Re: [squid-users] squid reverse proxy with ssl: access denied

From: nick humphrey <[email protected]>
Date: Thu, 2 Nov 2006 11:28:40 +0100

i came up with this:
cache_peer 192.168.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER
originserver

but it doesn't seem to work. i just tried following the comment
guidelines in squid.conf for cache_peer, but i'm obviously not doing
this right.
there it says, among other things, that:
"To specify other caches in a hierarchy, use the format"
but i don't have other caches, i'm just trying to redirect traffic to
the one machine, wl81machine.
but if i have to use the cache_peer, then:
is it supposed to be "parent"?
i assume 8080 is correct
i'm confused about the 3130. do i have to make wl81machine listen on
that port? when i try contacting that port on wl81machine with netcat
from deb3machine it says "permission denied"

here's my (updated) squid.conf:
-------------------
https_port 8080 cert=/usr/local/squid/etc/key.crt
key=/usr/local/squid/etc/key.key defaultsite=192.168.0.150:8080
#httpd_accel_no_pmtu_disc on
#visible_hostname minbedrift.no-ip.com
sslproxy_flags DONT_VERIFY_PEER
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8080
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#always_direct allow all
http_access allow manager localhost
http_access deny manager
http_access allow CONNECT localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny CONNECT
http_access allow all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
cache_peer 192.168.0.150 parent 8080 3130 ssl
sslflags=DONT_VERIFY_PEER originserver
------------------
the commented out lines are just stuff i've tried in desperation to
see if they'd help (not sure if they do...)

i don't understand why in https_port:
defaultsite=192.168.0.150:8080

has to have the port on it as well, since it is already defined in the
beginning of https_port...

also a dumb question: do i reply to you or just to squid-users? both?
thanks Henrik,
Nick

2006/11/2, Henrik Nordstrom <henrik@henriknordstrom.net>:
> tor 2006-11-02 klockan 08:40 +0100 skrev nick humphrey:
>
> > Ready to serve requests.
> > Failed to select source for 'https://192.168.0.150:8080/'
> > always_direct = 0
> > never_direct = 0
> > timedout = 0
>
> This indicates incomplete accelerator mode configuration, missing the
> cache_peer telling Squid where the origin server(s) is..
>
> Regards
> Henrik
>
>
>
Received on Thu Nov 02 2006 - 03:28:45 MST

This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:02 MST