Best way to serve HTTPS content via Squid?


(James) #1

Is there a best way to set up Squid (as a reverse proxy) if you have an Apache webserver and want some matrix content served as HTTPS to the public?

 

I could either set up Squid to listen on 443 but talk to Apache on port 80 and get Squid to do the SSL encryption as the content passes through or should I be forwarding all https traffic through Squid directly to Apache with Apache doing the SSL encryption bit - if so what do you put in the Squid config? 

 

Finally, will either method described cache the content from matrix? Obviously I don't want forms or other user-specific information cached, but if the page is just sensitive content but not user-specific, that might be worth doing?

 

Any advice appreciated.


(Rwahyudi) #2

It's better to terminate SSL in Squid and have a plain HTTP connection to the matrix backend if you trust the network.

The config is similar to the standard reverse proxy, but you use https_port instead of http_port (see: http://www.squid-cache.org/Doc/config/https_port/).

 

Make sure you enable front-end-https in the cache peer directive and set this variable accordingly in matrix backend. 

Squid pays attention to HTTP cache control headers (Pragma, Expires, Cache-Control and Vary) and you can control these from matrix.
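
A squid.conf sketch of the setup described in the post above, added here as an example and not part of the original post. The hostname, certificate paths, peer name and the choice of a loopback origin are assumptions, and the option names follow Squid 3.x.

```conf
# Constructed example: www.example.com, the certificate paths and the peer
# name "matrix_origin" are placeholders, not values from the thread.

# Terminate TLS on Squid in accelerator (reverse proxy) mode.
# Squid 3.x option names; Squid 4 and later use tls-cert= / tls-key=.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/ssl/www.example.com.crt key=/etc/squid/ssl/www.example.com.key

# Plain HTTP to the Apache/Matrix origin. Assumed here to be on the same
# host, so the unencrypted hop never leaves the machine.
# front-end-https=on makes Squid add a "Front-End-Https: On" request header
# so the origin can tell that the client-facing connection was HTTPS.
cache_peer 127.0.0.1 parent 80 0 no-query originserver front-end-https=on name=matrix_origin

# Accept requests only for the published site and route them only to this peer.
acl matrix_site dstdomain www.example.com
http_access allow matrix_site
http_access deny all
cache_peer_access matrix_origin allow matrix_site
cache_peer_access matrix_origin deny all

# The origin should accept port 80 connections only from Squid, so that the
# Front-End-Https header it relies on always comes from the proxy.
```

What gets cached is still decided by the Cache-Control, Expires, Pragma and Vary headers the backend sends, so forms and user-specific pages need to be marked non-cacheable there.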


(James) #3

Much appreciated, that's what I was hoping.  Can you please explain what the front-end-https bit does in the cache peer directive and how to set this variable accordingly in matrix backend? 

 

Many Thanks


(Micky Gough) #4

Hi Froddy,

 

Most of the information you're looking for can be found here:  

http://manuals.matrix.squizsuite.net/system-configuration/chapters/proxy-configuration#SSL-Accelerator-Configuration

 

Let me know if you have any questions after you've looked at that.