On Tue, 08 Dec 2009 15:31:07 +0100 (CET), Ludovit Koren <ludovit_koren@xxxxxxxxxx> wrote:
> Amos Jeffries <squid3@xxxxxxxxxxxxx> writes:
>
>> On Mon, 07 Dec 2009 17:59:22 +0100, Ludovit Koren
>> <Ludovit_Koren@xxxxxxxxxx> wrote:
>>> Hi,
>>>
>>> I have Debian Linux and Squid Version 2.7.STABLE3. As I understand
>>> from the documentation, there was some change in the version and I did
>>> not find relevant information on the net.
>>
>> NP: Please use the latest Squid version available, 2.7.STABLE7 is
>> available in backports if you need to.
>>
>>>
>>> I have the following scenario:
>>>
>>> client - https - squid - https - server1
>>> client - https - squid - http - server2
>>>
>>
>> Use this for reference:
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
>>
>>>
>>> This is what I added to the squid.conf
>>>
>>> http_port 80 accel defaultsite=dflt1.domain.sk vhost
>>
>> This configures:
>>
>> Client - HTTP -> Squid.
>>
>> Which I note is missing from your specs. If your specs were right then
>> drop this and only use the https_port directive below.
>>
>
> yes, it is right. I am using it as reverse proxy for both HTTP and HTTPS
>
>>
>>> https_port 443 cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key defaultsite=dflt1.domain.sk vhost
>>>
>>> acl webmail dstdomain webmail.domain.sk
>>>
>>> cache_peer dflt1.domain.sk parent 80 0 no-query originserver
>>
>> Missing: name=dflt1
>>
>>
>
> when I copied it, it got lost, I have the parameter there, sorry
>
>>> cache_peer dflt1.domain.sk parent 443 0 no-query ssl sslflags=DONT_VERIFY_PEER front-end-https name=dflt1
>>
>>> cache_peer webmail.domain.sk parent 80 0 no-query originserver name=dflt2
>>>
>>>
>>> cache_peer_access dflt2 allow webmail
>>
>> Missing:
>> cache_peer_access dflt2 deny all
>>
>> cache_peer_access dflt1 allow !webmail
>>
>
> I have added your suggested lines
>
>> Also missing:
>> * list of domains to be passed to dflt1
>> * http_access lines to permit valid domain traffic to enter Squid.
>>
>>>
>>> According to log the redirection is either all the time http or https
>>> (if I add protocol=http to the configuration above):
>>>
>>> 1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET https://webmail.domain.sk/ - DIRECT/X.X.X.X text/html
>>>
>>>
>>>
>>> How can I configure squid as https reverse proxy and one page redirect to
>>> the https backend server and the second page redirect to the http
>>> backend server?
>>
>> What you had configured above is a reverse proxy which accepts both HTTP
>> and HTTPS connections. Then passes all requests to dflt1.domain.sk:80.
>>
>> If dflt1.domain.sk:80 became available or overloaded the webmail.domain.sk
>> traffic would be pushed to dflt1.domain.sk:443 and the non-webmail.*
>> traffic would be dropped with an error.
>
> As I posted above, the traffic is pushed to correct host
> (webmail.domain.sk), but to the https and I need it to push to
> http. Everything else is working as I expect...
>
>
> Regards,
>
> lk

Sorry I overlooked that you had two dflt1.* links; name= MUST be unique for
each cache_peer line.

So...

cache_peer dflt1.domain.sk parent 80 0 no-query originserver name=dflt1-80

cache_peer dflt1.domain.sk parent 443 0 no-query ssl sslflags=DONT_VERIFY_PEER front-end-https name=dflt1-443

acl HTTP proto HTTP
cache_peer_access dflt1-80 allow HTTP !webmail
cache_peer_access dflt1-80 deny all

acl HTTPS proto HTTPS
cache_peer_access dflt1-443 allow HTTPS !webmail
cache_peer_access dflt1-443 deny all

Amos
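
Added example (not part of the original thread and not Squid project code): a small Python check for the conditions raised in the replies above, namely a name= shared by two cache_peer lines, a peer whose cache_peer_access list has no explicit final "deny all", and sslflags=DONT_VERIFY_PEER, which turns off verification of the backend's certificate. The names lint_peers and SAMPLE_CONF are hypothetical, and the sample config is constructed from the lines quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample: the peers quoted in the thread, with both dflt1 lines
# sharing one name= and no "deny all" lines yet.
SAMPLE_CONF = """\
cache_peer dflt1.domain.sk parent 80 0 no-query originserver name=dflt1
cache_peer dflt1.domain.sk parent 443 0 no-query ssl sslflags=DONT_VERIFY_PEER front-end-https name=dflt1
cache_peer webmail.domain.sk parent 80 0 no-query originserver name=dflt2
acl webmail dstdomain webmail.domain.sk
cache_peer_access dflt2 allow webmail
cache_peer_access dflt1 allow !webmail
"""

def lint_peers(conf):
    """Return a sorted list of (peer_name, finding) for squid.conf text."""
    peers, rules, findings = [], {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        if tok[0] == "cache_peer" and len(tok) >= 5:
            opts = tok[5:]
            # Squid falls back to the hostname when name= is absent.
            name = next((o[5:] for o in opts if o.startswith("name=")), tok[1])
            peers.append(name)
            flags = next((o[9:] for o in opts if o.startswith("sslflags=")), "")
            if "DONT_VERIFY_PEER" in re.split(r"[:,]", flags):
                findings.append((name, "backend certificate not verified"))
        elif tok[0] == "cache_peer_access" and len(tok) >= 4:
            rules.setdefault(tok[1], []).append(tok[2:])
    for name, count in Counter(peers).items():
        if count > 1:
            findings.append((name, "duplicate peer name"))
    for name in set(peers):
        acl = rules.get(name)
        if not acl:
            findings.append((name, "no cache_peer_access rules"))
        elif acl[-1] != ["deny", "all"]:
            findings.append((name, "no explicit final 'deny all'"))
    for name in set(rules) - set(peers):
        findings.append((name, "cache_peer_access for unknown peer"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in lint_peers(SAMPLE_CONF):
        print(f"{name}: {finding}")
```

Run against the corrected peers from the last reply, the only remaining finding is the unverified backend certificate on dflt1-443.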