Re: [squid-users] Squid3: https virtual domain redirects

From: Jim Flowers <[email protected]>
Date: Sun, 7 Sep 2003 10:02:43 -0500

> > https_port 443 cert=/usr/local/etc/apache/ssl.crt/server.crt
> > key=/usr/local/etc/apache/ssl.key/server.key accel
> > defaultsite=my.virtualhost.com protocol=http.
>
> Looks fine.

Except it didn't do what I wanted it to do.

>
> > This appears to rewrite everything to http://my.virtualhost.com on
> > its own and does not ever get to the redirect_program instead
> > showing up as an http:// request at my.virtualhost.com on port 443.
>
> Why are you using a redirect program?

Because I actually want to rewrite https://www.abc.com.at.example.com/ to
http://www.abc.com which may be an actual or virtual domain.

>
> The requests should not get forwarded at all unless you for some
> reason forces these direct, and if they are they should end up as
> http://my.virtualhost.com/ (port 80).
>
> There was some minor issues in how Squid-3 handled this some weeks
> ago
> (sometimes getting the port number incorrect on accelerated requests)
> but it should work fine now.

OK, I installed squid-3.0-PRE3 which seems to have that problem solved.

>
> > Can Apache3 be configured as an accelerator rewriting https://
> > requests to http:// name-based virtual domains? How do I get the
> > request to the redirect_program?
>
> This is a Squid list, not an Apache list.

Sorry, I knew that. Just a slip as I am using the Apache SSL keys and
certificates.

>
> If I understand you correctly you want Squid to accept https request
> and forward them to a http server of your choice? If this is the
> case then use something like this:
>
> https_port 443 cert=... key=... accel defaultside=...
> (don't use protocol=)

Interesting, neither accel nor vhost are listed as https_port options and
given the note I thought it was automatic. I am now using vhost with no
defaultsite=... and it seems to work OK for both rewrites and cache_peer
methods.

>
> cache_peer your.http.server parent 80 0 no-query originserver
>
> acl my dstdomain my.virtualhost.com
> cache_peer_access your.http.server allow my

OK, I understand this - sort of. I would usually do:

cache_peer 1.1.1.1 parent 80 0 no-query originserver name=www.example.com
acl my dstdomain www.abc.com.at.example.com
cache_peer_access www.example.com allow my

Are both methods OK or just yours?

>
> If the domain name requested by the browser is different compared to
> the domain name expected by the http server then you have three
> options:
>
> a) Set the defaultsite= to the domain name expected by the web server
> (not recommended.. this should be set to the externally visible
> domain name)

OK, understood.

>
> b) Use a redirector to rewrite the URL while forwarded by Squid
> (this will modify the cache_peer_access requirements accordingly).

OK, I think I can make this work. I have already done so except with
always_direct instead of cache_peer_access.

>
> c) Use the forcedomain= cache_peer option.

OK, understood

One final (ho ho ho :} question: When I rewrite https://accel.com to
http://origin.com and use always_direct allow http://origin.com the browser
(IE6) pops up the message that both secure and non-secure items are going to
be displayed. Any way 'round this?
Received on Sun Sep 07 2003 - 09:02:15 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:19:34 MST