Re: [squid-users] problem to configure reverse proxy

From: Pascal Bourdais <pbourdais_at_chez.com>
Date: Thu, 14 Apr 2011 12:28:42 +0200

Le Fri, 25 Mar 2011 22:44:54 +1300,
Amos Jeffries <squid3_at_treenet.co.nz> a �crit :

Hi,

Thank you for your answer, and sorry for the very late answer, i've
been out for a very long time.

> On 25/03/11 22:09, Pascal Bourdais wrote:

>
> > I follow the doc at :
> > http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
> > but it give 1 certificate for 2 sites, and thus the certificat is not
> > valid when i access the sites.
>
> The point of using a wildcard is that is *is* valid for more than one
> domain. It says to the client that it is valid for all *.example.com
> domains hosted by that server.
>
> If they are not sub-domains then you will need a chained certificate
> (X.509 aliases), or a separate port for each HTTPS receiving domain.

They are all differents domain, i look for this later.
I have the site I want working, the https for the others are still with
apache.

All the wrap are done by my mua. And I correct my config as you suggest.

Is there a way to let them as this, and just let squid act as a switch
between several https sites ?

Pascal

<...>
> >
> > === squid.accel.conf ===
> > ## Sites http
> > http_port 80 accel defaultsite=A vhost
> >
> > cache_peer 192.168.13.10 parent 80 0 no-query no-digest originserver
> > name=serveur1 login=PASS
> >
> > acl sites_serveur1 dstdomain A B C D E
> > http_access allow sites_serveur1
> > cache_peer_access serveur1 allow sites_serveur1
> > cache_peer_access serveur1 deny all
> >
> > http_access allow sites_serveur1
> > miss_access allow sites_serveur1
> >
>
> Looks good.
>
> >
> > ## Sites https
> > https_port 443 cert=/usr/local/newrprgate/CertAuth/testcert.cert \
> > key=/usr/local/newrprgate/CertAuth/testkey.pem defaultsite=G vhost
> >
> > acl A_gi urlpath_regex ^/cgams
> > acl sites_cgams dstdomain G H
> >
> > cache_peer 192.168.13.10 parent 443 0 no-query no-digest originserver
> > name=cgams login=PASS
>
> > cache_peer_access cgams deny A_gi
>
> Watch the wrap on that (it is two lines).
>
> > cache_peer_access cgams allow sites_cgams
> >
> > cache_peer 192.168.1.21 parent 80 0 no-query no-digest originserver
> > forceddomain=dom name=gi
>
> > cache_peer_access gi allow A_gi
>
> Watch the wrap on that (it is two lines).
>
> This says that *any* domain A B C D E G H and *F* which starts the URL
> with /cgams may go to this peer.
>
> I think you want to replace that above "allow A_gi" line with:
>
> cache_peer_access gi allow sites_cgams A_gi
>
> > cache_peer_access gi deny all
> >
> > http_access allow sites_cgams
> > miss_access allow sites_cgams
> >
> > ## Sites OWA
> > cache_peer 192.168.13.44 parent 80 0 no-query no-digest originserver
> > name=xxx80
>
> (mind the wrap again. above is one line, below is a second.)
>
> > cache_peer 192.168.13.44 parent 443 0 no-query no-digest
> > originserver connection-auth=on login=PASS front-end-https=on name=xxx
> >
> > acl OWA dstdomain F
> > cache_peer_access xxx allow OWA
> > cache_peer_access xxx80 allow OWA
>
> What you have here is that *either* port 80 or port 443 may be used to
> pass traffic to OWA. The port 80 is preferred (listed first), with 443
> as a failover backup if that goes down or gets flooded.
>
> What I think you want is this:
>
> acl HTTPS proto HTTPS
> cache_peer_access xxx allow OWA HTTPS
> cache_peer_access xxx80 allow OWA !HTTPS
>
>
> That will keep the received port 80 and port 443 traffic going to the
> matching OWA ports.
>
> Amos

-- 
P.Bourdais
Infagri
Rue Albert Einstein
Parc Technopole de chang�
Bp 26116
53061 Laval Cedex 9
T�l: 02.43.49.84.40
Received on Thu Apr 14 2011 - 10:31:11 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 15 2011 - 12:00:03 MDT