RE: [squid-users] SSL Reverse Proxy

From: Dwyer, Simon <[email protected]>
Date: Fri, 12 Oct 2007 09:18:44 +1100

Thanks Amos, Matus and Shekhar.

It seems I forgot to put in the login=PASS which may have caused the error.
I also fixed up my host file and started squid with -D.

Thanks again,

Simon Dwyer

-----Original Message-----
From: Amos Jeffries [mailto:squid3@treenet.co.nz]
Sent: Thursday, 11 October 2007 11:11 PM
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] SSL Reverse Proxy

Shekhar Gupta wrote:
> Hi Simon,
>
> I am just sharing my config which I have done for my SSL Reverse
> Proxy for one of the sites which is hosted on port 80. One more thing
> is I am running squid with
> the -D option which tells squid not to use DNS for name resolution; at the
> same time I am making the entries in the /etc/hosts file for the site.
>
> https_port 443 cert=/Path to Certificate/testcert.cert key=/Path to
> Key/testkey.pem defaultsite=mywebsite.mydomain.com vhost
>
> cache_peer 10.112.62.20 parent 80 0 no-query originserver login=PASS
> name=websiteA.mydomain.com
> acl sites_server_1 dstdomain websiteA.mydomain.com
> cache_peer_access websiteA.mydomain.com allow sites_server_1
> cache_peer 10.112.143.112 parent 80 0 no-query originserver login=PASS
> name=mywebsite.mydomain.com
> acl sites_server_2 dstdomain mywebsite.mydomain.com
> cache_peer_access mywebsite.mydomain.com allow sites_server_2
> acl webserver dst 10.112.62.20 10.112.143.112
> http_access allow webserver
> http_access allow all
> miss_access allow webserver
> miss_access deny all

Try without this miss_access.

Also, try with general http(s) access permitted to the accelerated sites.

Amos

> http_access allow manager localhost
> http_access deny manager
> http_access deny all
>
> In the above config I am hosting 2 websites which are running in my LAN,
> to publish outside using the SSL proxy. Also in /etc/hosts I am making 2
> entries for this:
>
> 10.112.62.20 websiteA.mydomain.com websiteA
> 10.112.143.112 mywebsite.mydomain.com mywebsite
>
> Let me know if you need any other help .
>
> Regards,
> Sudhir Gupta
> On 10/11/07, Dwyer, Simon <sdwyer@federalit.net> wrote:
>> Ok I have worked out the first issue which was a firewall rule issue.
>>
>> The http version is working fine now but the https one is still having
>> issues. This is what I am getting when browsing to it.
>>
>> ERROR
>> The requested URL could not be retrieved
>>
>> While trying to retrieve the URL: https://<website> /
>>
>> The following error was encountered:
>>
>> * Unable to forward this request at this time.
>>
>> This request could not be forwarded to the origin server or to any parent
>> caches. The most likely cause for this error is that:
>>
>> * The cache administrator does not allow this cache to make direct
>> connections to origin servers, and
>> * All configured parent caches are currently unreachable.
>>
>> Your cache administrator is sdwyer@federalit.net.
>> Generated Thu, 11 Oct 2007 05:21:58 GMT by <proxy>.federalit.net
>> (squid/2.6.STABLE10)
>>
>>
>>
>> -----Original Message-----
>> From: Dwyer, Simon
>> Sent: Thursday, 11 October 2007 4:13 PM
>> To: 'squid-users@squid-cache.org'
>> Subject: [squid-users] SSL Reverse Proxy
>>
>> Hi everyone,
>>
>> First time doing this so if I mess it up don't flame too much ☺
>>
>> I have an internal web server that needs to be reached from the outside
>> world.
>>
>> | Internal web server | <--> | Firewall | <--> | Squid Proxy | <--> |
>> Firewall | <--> Internet
>>
>> Between the web server and the proxy it will be standard http but from the
>> proxy to the internet it will be https. I have purchased a cert for the
>> domain used and generated all the stuff needed on the squid server for that
>> using openssl.
>>
>> I think these are the two relevant lines in my config.
>>
>> https_port 443 accel cert=/<path to cert>/cert.crt key=/<path to
>> key>/key.key defaultsite=<website> vhost
>>
>> cache_peer reports2.federalit.net parent 2002 0 no-query originserver
>> name=reports.federalit.net
>>
>> I know 2002 is a funny port but that's what the windows people have this
>> site running on.
>>
>> I also added the line
>>
>> http_port 80 accel defaultsite=reports.federalit.net vhost
>>
>> to see if I could get it working over just HTTP but that does the same
>> thing.
>>
>> It just sits there and times out very slowly...
>>
>> Any ideas would be great,
>>
>> Cheers,
>>
>> Simon Dwyer
>> Technology Services Group
>>
Received on Thu Oct 11 2007 - 16:18:59 MDT
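The thread turns on a handful of squid.conf details: the `accel` flag on the listening port, `login=PASS` on the origin peer, a `dst` ACL that only works because the Host names are pinned in /etc/hosts, an `http_access allow all`, and a `miss_access deny all`. The script below is an added example (not Squid's code and not anything the posters wrote): a small linter that parses a Squid 2.6-style accelerator config and flags each of those points. The two embedded configs are constructed for the example: the first is modelled on the config quoted above, with one peer deliberately lacking `login=PASS` as in Simon's first attempt; the second is the shape the advice converges on, with `reports.example.net`, `10.0.0.20` and the certificate paths as placeholders.

```python
"""Lint a Squid 2.6-style reverse-proxy (accelerator) config for the pitfalls
discussed in the thread: missing 'accel', peers without login=PASS, a 'dst'
ACL that needs name resolution, 'http_access allow all', 'miss_access deny',
and no 'never_direct'.  Added example; not code from Squid or the posters."""
import shlex
from typing import Dict, List

# Constructed: based on the config quoted in the thread.  Cert paths and the
# one peer without login=PASS (as in Simon's first attempt) are deliberate.
POSTED_CONFIG = """
https_port 443 cert=/etc/squid/testcert.cert key=/etc/squid/testkey.pem defaultsite=mywebsite.mydomain.com vhost
cache_peer 10.112.62.20 parent 80 0 no-query originserver login=PASS name=websiteA.mydomain.com
acl sites_server_1 dstdomain websiteA.mydomain.com
cache_peer_access websiteA.mydomain.com allow sites_server_1
cache_peer 10.112.143.112 parent 80 0 no-query originserver name=mywebsite.mydomain.com
acl sites_server_2 dstdomain mywebsite.mydomain.com
cache_peer_access mywebsite.mydomain.com allow sites_server_2
acl webserver dst 10.112.62.20 10.112.143.112
http_access allow webserver
http_access allow all
miss_access allow webserver
miss_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny all
"""

# Constructed: the shape the thread's advice converges on.  reports.example.net,
# 10.0.0.20 and the cert/key paths are placeholders.
HARDENED_CONFIG = """
https_port 443 accel cert=/etc/squid/cert.crt key=/etc/squid/key.key defaultsite=reports.example.net vhost
cache_peer 10.0.0.20 parent 2002 0 no-query originserver login=PASS name=reports
acl our_sites dstdomain reports.example.net
cache_peer_access reports allow our_sites
cache_peer_access reports deny all
http_access allow our_sites
http_access deny all
never_direct allow all
"""


def parse(config: str) -> List[List[str]]:
    """Split squid.conf into directive token lists, dropping comments and blanks."""
    rows = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(shlex.split(line))
    return rows


def lint(config: str) -> List[str]:
    """Return one finding string per pitfall found; an empty list means clean."""
    findings: List[str] = []
    peers: Dict[str, Dict[str, str]] = {}   # peer name -> option map
    acl_types: Dict[str, str] = {}          # acl name -> acl type
    has_never_direct = False
    for row in parse(config):
        d, args = row[0], row[1:]
        if d in ("http_port", "https_port"):
            opts = {a.split("=", 1)[0] for a in args[1:]}
            if ({"vhost", "defaultsite"} & opts) and "accel" not in opts:
                findings.append(f"{d} {args[0]}: vhost/defaultsite without 'accel'")
        elif d == "cache_peer":
            # cache_peer host type http_port icp_port [options]; name= defaults to host
            opts = dict(a.split("=", 1) if "=" in a else (a, "") for a in args[4:])
            name = opts.get("name", args[0])
            peers[name] = opts
            if "originserver" not in opts:
                findings.append(f"cache_peer {name}: not marked originserver")
            if "login" not in opts:
                findings.append(f"cache_peer {name}: no login= option; client credentials "
                                "are not passed to the origin (login=PASS if it authenticates)")
        elif d == "acl" and len(args) >= 2:
            acl_types[args[0]] = args[1]
        elif d == "cache_peer_access" and args[0] not in peers:
            findings.append(f"cache_peer_access: peer '{args[0]}' is not defined")
        elif d == "http_access" and args[0] == "allow":
            for acl in args[1:]:
                if acl == "all":
                    findings.append("http_access allow all: any Host is accepted; allow only "
                                    "the accelerated sites' dstdomain ACLs")
                elif acl_types.get(acl) == "dst":
                    findings.append(f"http_access allow {acl}: a 'dst' ACL resolves the Host "
                                    "header (DNS or /etc/hosts); use dstdomain instead")
        elif d == "miss_access" and args[0] == "deny":
            findings.append("miss_access deny: every accelerated request is a miss to the peer; "
                            "drop this unless you intend to refuse clients")
        elif d == "never_direct" and args[0] == "allow":
            has_never_direct = True
    if not has_never_direct:
        findings.append("no 'never_direct allow all': a Host matching no peer may be fetched DIRECT")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = lint(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it as-is and the posted-style config produces six findings while the hardened one produces none. The `dst` finding is the one behind the /etc/hosts trick in the thread: with `vhost`, a `dst` ACL has to resolve the client's Host header to an IP before it can match, so it silently depends on name resolution, whereas `dstdomain` matches the name directly. Note also that squid's `-D` switch only disables the start-up DNS test; it does not stop Squid from resolving names at run time.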
