On Tue, Nov 3, 2009 at 1:16 PM, Brian Mearns <bmearns@xxxxxxxx> wrote:
> Several scripts on my server respond differently based on whether or
> not they are being accessed with a secure connection. I set up Squid
> as an accelerator-cache (reverse proxy) in front of this server, and
> all of a sudden these scripts don't detect the secure connection. I
> assume Squid is connecting to them over an unsecured connection even
> though it is accepting the secure connections. Can someone tell me how
> to set up squid to connect securely, or give me hints on which
> directives I should look at? I'm not using client certs or anything,
> so that's not an issue.
>
> Thanks,
> -Brian

Well, I found a solution, though I'm not sure it's the correct way to do it. In addition to adding a separate cache_peer that uses SSL and connects on port 443, I also set up cache_peer_access rules that only allow each cache_peer to be used for the correct connection type. If anyone can comment on this (whether or not it's a good way to do it, or if there are other/better/more-common ways to do it), I would very much appreciate it.

#Set up an unsecured port to work in accelerator/reverse proxy mode.
http_port 3128 accel defaultsite=brianpmearns.com vhost

#Set up a secure port to work in accelerator/reverse proxy mode.
https_port 3129 cert=/opt/apache2/conf/ssl/cert.pem key=/opt/apache2/conf/ssl/privkey.pem accel defaultsite=brianpmearns.com vhost

###These were the key lines for getting the proxy to connect to the server with HTTPS...
#First, define two different "peer" "caches", the first for secure connections, the second for unsecure.
cache_peer localhost parent 443 0 no-query originserver login=PASS ssl name=secureLocalhost sslflags=DONT_VERIFY_PEER
cache_peer localhost parent 80 0 no-query originserver login=PASS name=unsecureLocalhost

#Second, define a new ACL called "https" which is used for HTTPS protocol requests. Likewise for HTTP.
acl https proto HTTPS
acl http proto HTTP

#Now, only allow it to connect to the secureLocalhost "peer" for secure connections.
cache_peer_access secureLocalhost allow https
cache_peer_access secureLocalhost deny !https

#And just to be safe, make sure it can't choose the unsecured "peer" for secure connections.
cache_peer_access unsecureLocalhost allow http
cache_peer_access unsecureLocalhost deny https

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
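An added check for the peer routing in the config above (example code written for this page, not from Brian's post or from Squid): it parses the cache_peer, "acl NAME proto" and cache_peer_access lines of a squid.conf, evaluates the rules first-match, and reports any cleartext peer that an HTTPS request could still be forwarded to, plus any ssl peer with certificate verification switched off. Assumed here: when no cache_peer_access rule matches, Squid's usual access-list default (the opposite of the last rule) applies, and a peer with no rules is usable for every request.

```python
def parse_squid(conf):
    """Collect cache_peer definitions, 'acl NAME proto X' entries and cache_peer_access rules."""
    peers, acls, rules = {}, {}, []
    for parts in filter(None, (l.split("#", 1)[0].split() for l in conf.splitlines())):
        if parts[0] == "cache_peer":  # cache_peer host type http_port icp_port [options]
            p = {"host": parts[1], "port": int(parts[3]), "ssl": False, "verify": True}
            name = parts[1]
            for opt in parts[5:]:
                if opt == "ssl":
                    p["ssl"] = True
                elif opt.startswith("name="):
                    name = opt[5:]
                elif opt.startswith("sslflags=") and "DONT_VERIFY_PEER" in opt:
                    p["verify"] = False
            peers[name] = p
        elif parts[0] == "acl" and len(parts) > 3 and parts[2] == "proto":
            acls[parts[1]] = parts[3].upper()
        elif parts[0] == "cache_peer_access":
            rules.append((parts[1], parts[2], parts[3:]))
    return peers, acls, rules

def peer_allowed(peer, proto, acls, rules):
    """First matching rule wins; no match -> opposite of the last rule (assumed Squid default)."""
    last = None
    for p, action, terms in rules:
        if p == peer:
            last = action
            if all((acls.get(t.lstrip("!")) == proto) != t.startswith("!") for t in terms):
                return action == "allow"
    return last != "allow"

def audit(conf):
    """Findings: cleartext peers reachable by HTTPS requests, and ssl peers that skip verification."""
    peers, acls, rules = parse_squid(conf)
    findings = []
    for name, p in peers.items():
        if not p["ssl"] and peer_allowed(name, "HTTPS", acls, rules):
            findings.append(f"{name}: HTTPS requests can be forwarded in cleartext to port {p['port']}")
        if p["ssl"] and not p["verify"]:
            findings.append(f"{name}: DONT_VERIFY_PEER disables certificate checking")
    return findings

# Constructed sample: the two-peer fix from the post above.
FIXED = "\n".join([
    "cache_peer localhost parent 443 0 no-query originserver login=PASS ssl name=secureLocalhost sslflags=DONT_VERIFY_PEER",
    "cache_peer localhost parent 80 0 no-query originserver login=PASS name=unsecureLocalhost",
    "acl https proto HTTPS", "acl http proto HTTP",
    "cache_peer_access secureLocalhost allow https", "cache_peer_access secureLocalhost deny !https",
    "cache_peer_access unsecureLocalhost allow http", "cache_peer_access unsecureLocalhost deny https"])
```

Run `audit(FIXED)` against the posted config and the only finding left is the disabled peer verification; run it against a single port-80 originserver with no cache_peer_access rules and it reports the cleartext path that the original question describes.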