Out of curiosity - don't you get a certificate authentication error when connecting to the sites, because the name on the certificate doesn't match the name of the site?

You may claim that you are only interested in encryption, not authentication. If this is the case, it doesn't really matter if you are transferring sensitive information. This is doubly true if you don't intend to get your certificate signed by a known CA. For non-personal use, however, I would reconsider this. See http://www.counterpane.com/crypto-gram-0302.html#8 for Bruce Schneier's opinion about the matter.

Shachar

gili gili wrote:

Hi list,

First of all thanks for taking interest in my case :-)

The second thing is that it WORKS!!!

This is the configuration:

1) Squid-2.5.STABLE2 (at compile time you need to enable the ssl option)
2) After that there are some changes in /where/is/squid/etc/squid.conf:
2.a) http_port 80                      # Port of Squid proxy
2.b) httpd_accel_host AAA.BBB.CCC.DDD  # IP address of web server
2.c) httpd_accel_port 80               # Port of web server
2.d) httpd_accel_single_host on        # Forward uncached requests to a single host
2.e) httpd_accel_with_proxy on
2.f) httpd_accel_uses_host_header off
3) For the SSL tunneling you need to add:
3.a) https_port 443 cert=/where/is/squid/etc/test_cert.pem key=/where/is/squid/etc/test_key.pem
3.b) and generate a certificate for the SSL:
#: openssl req -new -x509 -nodes -keyout test_key.pem -out test_cert.pem


And, to make all of this work, one more thing…
You will need to change your DNS so that the squid is your “web server”:
www.mysite.com 212.200.20.2
www.mysite2.com 212.200.20.2
www.mysite3.com 212.200.20.2

212.200.20.2 = is the ip of the squid

On the squid machine you will need to add an entry in your DNS/hosts file for every server.

www.mysite.com 172.10.1.1
www.mysite2.com 172.10.1.2
www.mysite3.com 172.10.1.3

That’s it...
I intend to integrate one more squid machine into all of this and to use some high availability option like WCCP, to use it as a “squid cluster”.


And maybe to use the LVS (Linux Virtual Server) http://www.linuxvirtualserver.org/

Thank you all for helping me!!!

Thanks Nadav for the tip on the “Radware's SSL Accelerator” I’ll use it :-)

P.S: I’m sorry for the “SLL” mistake, it’s the late hour and all...


From: "Nadav Har'El" <[EMAIL PROTECTED]>
To: gili gili <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: SLL gateway
Date: Wed, 26 Mar 2003 15:10:18 +0200

On Tue, Mar 25, 2003, gili gili wrote about "SLL gateway":
> I’m trying to set up an SLL gateway, what I mean is to create one server,
> and behind it all my http & https servers. The client connects to the “SLL
> gateway” in https, the “SLL gateway” unwraps the https and reads the http header.
> My questions are:
> 1) Does this architecture look reasonable, or am I fighting windmills???


I don't know if this is possible in squid, I never actually tried to use
Squid with SSL, but it is certainly possible to run Apache + Mod_ssl in the
mode you describe (if I understood correctly what you described).


Another thing you'll need to worry about is that SSL work, especially the
server-side RSA, is pretty slow, so unless you get a hardware acceleration
card for SSL, the performance of this setup might disappoint you.


Several companies also sell integrated devices which do the things you
describe, which are called "SSL accelerators", and are probably better
in performance, scalability, and security than some setup you'll concoct
yourself in an afternoon.
One of these companies is Radware (www.radware.com), an Israeli company I
work for; Radware's SSL Accelerator is called "CertainT 100".


> 3) If anyone tried this kind of thing (SLL reverse proxy, SLL wrappers,
> etc), can you give me some milestones?


"Stunnel" is a decent SSL wrapper. It might, or might not, be enough for
your needs.

P.S. It's "SSL" (Secure Socket Layer), not SLL.

--
Nadav Har'El | Wednesday, Mar 26 2003, 22 Adar II 5763
[EMAIL PROTECTED] |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |I planted some bird seed. A bird came up.
http://nadav.harel.org.il |Now I don't know what to feed it...


-- Shachar Shemesh Open Source integration consultant Home page & resume - http://www.shemesh.biz/
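An added example, not code from anyone in the thread: the host-name check that a browser applies to the server certificate, run against the two kinds of certificate the posted setup could use. In gili's configuration all three names resolve to the single squid address and one https_port with one cert= serves them all, so the certificate must be valid for every name. The certificate dicts below are constructed by hand in the shape Python's ssl.SSLSocket.getpeercert() returns (they are not real certificates), the host names are the ones from the thread, and the OpenSSL -config / x509_extensions usage in openssl_san_config is my own, not something the thread shows.

```python
"""Host-name vs certificate matching, the check Shachar is asking about.
Constructed example; the certificate dicts are hand-written in the shape
ssl.SSLSocket.getpeercert() returns, not real certificates."""
import ipaddress

HOSTS = ["www.mysite.com", "www.mysite2.com", "www.mysite3.com"]


class CertificateError(Exception):
    """The certificate does not cover the requested host name."""


def _is_ip_literal(hostname):
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern, hostname):
    """Match one dNSName entry against a host name the way RFC 6125 describes:
    case-insensitive, '*' only as the entire leftmost label, one label each."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    # Reject '*', 'w*.mysite.com' and '*.com'; equal label counts mean
    # '*.mysite.com' covers www.mysite.com but not a.b.mysite.com.
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if len(pat_labels) != len(host_labels):
        return False
    return pat_labels[1:] == host_labels[1:]


def names_in_cert(cert):
    """Return (dns_names, ip_names) the certificate is valid for.  When a
    subjectAltName is present only its entries count; the subject commonName
    is a fallback for SAN-less legacy certificates only."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if dns or ips:
        return dns, ips
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cn, []


def match_hostname(cert, hostname):
    """Raise CertificateError unless cert is valid for hostname."""
    dns_names, ip_names = names_in_cert(cert)
    if _is_ip_literal(hostname):
        want = ipaddress.ip_address(hostname)
        if any(ipaddress.ip_address(ip) == want for ip in ip_names):
            return
    elif any(_dns_name_matches(p, hostname) for p in dns_names):
        return
    raise CertificateError("hostname %r doesn't match certificate names %r"
                           % (hostname, dns_names + ip_names))


def hostname_ok(cert, hostname):
    """Boolean wrapper around match_hostname."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


def openssl_san_config(hostnames, cn=None):
    """Text of an OpenSSL config (my usage, not from the thread) that puts every
    host name into subjectAltName, for:
      openssl req -new -x509 -nodes -days 365 -config san.cnf \
          -keyout test_key.pem -out test_cert.pem"""
    cn = cn or hostnames[0]
    san = ",".join("DNS:" + h for h in hostnames)
    return "\n".join(["[req]", "distinguished_name = dn", "x509_extensions = v3_req",
                      "prompt = no", "", "[dn]", "CN = " + cn, "",
                      "[v3_req]", "subjectAltName = " + san, ""])


# What the posted 'openssl req -new -x509' produces if you answer the CN prompt
# with www.mysite.com: a single name and no subjectAltName (constructed).
SINGLE_CN_CERT = {
    "subject": ((("countryName", "IL"),), (("commonName", "www.mysite.com"),)),
}

# A certificate made with openssl_san_config(HOSTS): covers all three (constructed).
SAN_CERT = {
    "subject": ((("commonName", "www.mysite.com"),),),
    "subjectAltName": tuple(("DNS", h) for h in HOSTS),
}

if __name__ == "__main__":
    for label, cert in (("single-CN cert", SINGLE_CN_CERT), ("SAN cert", SAN_CERT)):
        for host in HOSTS:
            print("%-15s %-16s %s" % (label, host,
                                      "OK" if hostname_ok(cert, host) else "MISMATCH"))
    print(openssl_san_config(HOSTS))
```

With the single-CN certificate only www.mysite.com passes; www.mysite2.com and www.mysite3.com get exactly the mismatch Shachar describes, and a client that ignores it is encrypting to whoever answers on 443. The SAN certificate passes for all three names, which is the minimum for one https_port serving several hosts; signing it with a CA the clients trust is the separate point from the Crypto-Gram link.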


