Re: squid as accel for SSL possible?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 21 Jun 1998 13:37:40 +0200

Daniel Schild wrote:

> But if you use the squid in normal cache mode it works. Maybe it
> is as I mentioned and this little accel-thing just does a URL
> rewrite and the main part is the same as in caching mode? Then
> it should be possible to handle the SSL stuff ... n.b., if I can
> not get an SSL accel or some other stuff I will simply use squid
> as a cache 'cause this works with SSL.

Squid can only handle SSL when the browser is configured to use it as a
proxy. Even then it knows nothing more than the server name (and port)
contacted by the browser. Everything else is encrypted in the
SSL-tunnel.

When a browser KNOWS that it is using a proxy, it encapsulates SSL in
HTTP by using a method called CONNECT. All this method does is to set up
a fully connected TCP channel to the server/port indicated by the
CONNECT method, then the browser & server negotiate SSL on this TCP
channel.

You can't cache or decode SSL documents in between the client and the
server. The whole idea in SSL is to protect against "man in the middle"
and network sniffing attacks.

If you are building an HTTP accelerator and need to be able to support
SSL as well as HTTP, then the easiest way to do this is to use a separate
TCP plug daemon that transparently duplicates the real server's SSL port
on the accelerator machine. Then when the client connects to the SSL
port on the accelerator machine it is transparently relayed to the real
server by the TCP plug daemon.

An alternative to using a TCP plug is to use some kind of NAT technology (a
TCP plug is a kind of specific-purpose application-level NAT device).

---
Henrik Nordström
Sparetime Squid Hacker
Received on Sun Jun 21 1998 - 05:04:18 MDT
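The two mechanisms in the message above, the CONNECT tunnel a proxy-aware browser uses and the TCP plug suggested for the accelerator case, as one added example. This is not code from the original thread or from Squid; it is a small, self-contained Python illustration. It assumes a content-agnostic `relay` that copies bytes both ways, a `serve_connect` that parses the CONNECT request, answers 200 and then relays, a `serve_plug` that relays straight to a configured host and port with no handshake, and a `tunnel_demo` that runs client, hop and a constructed stand-in origin over loopback and reports what each party saw. All function names are hypothetical; the point it makes is that in both cases the middle hop learns only the host and port, and whatever the endpoints exchange afterwards passes through it untouched and uninspected.

```python
import select
import socket
import threading
from typing import Dict, Tuple

def parse_connect_request(raw: bytes) -> Tuple[str, int]:
    """Return (host, port) from a CONNECT request line: all a proxy ever learns."""
    request_line = raw.split(b"\r\n", 1)[0].decode("ascii")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request: %r" % request_line)
    host, sep, port = parts[1].rpartition(":")
    if not host or not sep or not port.isdigit():
        raise ValueError("CONNECT target must be host:port, got %r" % parts[1])
    return host, int(port)

def relay(a: socket.socket, b: socket.socket) -> None:
    """Copy bytes both ways until either end closes. Nothing is parsed or cached,
    which is why SSL can ride across it: this hop only ever sees ciphertext."""
    peer = {a: b, b: a}
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for s in readable:
            data = s.recv(4096)
            if not data:  # one end hung up: tear the tunnel down
                return
            peer[s].sendall(data)

def _recv_until(sock: socket.socket, marker: bytes) -> bytes:
    """Read until marker arrives; raise if the peer closes first."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before %r" % marker)
        buf += chunk
    return buf

def serve_connect(client: socket.socket) -> Tuple[str, int]:
    """Proxy side of CONNECT: parse, open the TCP channel, answer 200, relay blindly."""
    host, port = parse_connect_request(_recv_until(client, b"\r\n\r\n"))
    with socket.create_connection((host, port)) as upstream:
        client.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
        relay(client, upstream)
    return host, port

def serve_plug(client: socket.socket, host: str, port: int) -> None:
    """TCP plug on an accelerator: no handshake, just join the client's
    connection to the real server's port and relay."""
    with socket.create_connection((host, port)) as upstream:
        relay(client, upstream)

def _listener() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # loopback only, kernel-chosen port
    s.listen(1)
    return s

def tunnel_demo(use_connect: bool, payload: bytes = b"constructed opaque client bytes") -> Dict[str, object]:
    """Run client -> (CONNECT proxy or TCP plug) -> stand-in origin on loopback.
    The origin is a constructed stand-in that echoes its input prefixed with
    b"ORIGIN:"; the returned dict records what each party saw."""
    origin, hop = _listener(), _listener()
    ohost, oport = origin.getsockname()
    seen: Dict[str, object] = {}
    def run_origin() -> None:
        conn, _ = origin.accept()
        with conn:
            data = conn.recv(4096)
            seen["origin_received"] = data
            conn.sendall(b"ORIGIN:" + data)
        origin.close()
    def run_hop() -> None:
        conn, _ = hop.accept()
        with conn:
            if use_connect:
                seen["hop_learned"] = serve_connect(conn)
            else:  # a plug is configured with its target and parses nothing
                serve_plug(conn, ohost, oport)
                seen["hop_learned"] = (ohost, oport)
        hop.close()
    threads = [threading.Thread(target=f, daemon=True) for f in (run_origin, run_hop)]
    for t in threads:
        t.start()
    with socket.create_connection(hop.getsockname()) as client:
        if use_connect:
            req = "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (ohost, oport, ohost, oport)
            client.sendall(req.encode("ascii"))
            seen["hop_reply"] = _recv_until(client, b"\r\n\r\n").split(b"\r\n", 1)[0]
        client.sendall(payload)
        seen["client_received"] = b"".join(iter(lambda: client.recv(4096), b""))
    for t in threads:
        t.join(timeout=5)
    return seen
```

Calling `tunnel_demo(True)` exercises the proxy path: the hop's record shows only the host and port taken from the CONNECT line, while the origin receives the client's bytes exactly as sent and the client gets the origin's answer back exactly as sent. `tunnel_demo(False)` exercises the plug path, where the hop does not even read a request line; it is configured with the real server's address and relays from the first byte. In both cases the relay has no place to cache or decode anything, which is the practical reason an accelerator cannot serve SSL content itself and has to pass the SSL port straight through.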

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:40:46 MST