
Re: SQUID3 configuration in accelerator mode (reverse proxy)  http and https

On Sun 2006-07-16 at 21:24 +0200, gwaa wrote:
> Hello List,
> I try to setup with SQUID3:
> HTTP[internet:80]<-->[80:NATfirewall:3128]-->[SQUID3:80]<->[80:multiples web
> servers: IN LAN]

ok.

> HTTPS[internet:443]<-->[443:NATfirewall:10443]-->[SQUID3:443]<-->[443:multiple 
> web servers IN LAN]

ok, kind of... running a SSL domain based virtual host requires the use
of a wildcard certificate which most CAs either won't give you or
charge you a ridiculous sum for..

> Just to try HTTP accelerator mode, i insert in /usr/local/squid/etc/squid.conf 
> 
> http_access allow our_networks
> http_access allow all
> http_port 3128 accel vhost vport=80

Should read

http_port 80 vhost defaultsite=your.main.site
https_port 443 vhost defaultsite=your.main.site key=/path/to/ssl_key.pem cert=/path/to/ssl_cert.pem

> acl http proto http
> acl port3128 port 3128

Why port 3128?

> acl domains_server1 dstdomain .domaine1.com .domain2.com

ok.

> cache_peer 192.168.2.2 parent 3128 0 no-query originserver name=www-servers

Kind of.. should be one per web server, or none.. and ports and options
need to match what the server uses. 3128 does not look right..

> cache_peer_access www-servers allow domains_server1

Ok, except that it should consider if it's http or https...

> http_access allow http port3128 domains_server1

Ok, assuming the port3128 ACL gets redefined proper.

> always_direct allow domains_server1

Don't..

Or if you do that, don't define any cache_peers. But the cache_peer
based request forwarding is generally more flexible, especially if you
want to add redundancy to some web servers etc.

> But i always have this error:
> While trying to retrieve the URL: http://www.domain1.com/ 
>  The following error was encountered: 
>  Access Denied.  

Your current http_access rule is the culprit.. vport=80 makes the
reconstructed URLs all use port 80, while your http_access rule looks
for port 3128...

Regards
Henrik
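
A complete squid.conf fragment that applies Henrik's corrections to the original setup (one peer per origin server on the ports it actually speaks, port ACLs matching the reconstructed 80/443 URLs, separate http/https routing, no always_direct). This is an added example, not text from Henrik, gwaa or the Squid project; the backend address 192.168.2.2, the certificate and CA file paths and the domain names are assumptions.

```conf
# Added example (not from the original thread). Squid 3 accelerator config
# for the HTTP+HTTPS reverse proxy discussed above. The IP, paths and
# domains below are placeholders.

# Listen on the real service ports. vhost rebuilds the URL from the Host
# header, so the port ACLs further down must match 80/443, not 3128.
http_port 80 accel vhost defaultsite=www.domain1.com
https_port 443 accel vhost defaultsite=www.domain1.com cert=/usr/local/squid/etc/ssl_cert.pem key=/usr/local/squid/etc/ssl_key.pem

# One cache_peer per origin server, using the port and protocol the server
# really uses: 80 plain, 443 TLS. Verify the backend's certificate against
# a CA file instead of using sslflags=DONT_VERIFY_PEER.
cache_peer 192.168.2.2 parent 80 0 no-query originserver name=server1_http
cache_peer 192.168.2.2 parent 443 0 no-query originserver ssl sslcafile=/usr/local/squid/etc/lan-ca.pem name=server1_https

acl our_sites dstdomain .domain1.com .domain2.com
acl http proto http
acl https proto https
acl port80 port 80
acl port443 port 443

# Accept only requests for the sites this accelerator fronts and deny the
# rest; the original "http_access allow all" turns the box into an open proxy.
http_access allow http port80 our_sites
http_access allow https port443 our_sites
http_access deny all

# Send plain and TLS requests to the matching peer, and never let Squid
# resolve the public hostname and connect to it directly (through the NAT
# firewall that would be Squid itself).
cache_peer_access server1_http allow http our_sites
cache_peer_access server1_http deny all
cache_peer_access server1_https allow https our_sites
cache_peer_access server1_https deny all
never_direct allow all
```

Check the file with `squid -k parse` before reloading. Additional origin servers get their own cache_peer lines and cache_peer_access rules keyed on their own dstdomain ACLs; the https_port certificate still has to cover every name served on 443, which is the wildcard-certificate caveat Henrik raises above.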
