Re: [Hampshire] Squid/Apache as a reverse HTTPS proxy

Author: Steve Kirk
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Squid/Apache as a reverse HTTPS proxy
On Thu, Feb 01, 2007 at 11:08:28PM +0000, Dean Earley wrote:
> Hi all.
>
> I'm aware that both Squid and Apache can be used as reverse HTTP proxies
> (not done it myself though), but can either act as an HTTPS interface to
> a plain old HTTP server?
>
> This is to add on HTTPS support to some software that only (currently)
> supports HTTP/1.0.


I have done this using squid before. The line to enable HTTPS in the squid.conf:

https_port 443 cert=/path/to/cert/www.unixnation.net.crt key=/path/to/key/www.unixnation.net.key options=NO_SSLv2

This specifies the HTTPS port and the path to your certificate and key files.
I turn off SSLv2, using only SSLv3 and TLSv1.

If you are using the reverse proxy functionality, you may want to limit URLs:

http_access allow CONNECT SSL_ports
acl valid_urls url_regex "/etc/squid/valid_urls"
http_access allow valid_urls

The above access control allows the CONNECT http access type to your SSL port.
The acl valid_urls creates an acl called valid_urls, using a regex to parse a file. HTTP access is then allowed to these valid URLs.
This will prevent people abusing your reverse proxy.

It would be worth checking through the docs, especially if you are using 2.6.
The configuration I have is used with squid/2.5.STABLE13 and I can't shake the
feeling I've missed something off, but it was 2 years ago I set this up.

Cheers,
Steve
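
An added example, not part of Steve's message: a small Python check for the patterns in a valid_urls file like the one referenced by the url_regex acl above. url_regex patterns match anywhere in the URL unless anchored with ^, so the script flags unanchored patterns and unescaped dots and evaluates sample URLs against the list. Python's re module stands in for Squid's POSIX regex here, and every pattern, URL and function name is constructed for illustration.

```python
import re

# Constructed sample contents of a valid_urls file (one regex per line).
SAMPLE_VALID_URLS = r"""
^https://www\.example\.org/app/
www.example.org/static/
^https://www.example.org/api/
"""

def load_patterns(text):
    """Return the non-blank lines of the file, one pattern per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def lint(pattern):
    """Heuristic warnings for a single url_regex pattern."""
    warnings = []
    if not pattern.startswith("^"):
        warnings.append("unanchored")      # can match anywhere in the URL
    # A '.' with no backslash before it and no quantifier after it
    # matches any single character, not just a literal dot.
    if re.search(r"(?<!\\)\.(?![*+?])", pattern):
        warnings.append("unescaped-dot")
    return warnings

def allowed(url, patterns):
    """Approximate url_regex: case-sensitive search, any pattern may match."""
    return any(re.search(p, url) for p in patterns)

def audit(text, urls):
    """Lint every pattern and report which sample URLs the list would allow."""
    patterns = load_patterns(text)
    findings = {p: lint(p) for p in patterns if lint(p)}
    decisions = {u: allowed(u, patterns) for u in urls}
    return findings, decisions

if __name__ == "__main__":
    # Constructed URLs: one intended, two that only loose patterns let through.
    urls = [
        "https://www.example.org/app/login",
        "https://other.invalid/?u=www.example.org/static/",
        "https://wwwXexample.org/api/status",
    ]
    findings, decisions = audit(SAMPLE_VALID_URLS, urls)
    for pattern, warnings in findings.items():
        print(f"{pattern}: {', '.join(warnings)}")
    for url, ok in decisions.items():
        print(f"{'ALLOW' if ok else 'DENY '} {url}")
```

Anchoring each pattern with ^ and escaping literal dots makes the second and third sample URLs fall through to whatever deny rule follows the allow line.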