Forward caching proxy for an HTTPS server?

Suppose we have a CVMFS stratum server (actually S3 object storage) that is only available via HTTPS, not HTTP.
We want to access it via forward caching proxies as usual, for a CVMFS data repository.

As far as I can tell, the only way to do that involves the “SSL bumping” feature.
However, that involves security practices we would consider unacceptable.
We would like to be able to use the object storage for a public repository, working with all the standard caching proxies that people already have set up, preferably without needing much or anything in terms of extra proxy config.

I can envision that the following might be technically possible:
- a client requests http://s3/datafile via a proxy only (as DIRECT would not work)
- the proxy has some configuration telling it, for that origin server, it has to connect via HTTPS
- the proxy fetches https://s3/datafile, caches the content, and returns the HTTP response (TLS headers etc. stripped off) to the client

However, I am not sure if any functionality exists like that in squid, at least I could not find any information about it. @dwd ?
If it is, it would be an option for forward or reverse proxy caching.

Of course if we had a frontend or reverse proxy to the object storage that was HTTP, that would take care of that part of the problem, but it might be a bottleneck or be less resilient compared to the object storage cluster itself.


Hi Ryan,

I haven’t tried doing what you want to do, but perhaps a url_rewrite_program could be used for that. I know people who have successfully used that for other purposes.
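
A sketch of the url_rewrite_program idea from the reply, as an added example that is not part of either post and not code from Squid or CVMFS: a helper that answers Squid's rewrite requests by mapping http:// URLs for an allowlisted origin to https:// and leaving everything else untouched. The origin name `s3` is the placeholder from the question, the sample request lines in the docstring describe the helper protocol of Squid 3.4 and later, and whether Squid then fetches the rewritten https:// URL and caches it as hoped is the untested assumption the reply itself flags.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper: fetch allowlisted http:// origins over https://."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Assumption: "s3" is the placeholder origin from the question's http://s3/datafile.
HTTPS_ONLY_ORIGINS = {"s3"}


def rewrite_line(line):
    """Turn one request line from Squid into one reply line.

    Request: [channel-ID] URL [extras...]
    Reply:   [channel-ID] OK rewrite-url="..."   or   [channel-ID] ERR (no change)
    """
    fields = line.split()
    prefix = ""
    # A leading integer is the channel-ID Squid prepends when helper concurrency > 0.
    if fields and fields[0].isdigit():
        prefix = fields.pop(0) + " "
    if not fields:
        return prefix + "ERR"
    raw = fields[0]
    try:
        url = urlsplit(raw)
        port = url.port  # raises ValueError on a malformed port
    except ValueError:
        return prefix + "ERR"
    host = (url.hostname or "").lower()
    # Upgrade only plain-HTTP requests for allowlisted origins on the default port,
    # so the helper never changes how any other site is fetched.
    if url.scheme != "http" or host not in HTTPS_ONLY_ORIGINS or port not in (None, 80):
        return prefix + "ERR"
    # Refuse characters that could break out of the quoted rewrite-url value.
    if '"' in raw or "\\" in raw:
        return prefix + "ERR"
    target = urlunsplit(("https", host, url.path, url.query, ""))
    return f'{prefix}OK rewrite-url="{target}"'


def main():
    for line in sys.stdin:
        sys.stdout.write(rewrite_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer output


if __name__ == "__main__":
    main()
```

The helper would be referenced from squid.conf with the `url_rewrite_program` directive; with this layout the proxy, not the client, is the party that validates the object store's TLS certificate.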