Using Squid to map non-SSL to SSL
Yusuf Goolamabbas <yusufg(at)outblaze.com>
2005-03-18 06:05:54

Read a few messages in the archives asking if Pound can do redirection
from http to https. I think the following additions to a stock Squid
config should do the trick. Let me know if it works for you.

    acl port80 myport 80
    http_access deny port80
    deny_info https://your.server.name.here/ port80
    # Basically if a certain ACL is fired and there is a corresponding
    # deny_info line, then squid can redirect to the URL mentioned there

    # Setup Squid as a reverse proxy
    httpd_accel_host 127.0.0.1
    httpd_accel_port 80

The last two lines are to ensure that I enable Squid as a reverse proxy,
otherwise I get into ACL snafus. There is nothing listening on
127.0.0.1:80.

You can modify the acl/deny_info lines according to incoming IPs so a
single Squid can handle incoming requests for different hosts (each
mapped to an appropriate IP since HTTPS can't do name-based hosts).

BTW, if anybody has access to a Linux or Solaris10 box running AMD64,
would appreciate if you could send me the output of
'openssl speed rsa1024'.

Hope this helps others,
Regards, Yusuf[...]
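
A check for the redirect described in the message above, as an added example that is not part of the original post and not Squid's own code: it inspects the raw response from the port-80 listener and reports whether it really sends clients to HTTPS on the expected host. The function names and the sample response are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of a port-80 response (not captured from a real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.0 302 Moved Temporarily\r\n"
    b"Server: squid\r\n"
    b"Location: https://your.server.name.here/\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def parse_head(raw: bytes):
    """Return (status_code, headers) from the head of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def check_redirect(raw: bytes, expected_host: str):
    """List the problems with a plain-HTTP response that should redirect to HTTPS."""
    try:
        status, headers = parse_head(raw)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if status not in (301, 302, 303, 307, 308):
        # A deny rule with no matching deny_info shows up here as a plain 403.
        problems.append("status %d is not a redirect" % status)
    location = headers.get("location")
    if location is None:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append("Location scheme is %r, not https" % target.scheme)
    if (target.hostname or "") != expected_host.lower():
        problems.append("Location host %r != %r" % (target.hostname, expected_host))
    return problems
```

When one Squid serves several IPs, run the check against the bytes read from each listening address on port 80, passing the hostname that IP is meant to map to as `expected_host`.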
RE: Using Squid to map non-SSL to SSL - OpenSSL speed
"John Snowdon" <J.P.Snowdon(at)newcastle.ac.uk>
2005-03-18 09:33:11

Can't really help any more than to say we use apache to rewrite incoming
addresses without a https prefix. You know what students are like... they'll
bookmark something and they'll never listen to anything saying that it's
changed! (was http, now https), they'll just report it as 'broken'.

Anyway, openssl speed:

Box 1

    Doing 1024 bit private rsa's for 10s: 9900 1024 bit private RSA's in 10.00s
    Doing 1024 bit public rsa's for 10s: 165576 1024 bit public RSA's in 10.00s
    OpenSSL 0.9.7d 17 Mar 2004
    built on: Wed Aug 4 15:39:10 UTC 2004
    options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) aes(partial)
    blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
    -DOPENSSL_NO_KRB5 -DL_ENDIAN -DNO_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -O2
    -fmessage-length=0 -Wall -fomit-frame-pointer -fno-strict-aliasing -DTERMIO
    -Wall -fbranch-probabilities
    available timing options: TIMES TIMEB HZ=100 [sysconf value]
    timing function used: times
                      sign    verify    sign/s verify/s
    rsa 1024 bits   0.0010s   0.0001s    990.0  16557.6

------------
Box 2

    Doing 1024 bit private rsa's for 10s: 9846 1024 bit private RSA's in 10.00s
    Doing 1024 bit public rsa's for 10s: 163628 1024 bit public RSA's in 10.00s
    ...
    timing function used: times
                      sign    verify    sign/s verify/s
    rsa 1024 bits   0.0010s   0.0001s    984.6  16362.8

------------
Box 3

    Doing 1024 bit private rsa's for 10s: 9762 1024 bit private RSA's in 9.75s
    Doing 1024 bit public rsa's for 10s: 164981 1024 bit public RSA's in 10.00s
    ...
    timing function used: times
                      sign    verify    sign/s verify/s
    rsa 1024 bits   0.0010s   0.0001s   1001.2  16498.1

------------
Box 4

    Doing 1024 bit private rsa's for 10s: 9990 1024 bit private RSA's in 10.00s
    Doing 1024 bit public rsa's for 10s: 164512 1024 bit public RSA's in 10.00s
    ...
    timing function used: times
                      sign    verify    sign/s verify/s
    rsa 1024 bits   0.0010s   0.0001s    999.0  16451.2

------------
Box 5

    Doing 1024 bit private rsa's for 10s: 9902 1024 bit private RSA's in 10.00s
    Doing 1024 bit public rsa's for 10s: 162227 1024 bit public RSA's in 10.00s
    ...
    timing function used: times
                      sign    verify    sign/s verify/s
    rsa 1024 bits   0.0010s   0.0001s    990.2  16222.7

Boxes are Sun Fire V20z with dual 248 processors and DDR333 memory. All using
the same openssl version and compile options as the first (online updated RPM
version of OpenSSL from SuSE 9.1 64bit).

Hope that helps