Support

mistwang · #11 05-04-2004, 01:48 PM

Do you mind sharing the ssl accelerator hardware solution, I am very interested in how it works. Thanks. :-)

I still couldn't believe name based SSL vhost possible.
After reading the squid configuration options you posted and cf.data.pre in squid source code (version 3.0 and 2.5), I think that the client could only get the SSL certificate specified in the squid configuration, but not the SSL certificates used by the backend Apache and the backend Apache only received decrypted requests from squid.

If you don't mind, could you please PM me the SSL web sites configured in this way. I am really interested in such solution.

Thanks.

xing · #12 05-04-2004, 11:08 PM

Actually...BeerCan, are you interested in a cheap but high quality hardware SSL accelerator? I just happen to have 2. =)

1) Intel Netstructure 7280 XML Accelerator
( In reality, it's a http/tcp load balancer AND has builtin dual/2 PCI hardware crypto SSL cards for 600SSL per second)

2) Intel Netstructure 7110 - SSL only and it has one PCI hardware SSL card inside. Rated for 200 SSL/second.

Check out the specs at Intel and let me know if you are interested. You can reach me at xing@fictionpress.com.

bogus · #13 05-14-2004, 06:49 AM

Quote:

Originally Posted by mistwang

I still couldn't believe name based SSL vhost possible.

They are not. Squid associates (ip,port) to certs, as can do LSWS or Apache directly. The exposed configuration allows to centralize all certs in case the backends are on remote machines. In that case, the link between proxy and backend is not (necessary) crypted.

The alternate port solution is not even an alternative to multiple IPs if your clients are corporate : firewalls usually do not allow alternatives to 443.