On Wed, 09 Dec 2009 13:42:47 +0100 (CET), Ludovit Koren <ludovit_koren@xxxxxxxxxx> wrote:
> Amos Jeffries <squid3@xxxxxxxxxxxxx> writes:
>
>> On Tue, 08 Dec 2009 15:31:07 +0100 (CET), Ludovit Koren
>> <ludovit_koren@xxxxxxxxxx> wrote:
>>> Amos Jeffries <squid3@xxxxxxxxxxxxx> writes:
>>>
>>>> On Mon, 07 Dec 2009 17:59:22 +0100, Ludovit Koren
>>>> <Ludovit_Koren@xxxxxxxxxx> wrote:
>>>>> Hi,
>>>>>
>>>>> I have Debian Linux and Squid Version 2.7.STABLE3. As I understand
>>>>> from the documentation, there was some change in the version and I did
>>>>> not find relevant information on the net.
>>>>
>>>> NP: Please use the latest Squid version available, 2.7.STABLE7 is
>>>> available in backports if you need to.
>>>>
>>>>>
>>>>> I have the following scenario:
>>>>>
>>>>> client - https - squid - https - server1
>>>>> client - https - squid - http - server2
>>>>>
>>>>
>>>> Use this for reference:
>>>> http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
>>>>
>>>>>
>>>>> This is what I added to the squid.conf
>>>>>
>>>>> http_port 80 accel defaultsite=dflt1.domain.sk vhost
>>>>
>>>> This configures:
>>>>
>>>> Client - HTTP -> Squid.
>>>>
>>>> Which I note is missing from your specs. If your specs were right then
>>>> drop this and only use the https_port directive below.
>>>>
>>>
>>> yes, it is right.
>>> I am using it as reverse proxy for both HTTP and HTTPS
>>>
>>>>
>>>>> https_port 443 cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key
>>>>> defaultsite=dflt1.domain.sk vhost
>>>>>
>>>>> acl webmail dstdomain webmail.domain.sk
>>>>>
>>>>> cache_peer dflt1.domain.sk parent 80 0 no-query originserver
>>>>
>>>> Missing: name=dflt1
>>>>
>>>>
>>>
>>> when I copied it, it has lost, I have the parameter there, sorry
>>>
>>>>> cache_peer dflt1.domain.sk parent 443 0 no-query ssl
>>>>> sslflags=DONT_VERIFY_PEER front-end-https
>>>>> name=dflt1
>>>>
>>>>> cache_peer webmail.domain.sk parent 80 0 no-query originserver name=dflt2
>>>>>
>>>>>
>>>>> cache_peer_access dflt2 allow webmail
>>>>
>>>> Missing:
>>>> cache_peer_access dflt2 deny all
>>>>
>>>> cache_peer_access dflt1 allow !webmail
>>>>
>>>
>>> I have added your suggested lines
>>>
>>>> Also missing:
>>>> * list of domains to be passed to dflt1
>>>> * http_access lines to permit valid domain traffic to enter Squid.
>>>>
>>>>>
>>>>> According to log the redirection is either all the time http or https
>>>>> (if i add protocol=http to the configuration above):
>>>>>
>>>>> 1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET
>>>>> https://webmail.domain.sk/ - DIRECT/X.X.X.X text/html
>>>>>
>>>>>
>>>>>
>>>>> How can I configure squid as https reverse proxy and one page redirect to
>>>>> the https backend server and the second page redirect to the http
>>>>> backend server?
>>>>
>>>> What you had configured above is a reverse proxy which accepts both HTTP
>>>> and HTTPS connections. Then passes all requests to dflt1.domain.sk:80.
>>>>
>>>> If dflt1.domain.sk:80 became available or overloaded the
>>>> webmail.domain.sk
>>>> traffic would be pushed to dflt1.domain.sk:443 and the non-webmail.*
>>>> traffic would be dropped with an error.
>>>
>>> As I posted above, the traffic is pushed to correct host
>>> (webmail.domain.sk), but to the https and I need it to push to
>>> http.
>>> Everything else is working as I expect...
>>>
>>>
>>> Regards,
>>>
>>> lk
>>
>> Sorry I overlooked that you had two dflt1.* links; name= MUST be unique
>> for each cache_peer line.
>>
>> So...
>>
>> cache_peer dflt1.domain.sk parent 80 0 no-query originserver
>> name=dflt1-80
>> cache_peer dflt1.domain.sk parent 443 0 no-query ssl
>> sslflags=DONT_VERIFY_PEER front-end-https name=dflt1-443
>>
>> acl HTTP proto HTTP
>> cache_peer_access dflt1-80 allow HTTP !webmail
>> cache_peer_access dflt1-80 deny all
>>
>> acl HTTPS proto HTTPS
>> cache_peer_access dflt1-443 allow HTTPS !webmail
>> cache_peer_access dflt1-443 deny all
>>
>
> I must miss something. I have edited and added everything you wrote
> and still I get above line:
>
>
> 1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET
> https://webmail.domain.sk/ - DIRECT/X.X.X.X text/html
>
> and not http://webmail.domain.sk/
>

I see we have some flags missing.

Try:
  "accel" on the https_port.
  "originserver" on the cache_peer for HTTPS.

Amos
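
Added example, not part of the thread and not Squid project code: a short Python check that parses Squid native-format access.log lines and reports requests for the accelerated sites whose hierarchy field is DIRECT, as in the log line quoted above, meaning no cache_peer was selected for the request. The second sample line and its peer name are constructed for contrast, and parse_line, went_direct and misrouted are hypothetical helper names.

```python
"""Find accelerated requests that Squid forwarded DIRECT instead of via a cache_peer."""
from collections import namedtuple
from urllib.parse import urlsplit

Entry = namedtuple("Entry", "ts elapsed client result status size method url ident hier peer mime")

# Line 1 is the access.log line quoted in the thread. Line 2 is constructed
# for contrast: a request that was handed to a parent peer.
SAMPLE_LOG = """\
1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET https://webmail.domain.sk/ - DIRECT/X.X.X.X text/html
1260203480.101 42 Y.Y.Y.Y TCP_MISS/200 5120 GET http://dflt1.domain.sk/ - FIRST_UP_PARENT/dflt1-80 text/html
"""


def parse_line(line):
    """Parse one line of Squid's native access.log format; return None if malformed."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    result, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    try:
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                     int(f[4]), f[5], f[6], f[7], hier, peer, f[9])
    except ValueError:
        return None


def went_direct(entry):
    """True for DIRECT and its variants (e.g. TIMEOUT_DIRECT): no peer was used."""
    return entry.hier == "DIRECT" or entry.hier.endswith("_DIRECT")


def misrouted(entries, accelerated_hosts):
    """Entries for sites that should always go to a cache_peer but went direct."""
    return [e for e in entries
            if urlsplit(e.url).hostname in accelerated_hosts and went_direct(e)]


if __name__ == "__main__":
    parsed = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    for e in misrouted(parsed, {"webmail.domain.sk", "dflt1.domain.sk"}):
        print(f"{e.url} -> {e.hier}/{e.peer} status={e.status} (no cache_peer selected)")
```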