Unless I misunderstood you, I'm afraid your network setup is a little naive. If you want a proxy that will receive URLs in the form of "https://server1/foo", "https://server2/bar", etc, unwrap the SSL, and send it on, you have the wrong setup in mind.
SSL is a layer between layer 5 (in your case - HTTP) and layer 4 (TCP). As such, it does its job without knowing about the inner protocol of the higher layer (HTTP). This would not have been too great an issue had the host name you are connecting to not been a crucial part of the authentication part of SSL. In order to agree to connect to a site without a warning, the Organization Unit of the SSL certificate must match, letter for letter, the host name you requested. Since SSL authentication takes place before the server even knows what hostname you requested, you cannot place several SSL sites with different names on the same IP and port. This includes a reverse proxy setup, like you are trying to do.
Having said that, the question pops up: what is an HTTPS proxy, then? The answer is that this is a forward proxy only, and it creates a tunnel between the client and the server. This is turned off by default on all self-respecting proxies, as it (by default) allows access to all machines the proxy has access to, on all ports, and thus bypasses a firewall if one exists. You can turn it on with a configuration option, but it would still not do what you are trying to do.
One thing that does resemble what you are trying to do is "stunnel". It does exactly what you want, only you have to tell it in advance which IP and port to forward the unencrypted connection to. As explained earlier, this requirement is inherent to the design of SSL.
One thing you may be able to do is distinguish the servers based on URL, rather than host name. This means that the different servers will have URLs that look like this:
https://name/server1/foo
https://name/server2/bar
I'm not sure whether squid will do this for you, but I'm confident that apache in proxy mode will do that (plus SSL unwrapping). If you are interested in hiring someone to help with that, you are welcome to have a look at my sig.
Shachar
gili gili wrote:
Hi List,
I'm trying to set up an SSL gateway. What I mean is to create one server, and behind it all my http & https servers. The client connects to the "SSL gateway" in https, the "SSL gateway" unwraps the https, reads the http header, and directs it to the right server.
[Client] ---HTTPS---> [Squid machine] ---HTTP---> [http servers apache + II$]
I compiled the latest squid version (squid-2.5.STABLE2) with SSL support. As I read in the man, this version includes the SSL patch inside...
For normal http sessions the squid is great (the squid guys call this kind of configuration "http accelerator"); the problem starts when I start an https session: the squid doesn't do the same thing as it did with the http, it just drops it!!!
My questions are:
1) Does this architecture look reasonable, or am I fighting windmills???
2) Can anyone advise me where to find manuals on the specific subject? I searched google, but the only related subjects are old and don't concern the SSL patch...
3) If anyone tried this kind of thing (SSL reverse proxy, SSL wrappers, etc), can you give me some milestones?
Thanks in advance, Gili
-- Shachar Shemesh Open Source integration consultant Home page & resume - http://www.shemesh.biz/
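The path-based scheme Shachar suggests, as an added configuration example that is not part of this thread and not from either poster: Apache httpd (2.4 syntax, mod_ssl, mod_proxy, mod_proxy_http, mod_headers assumed loaded) terminates TLS under one certificate and forwards by URL prefix to plain-HTTP backends, matching Gili's diagram. The gateway hostname, certificate paths and backend names server1/server2 are placeholders, and the backends are assumed to sit on a network not reachable from the clients, since the hop behind the gateway is unencrypted.

```apache
# Added example, not from the thread. Apache httpd 2.4 as a TLS-terminating
# reverse proxy that routes on the first path segment.
# Placeholders: gateway.example.com, the certificate paths, server1/server2.
Listen 443
<VirtualHost *:443>
    ServerName gateway.example.com

    # TLS is unwrapped here. The certificate has to be issued for this
    # name, because the client checks it before any HTTP request line or
    # Host header is sent, which is why one name serves all backends.
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/gateway.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/gateway.example.com.key

    # Reverse proxy only. ProxyRequests On would make this a forward proxy
    # able to tunnel (CONNECT) to anything the host can reach, the risk the
    # reply above describes.
    ProxyRequests Off

    # Let the backends know the client-facing scheme, since they only see
    # plain HTTP from the gateway.
    RequestHeader set X-Forwarded-Proto "https"

    # https://gateway.example.com/server1/foo  ->  http://server1/foo
    ProxyPass        /server1/ http://server1/
    ProxyPassReverse /server1/ http://server1/

    # https://gateway.example.com/server2/bar  ->  http://server2/bar
    ProxyPass        /server2/ http://server2/
    ProxyPassReverse /server2/ http://server2/

    # Anything outside those prefixes is served locally by this vhost and
    # never reaches a backend.
</VirtualHost>
```

ProxyPassReverse rewrites Location headers in backend redirects so the client keeps talking to the gateway. Note that the backends receive the path with the prefix stripped, so applications that build absolute links must be told about the prefix or the links will point outside their mapped subtree.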