Amos Jeffries <squid3@xxxxxxxxxxxxx> writes:

> On Tue, 08 Dec 2009 15:31:07 +0100 (CET), Ludovit Koren
> <ludovit_koren@xxxxxxxxxx> wrote:
>> Amos Jeffries <squid3@xxxxxxxxxxxxx> writes:
>>
>>> On Mon, 07 Dec 2009 17:59:22 +0100, Ludovit Koren
>>> <Ludovit_Koren@xxxxxxxxxx> wrote:
>>>> Hi,
>>>>
>>>> I have Debian Linux and Squid Version 2.7.STABLE3. As I understand
>>>> from the documentation, there was some change in the version and I did
>>>> not find relevant information on the net.
>>>
>>> NP: Please use the latest Squid version available, 2.7.STABLE7 is
>>> available in backports if you need to.
>>>
>>>>
>>>> I have the following scenario:
>>>>
>>>> client - https - squid - https - server1
>>>> client - https - squid - http - server2
>>>>
>>>
>>> Use this for reference:
>>> http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
>>>
>>>>
>>>> This is what I added to the squid.conf
>>>>
>>>> http_port 80 accel defaultsite=dflt1.domain.sk vhost
>>>
>>> This configures:
>>>
>>> Client - HTTP -> Squid.
>>>
>>> Which I note is missing from your specs. If your specs were right then
>>> drop this and only use the https_port directive below.
>>>
>>
>> yes, it is right. I am using it as reverse proxy for both HTTP and HTTPS
>>
>>>
>>>> https_port 443 cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key defaultsite=dflt1.domain.sk vhost
>>>>
>>>> acl webmail dstdomain webmail.domain.sk
>>>>
>>>> cache_peer dflt1.domain.sk parent 80 0 no-query originserver
>>>
>>> Missing: name=dflt1
>>>
>>
>> when I copied it, it has lost, I have the parameter there, sorry
>>
>>>> cache_peer dflt1.domain.sk parent 443 0 no-query ssl sslflags=DONT_VERIFY_PEER front-end-https name=dflt1
>>>
>>>> cache_peer webmail.domain.sk parent 80 0 no-query originserver name=dflt2
>>>>
>>>>
>>>> cache_peer_access dflt2 allow webmail
>>>
>>> Missing:
>>> cache_peer_access dflt2 deny all
>>>
>>> cache_peer_access dflt1 allow !webmail
>>>
>>
>> I have added your suggested lines
>>
>>> Also missing:
>>> * list of domains to be passed to dflt1
>>> * http_access lines to permit valid domain traffic to enter Squid.
>>>
>>>>
>>>> According to log the redirection is either all the time http or https
>>>> (if i add protocol=http to the configuration above):
>>>>
>>>> 1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET https://webmail.domain.sk/ - DIRECT/X.X.X.X text/html
>>>>
>>>>
>>>> How can I configure squid as https reverse proxy and one page redirect to
>>>> the https backend server and the second page redirect to the http
>>>> backend server?
>>>
>>> What you had configured above is a reverse proxy which accepts both HTTP
>>> and HTTPS connections. Then passes all requests to dflt1.domain.sk:80.
>>>
>>> If dflt1.domain.sk:80 became available or overloaded the webmail.domain.sk
>>> traffic would be pushed to dflt1.domain.sk:443 and the non-webmail.*
>>> traffic would be dropped with an error.
>>
>> As I posted above, the traffic is pushed to correct host
>> (webmail.domain.sk), but to the https and I need it to push to
>> http. Everything else is working as I expect...
>>
>>
>> Regards,
>>
>> lk
>
> Sorry I overlooked that you had two dflt1.* links; name= MUST be unique
> for each cache_peer line.
>
> So...
>
> cache_peer dflt1.domain.sk parent 80 0 no-query originserver name=dflt1-80
> cache_peer dflt1.domain.sk parent 443 0 no-query ssl sslflags=DONT_VERIFY_PEER front-end-https name=dflt1-443
>
> acl HTTP proto HTTP
> cache_peer_access dflt1-80 allow HTTP !webmail
> cache_peer_access dflt1-80 deny all
>
> acl HTTPS proto HTTPS
> cache_peer_access dflt1-443 allow HTTPS !webmail
> cache_peer_access dflt1-443 deny all
>

I must miss something. I have edited and added everything you wrote and
still I get above line:

1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET https://webmail.domain.sk/ - DIRECT/X.X.X.X text/html

and not http://webmail.domain.sk/

lk
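
Added example, not part of the thread and not Squid code: a simplified Python model of how the cache_peer_access lines quoted above select a peer, assuming rules are checked in order, the first matching line decides, and ACL names on one line are ANDed. The function names are hypothetical.

```python
# Simplified model of cache_peer_access evaluation (illustration only,
# not Squid source). Peer names and ACLs are the ones quoted in the thread.

# ACLs as predicates over (scheme, host) of the request URL.
ACLS = {
    "webmail": lambda scheme, host: host == "webmail.domain.sk",  # dstdomain
    "HTTP": lambda scheme, host: scheme == "http",                # proto HTTP
    "HTTPS": lambda scheme, host: scheme == "https",              # proto HTTPS
}

# cache_peer_access lines per peer name, in configuration order.
RULES = {
    "dflt1-80": [("allow", ["HTTP", "!webmail"]), ("deny", ["all"])],
    "dflt1-443": [("allow", ["HTTPS", "!webmail"]), ("deny", ["all"])],
    "dflt2": [("allow", ["webmail"]), ("deny", ["all"])],
}


def acl_matches(name, scheme, host):
    """Evaluate one ACL reference; a leading '!' negates it."""
    if name.startswith("!"):
        return not acl_matches(name[1:], scheme, host)
    if name == "all":
        return True
    return ACLS[name](scheme, host)


def peer_allowed(peer, scheme, host):
    """First line whose ACLs all match decides allow or deny."""
    rules = RULES.get(peer, [])
    if not rules:
        return True  # assumption: a peer with no access lines is usable
    for action, acl_names in rules:
        if all(acl_matches(n, scheme, host) for n in acl_names):
            return action == "allow"
    # No line matched: the default is the opposite of the last line.
    return rules[-1][0] != "allow"


def eligible_peers(scheme, host):
    """Peers a request may be forwarded to, in configuration order."""
    return [p for p in RULES if peer_allowed(p, scheme, host)]


if __name__ == "__main__":
    for scheme, host in [("https", "webmail.domain.sk"),
                         ("https", "dflt1.domain.sk"),
                         ("http", "dflt1.domain.sk")]:
        print(scheme, host, "->", eligible_peers(scheme, host))
```

Under these rules an HTTPS request for webmail.domain.sk is eligible only for dflt2, the port 80 origin; the model covers peer selection only and does not explain the DIRECT entry in the log line.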