It does not make sense to encrypt the web pages twice. Why not cache a regular page at the HTTP port, then send it out with SSL? It seems to me it won't work with double encryption.

You can try it. If you use Windows, 2.6S3 works. Any revision will work on Unix. The following script makes a certificate for Squid on Windows, followed by an example of squid.conf (SSL enabled). I have a binary for Windows XP. I compiled it with Cygwin. If you want to install on Unix, it is very easy. Just

./configure --with-openssl=.../openssl/include;make;make install; cd .. squid/var;make cache cd .. squid/sbin; squid -z; squid

Or do a squid -k parse to test the configuration file before you run.

rem Create a self-signed demo CA (private key and certificate)
c:\openssl\bin\openssl.exe req -new -x509 -keyout c:\squid\etc\demoCA\private\cakey.pem -out c:\squid\etc\demoCA\cacert.pem -days 365 -subj /C=JP/ST=H2iDsZPErqitxps9V86g/L=X8KGZ3iBX5G/OU=wPAV4SQ9ZC8OaSb4S/O=s4R0TH/CN=eO1fsP9t/emailAddress=4mkDvu@xxxxxxxxxxxxxxxxxxxx -passout pass:z4xZcLW2c4Nty
rem Create the server key and a certificate request
c:\openssl\bin\openssl.exe req -new -keyout key.pem -out req.pem -days 365 -subj /C=JP/ST=H2iDsZPErqitxps9V86g/L=X8KGZ3iBX5G/OU=wPAV4SQ9ZC8OaSb4S/O=s4R0TH/CN=eO1fsP9t/emailAddress=4mkDvu@xxxxxxxxxxxxxxxxxxxx -passout pass:z4xZcLW2c4Nty
rem Remove the passphrase from the server key so Squid can load it unattended
copy key.pem key.pem.old
c:\openssl\bin\openssl.exe rsa -in key.pem.old -out key.pem -passin pass:z4xZcLW2c4Nty
rem Sign the request with the demo CA, then start Squid
c:\openssl\bin\openssl.exe ca -in c:\squid\etc\req.pem -out c:\squid\etc\cert.pem -passin pass:z4xZcLW2c4Nty -batch
c:\squid\sbin\squid.exe

squid.conf

# Listeners: plain HTTP on loopback, SSL on 443 (terminated by Squid)
http_port 127.0.0.1:80 defaultsite=ddint.org
https_port 443 cert=c:\squid\etc\cert.pem key=c:\squid\etc\key.pem defaultsite=breakevilaxis.org
# Origin servers, contacted over plain HTTP (no ssl option on the peers)
cache_peer breakevilaxis.org parent 8800 0 originserver name=futurechinaforum
cache_peer ddint.org parent 80 0 originserver name=ddint
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log c:/squid/var/logs/access.log squid
debug_options ALL,9
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl breakevilaxis.org dstdomain breakevilaxis.org
acl ddint.org dstdomain ddint.org
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow ddint.org
http_access allow breakevilaxis.org
http_access allow localhost
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
# Route each site to its own origin server
cache_peer_access futurechinaforum allow breakevilaxis.org
cache_peer_access ddint allow ddint.org
visible_hostname ddint.org
coredump_dir c:/squid/var/cache

On 9/26/06, Arief Kurniawan <ariefk.milis@xxxxxxxxx> wrote:
I'd like to accelerate our backend HTTPS server; the SSL cert is held by the backend server (IP 192.168.1.1).

In squid.conf:

http_port 443 vhost
cache_peer 192.168.1.1 parent 443 0 originserver name=myapps
http_access allow all

The questions are:
- Will the squid.conf above be able to redirect any request from a client to https://192.168.1.1 ?
- Or should Squid be configured with https_port and obtain another SSL cert?
- Which is better for this purpose, Squid 3 or Squid 2.6?

Any pointers?

Regards,
Arief K
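
Added example, not part of either message: a small lint that checks where TLS is actually spoken in a Squid 2.6/3.x accelerator config, run over the two configurations from this thread (embedded below as sample input). The directive and option names are Squid's own; the function names and finding codes are made up for this example.

```python
# Added example: lint for the TLS placement discussed in this thread.
# http_port, https_port, cache_peer, cert= and ssl are Squid 2.6/3.x syntax;
# lint(), port_of() and the finding codes are hypothetical names.

QUESTION_CONF = """\
http_port 443 vhost
cache_peer 192.168.1.1 parent 443 0 originserver name=myapps
http_access allow all
"""

REPLY_CONF = """\
http_port 127.0.0.1:80 defaultsite=ddint.org
https_port 443 cert=c:\\squid\\etc\\cert.pem key=c:\\squid\\etc\\key.pem defaultsite=breakevilaxis.org
cache_peer breakevilaxis.org parent 8800 0 originserver name=futurechinaforum
cache_peer ddint.org parent 80 0 originserver name=ddint
"""

def port_of(listen):
    """'443', '127.0.0.1:80' or '[::1]:443' -> port number."""
    return int(listen.rsplit(":", 1)[-1])

def lint(conf):
    """Return [(line_number, finding_code)] for TLS mismatches."""
    findings = []
    for n, line in enumerate(conf.splitlines(), 1):
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        name, args = tok[0], tok[1:]
        if name == "http_port" and args and port_of(args[0]) == 443:
            # http_port never speaks TLS, whatever the port number.
            findings.append((n, "plain-http-listener-on-443"))
        elif name == "https_port" and not any(a.startswith("cert=") for a in args):
            # An https_port listener needs a certificate to present.
            findings.append((n, "https_port-without-cert"))
        elif name == "cache_peer" and len(args) >= 3:
            # args: hostname, type, http-port, icp-port, options...
            if args[2] == "443" and "ssl" not in args[4:]:
                # Without the ssl option the peer is contacted in plain HTTP.
                findings.append((n, "peer-443-without-ssl"))
    return findings

if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("reply", REPLY_CONF)):
        print(label, lint(conf) or "no TLS mismatches")
```
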