It could be done in theory look below
On Sat, 6 Nov 1999, Paul Boyer wrote:
> Dave J Woolley wrote:
> >
> > > I will try to keep this specific to Squid. My question is: does Squid
> > > have
> > > anything at all, whatsoever, to do with SSL requests coming to its own
> > > SSL port? If the answer is no, then I need to find out about Checkpoint 1
> > >
> > As far as I know, squid has no SSL port. It certainly
> > has no code that can decrypt SSL.
>
> MS-Proxy is able to receive a SSL connection, decrypt it by itself, and
> reverse proxy it to a Web server.
>
> MS-proxy uses the IIS a bility to do SSL.
>
> Now, the question is : What is the solution to get this working on a
> Linux environment :
>
>
> web client ----HTTPS----> reverse proxy ------HTTP-----> Web server
>
> This is the only way I know of to to content filtering on a SSL link.
>
> That could also be used for :
>
> web server <----HTTPS 1--- ssl/clear content-filtering (Anti Virus)
> clear/ssl <---HTTPS 2-----
>
> HTTPS 1 and HTTPS 2 _DO_NOT_ share the same key.
>
> Does anyone have a clue on how such kind of a solution can be built on
> Linux, using Squid, Apache, or any other GPL tool ?
A) in apache alias everything to the one script (not sure how its done but
it's doable - if you ask I can find out as I do it for a web redirection)
B) you then need a ascript which passes to another web server exactly the
GET/POST/WHATEVER METHOD THAT IS USED + headers you ant passed thru to
form a new http request to a backend server - then whatever it returns
your return. (it could be written as an apache module too = faster?)
(if you want to pass 404's and the like thru as well use a nph-scriptname
to do that job fr you as you can specify all the headers.
That would be pretty much it, BUT it would be far easier to install
mod_ssl (unless it's a specialised web server which does not do ssl) on
the backend web server and use some tcp plug to pipe traffic on port 443
to the backend server.
basically the point is that whereever it going to be decrypted you will
need a web server capable of talking ssl.
(as far as trying to do content filtering in the proxy forget it ssl
can not be snooped upon (otherwise it wouldn't be secure :-))
Jeff
Received on Fri Nov 05 1999 - 18:29:19 MST
This archive was generated by hypermail pre-2.1.9 : Wed Apr 09 2008 - 11:57:32 MDT