Forward caching proxy for an HTTPS server?

Suppose we have a CVMFS stratum server (actually S3 object storage) that is only available via HTTPS, not HTTP.
We want to access it via forward caching proxies as usual, for a CVMFS data repository.

As far as I can tell, the only way to do that involves the “SSL bumping” feature:
https://wiki.squid-cache.org/Features/SslBump
However, that involves security practices we would consider unacceptable.
We would like to be able to use the object storage for a public repository, working with all the standard caching proxies that people already have set up, preferably without needing much or anything in terms of extra proxy config.

I can envision that the following might be technically possible:
- a client requests http://s3/datafile via a proxy only (as DIRECT would not work)
- the proxy has some configuration telling it, for that origin server, it has to connect via HTTPS
- the proxy fetches https://s3/datafile, caches the content, and returns the HTTP response (TLS headers etc. stripped off) to the client

However, I am not sure whether any functionality like that exists in Squid; at least I could not find any information about it. @dwd?
If it is, it would be an option for forward or reverse proxy caching.

Of course if we had a frontend or reverse proxy to the object storage that was HTTP, that would take care of that part of the problem, but it might be a bottleneck or be less resilient compared to the object storage cluster itself.

Thanks!

Hi Ryan,

I haven’t tried doing what you want to do, but perhaps a url_rewrite_program could be used for that. I know people who have successfully used that for other purposes.

Dave
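
A sketch of the kind of `url_rewrite_program` helper suggested above, as an added example that is not code from this thread or from the Squid project. It assumes a Squid release that uses the `OK rewrite-url="..."` helper reply format and is built with TLS support for outgoing connections; the host name `s3` is the placeholder from the question, and only allowlisted origins on the default HTTP port are upgraded.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper: upgrade http:// to https:// for listed origins."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Assumption: "s3" is the placeholder origin host used in the question above.
HTTPS_ONLY_ORIGINS = {"s3"}


def rewrite(url):
    """Return the https:// form of url, or None to leave the request unchanged."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "http" or parts.hostname not in HTTPS_ONLY_ORIGINS:
        return None
    # Refuse userinfo and non-default ports instead of guessing the TLS port.
    if parts.username is not None or port not in (None, 80):
        return None
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


def handle_line(line):
    """Turn one request line from Squid into one helper reply line."""
    fields = line.split()
    channel = ""
    # With helper concurrency enabled, Squid prefixes each line with a numeric
    # channel ID that must be echoed back in the reply.
    if fields and fields[0].isdigit():
        channel = fields.pop(0) + " "
    target = rewrite(fields[0]) if fields else None
    # A quote in the URL would break the quoted reply value, so decline it.
    if target is None or '"' in target:
        return channel + "ERR"     # ERR tells Squid to keep the original URL
    return f'{channel}OK rewrite-url="{target}"'


if __name__ == "__main__":
    for request in sys.stdin:
        # Squid waits for each reply, so flush after every line.
        print(handle_line(request), flush=True)
```

The client-to-proxy leg stays plain HTTP with this approach; only the proxy-to-origin fetch uses TLS, with certificate validation left to the proxy's own outgoing TLS settings.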