On Tue, 2008-05-06 at 11:37 +0200, Wojciech Durczyński wrote:
> I try to set squid as a reverse proxy. Clients should connect via https,
> and originserver is via http.

Tricky, unless your web server supports having an ssl frontend.. See the
front-end-https cache_peer option.

> https_port 3129 accel vport protocol=http cert=/root/private/cacert.pem
> key=/root/private/privkey.pem

The above should be

https_port 3129 accel defaultsite=your.website.name cert=/root/private/cacert.pem key=/root/private/privkey.pem

> Client shouldn't know anything about address of webserver.
> It works well unless webserver generate
> HTTP/1.0 302 Moved Temporarily
> Location: http://neons_ip:3129/sth

neons_ip:3129 is due to your use of vport. vport makes Squid forward the
url as http://ip.of.http.port:portnumber/path and many web servers pick
this up from the Host header.

If you instead set defaultsite=your.website.name the Host header will be
the public website name and your webserver will think the proper URL for
the request is http://your.website.name/path

With front-end-https the webserver additionally has a chance (if it
supports the feature) to understand that there is a frontend SSL server
taking care of the SSL part and that the requested protocol really is
https even if the web server received the request over plain http.

If your web server does not support frontend SSL servers then it's often
better to set up a dummy ssl port on the web server, using a self-signed
certificate and have the https content there.

Regards
Henrik
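
The redirect behaviour described in the reply above, as an added example that is not part of the original message or of Squid: a small model of an origin server that builds its redirect URL from the Host header, plus a check for Location headers that would send an HTTPS client to plain http or to a different host. The origin model, the 192.0.2.10 address, the public port 443 and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

PUBLIC_HOST = "your.website.name"  # placeholder name used in the reply

def origin_redirect(headers, path):
    """Hypothetical origin: builds an absolute redirect from the Host header.

    Assumption: it switches to https only when it sees Front-End-Https: On,
    the request header Squid adds for a peer marked front-end-https.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = "https" if h.get("front-end-https", "").lower() == "on" else "http"
    return f"{scheme}://{h['host']}{path}"

def audit_location(location, public_host=PUBLIC_HOST, public_port=443):
    """List what is wrong with a Location header sent to an HTTPS client."""
    url = urlsplit(location)
    if not url.netloc:
        return []  # relative redirect stays on the origin the client used
    problems = []
    if url.scheme != "https":
        problems.append("scheme-downgrade")
    if (url.hostname or "").lower() != public_host.lower():
        problems.append("host-mismatch")
    if url.scheme == "https" and (url.port or 443) != public_port:
        problems.append("port-mismatch")
    return problems

# Constructed request headers as the origin would receive them from Squid.
CASES = {
    "vport": {"Host": "192.0.2.10:3129"},  # documentation IP, not from the thread
    "defaultsite": {"Host": PUBLIC_HOST},
    "defaultsite + front-end-https": {"Host": PUBLIC_HOST, "Front-End-Https": "On"},
}

def run_cases():
    return {name: audit_location(origin_redirect(hdrs, "/sth"))
            for name, hdrs in CASES.items()}

if __name__ == "__main__":
    for name, problems in run_cases().items():
        print(f"{name:32} {problems or 'ok'}")
```

The same `audit_location` check can be run over Location headers captured from the real proxy to confirm that no redirect leaves the public https site.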