Thanks for your answer.
I tried this, but it doesn't solve my problem.
Web server should be hidden from outer network. But when using
defaultsite - client tries to connect with this server directly!
Redirect requests from server aren't changed by squid when passed to
client. And they should be.
Using dummy ssl port on the web server works well, but squid should
allow redirecting https->http without problems.
Henrik Nordstrom pisze:
On tis, 2008-05-06 at 11:37 +0200, Wojciech Durczyński wrote:
I try to set squid as a reverse proxy. Clients should connect via https,
and originserver is via http.
Tricky, unless your web server supports having an ssl frontend.. See the
front-end-https cache_peer option.
https_port 3129 accel vport protocol=http cert=/root/private/cacert.pem
key=/root/private/privkey.pem
The above should be
https_port 3129 accel defaultsite=your.website.name
cert=/root/private/cacert.pem key=/root/private/privkey.pem
Client shouldn't know anything about address of webserver.
It works well unless webserver generate
HTTP/1.0 302 Moved Temporarily
Location: http://neons_ip:3129/sth
neons_ip:3129 is due to your use of vport. vport makes Squid forward the
url as http://ip.of.http.port:portnumber/path and many web servers pick
this up from the Host header.
If you instead set defaultsite=your.website.name the Host header will be
the public website name and your webserver will think the proper URL for
the request is http://your.website.name/path
With front-end-https the webserver additinally has a chance (if it
supports the feature) to understand that there is an frontend SSL server
taking care of the SSL part and that the requested protocol really is
https even if the web server received the request over plain http.
If your web server do not support frontend SSL servers then it's often
better to set up a dummy ssl port on the web server, using a self-signed
certificate and have the https content there.
Regards
Henrik