Re: [squid-users] Proxy and cache of SSL with client auth?

From: Justin Binns <jbinns_at_tap.tv>
Date: Thu, 21 May 2009 09:34:03 -0500

Hmm. I guess I'm not describing what I want to do clearly enough.

The purpose is, as you say, to shove a caching proxy in between the
clients and the server. What I can quite happily do is give the proxy
its own certificate that is trusted by the server - essentially
delegating responsibility for file distribution to the proxy. Then the
proxy can authenticate the clients and serve the cached data. The thing
I can't seem to make work is getting squid to use a cert when it is
trying to establish a connection to the up-stream server...

Thanks again for any help ;-)

Justin

Matus UHLAR - fantomas wrote:
>>>> This may sound insane, but here goes. I've got a file distribution
>>>> system that relies on client certificate authentication through SSL
>>>> (https) to authenticate clients prior to delivery of files. Typical
>>>> apache with ssl and client cert setup. I have reached a situation,
>>>> however, where it would be convenient to create a tiered system of
>>>> caches of said files. My thought was to use squid to do this as follows:
>
> On 20.05.09 11:35, Justin Binns wrote:
>> I had thought of this as a forward-proxy, because the clients and the
>> proxy server are all on the same network, and the proxy is providing
>> caching for the clients. The purpose of this is to reduce bandwidth -
>> let me provide a more thorough concrete description of the application.
>
> So, your users are authenticating with SSL onto webserver that provides some
> files. You want to push proxy in the middle, that would authenticate using
> their certificates instead of users. That means that the proxy must know
> their private SSL keys. In such case the SSL authentication is useless, or
> better: makes it impossible. Ordinary authentication is needed.
>
> So, this one auth scheme must be used:
>
> proxy does have the file but provides it to the client only if the client
> passes correct auth info, which is sent to server by the proxy, and server
> replies either with 4xx code, which means proxy won't pass cached object to
> the client, or server replies with 302 "not modified" code, so the proxy
> passes the object to client (alternatively, server replies 200 OK, sends the
> object to the proxy...)
>
> Now the question is if HTTP allows that (hopefully yes), and if your server
> supports the 302 reply code.
Received on Thu May 21 2009 - 14:34:08 MDT
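As an added example that is not part of the thread and is not configuration posted by anyone in it, the following squid.conf fragment shows both halves of the design Justin describes: the proxy terminates HTTPS and authenticates clients by certificate, and on a cache miss it connects to the origin presenting the proxy's own certificate through cache_peer. Everything concrete in it is assumed: the hostname files.example.com, the file paths under /etc/squid, the certificate subject values and the ports. The option names are the ssl/sslcert=/clientca= spelling of Squid 2.x/3.x that was current when this thread was written, and the user_cert and ca_cert acl types are Squid 3.x; later Squid releases renamed the TLS options to tls-*.

```conf
# Added example, not from the thread. Hostnames, paths, ports and DN
# values are assumptions; option names are the 2.x/3.x spelling.

# --- Client side: terminate HTTPS and request a client certificate --------
# clientca= lists the CAs advertised to the client when a certificate is
# requested and, because cafile= is not set, is also used to verify it.
# NO_DEFAULT_CA keeps the system CA bundle out of client verification.
https_port 443 accel defaultsite=files.example.com \
    cert=/etc/squid/proxy-server.pem key=/etc/squid/proxy-server.key \
    clientca=/etc/squid/client-ca.pem sslflags=NO_DEFAULT_CA

# Only a client whose certificate was issued by the expected CA and whose
# subject carries the expected organisation is served. A request with no
# certificate matches neither acl and is denied before any cached object
# leaves the proxy; this is where per-client authorisation now lives.
acl trusted_issuer ca_cert CN ExampleClientCA
acl trusted_client user_cert O ExampleCorp
http_access allow trusted_issuer trusted_client
http_access deny all

# --- Upstream side: fetch misses from the origin with the proxy's own cert --
# sslcert=/sslkey= is the client certificate the origin has been told to
# trust, i.e. the delegation Justin describes. sslcafile= pins the CA the
# origin's server certificate must chain to and ssldomain= the name that
# certificate must carry.
cache_peer files.example.com parent 443 0 no-query originserver \
    name=origin ssl \
    sslcert=/etc/squid/proxy-client.pem sslkey=/etc/squid/proxy-client.key \
    sslcafile=/etc/squid/origin-ca.pem ssldomain=files.example.com
cache_peer_access origin allow all
never_direct allow all

# Cached copies of the files served under the rules above.
cache_dir ufs /var/spool/squid 10000 16 256
```

Two points to check before relying on this. First, it is the delegation Matus warns about: the origin only ever sees the proxy's identity, so which client may receive which file is decided solely by the http_access rules on the proxy, and a cached object is re-served under the proxy's policy without the origin being consulted; if the origin applies per-client rules that cannot be expressed as acls here, this design weakens them. Second, run `squid -k parse` after editing, since an unknown option on cache_peer or https_port (for instance the ssl* names on a release that expects tls-*) is a parse error rather than a silently ignored setting.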

This archive was generated by hypermail 2.2.0 : Fri May 22 2009 - 12:00:01 MDT