt it, and finally
reencrypt it with the squid cert and back to the browser. does this sound
right?

when you said DIFFERENT session what did you mean? another squid session?
how is this setup? i'm sorta lost now... there doesn't seem to be much info
on stunnel's, sslwrap's, or the mailing list regarding this type of setup.

john.

> 3) browser to proxy = https (one session)
> proxy to server = https (DIFFERENT session)
>
> You can never have "transparent" proxying because the entire packet is
> encrypted. The proxy cannot decrypt the packet to find out which server to
> forward to. That's also why you cannot have virtual named servers in web
> servers (one IP address and multiple servers) - some server must decrypt
> the packet to find the virtual server to send the packet to. The packet
> can't be re-encrypted so the whole scheme falls down.
> > so the new question is:
> > 1 - can i use a SSL wrapper (like stunnel or sslwrap) to create the secure
> > connection i need from SQUIDPROXY to INTERNALRESOURCE?
>
> That should work.
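The stunnel leg of the setup discussed above (the DIFFERENT session from SQUIDPROXY to INTERNALRESOURCE), written out as an added example in stunnel 4 configuration syntax; it is not from the thread, and the hostnames, ports, and file paths are assumptions. Squid talks plain HTTP to the local stunnel port, and stunnel opens its own TLS session to the internal server, so the browser-to-proxy session and the proxy-to-server session never share keys.

```ini
; /etc/stunnel/squid-to-internal.conf (assumed path)
; Runs on the Squid host. Squid sends plain HTTP to 127.0.0.1:8080;
; stunnel wraps each connection in a NEW TLS session to the internal server.

; Drop privileges after binding; log enough to see handshake failures.
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/squid-to-internal.pid
debug = 5
output = /var/log/stunnel/squid-to-internal.log

[squid-to-internal]
; client mode: stunnel is the TLS client toward INTERNALRESOURCE
client = yes
; bind only on loopback so nothing but the local Squid can use the plaintext side
accept = 127.0.0.1:8080
; the internal HTTPS server (assumed name and port)
connect = internal.example.local:443

; Without these two lines stunnel accepts ANY server certificate, so a host
; on the internal network could impersonate INTERNALRESOURCE to the proxy.
; verify = 2 requires a certificate that chains to a CA in CAfile.
verify = 2
CAfile = /etc/stunnel/internal-ca.pem
```

Squid then has to be pointed at 127.0.0.1:8080 over plain HTTP for requests destined for the internal resource; the Squid-side directive depends on the Squid version and patch in use, so it is not shown here.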

Received on Thu Feb 22 2001 - 19:24:01 MST