On 16/09/10 16:11, mikek wrote:
> Amos Jeffries-2 wrote:
>> Close, there are some problems:
>> https_port still needs accel and maybe vhost options to be a real
>> accelerator.
>> always_direct prevents the cache_peer config ever being used.
>> Is the public DNS that clients are connecting to xxxxx.appspot.com or
>> secure.xxxxx.com?
>> You may need to add the forcedomain=xxxxx.appspot.com option to
>> cache_peer and remove the always_direct.
>> Amos
>
> Thanks very much Amos.
> The public clients are connecting to secure.xxxxx.com, and then squid is
> proxying the request to xxxxx.appspot.com.
> My understanding is that to use vhost or accel with https_port, you needed a
> wildcard SSL cert, which I don't have. Is that right?

accel is just to turn on reverse-proxy mode so the partial URLs normally
only sent to web servers are accepted.
vhost is required for multiple domains, but can work just as well with a
single one being served. Just means Squid pulls the public domain name
the client is contacting from Host: header instead of making assumptions
from defaultsite=.
It helps the security checks if Squid can reject bogus requested
domains early.

> I'm not sure what you mean here: always_direct prevents the cache_peer
> config ever being used.

Before Squid starts figuring out where a MISS request is going to come
from it checks the always_direct list. If it matches then Squid skips
the cache_peer checks and goes straight to DNS to find out where the web
server is.
This is usually a bad idea in reverse-proxies, since the DNS will most
often be pointing at the proxy itself for the public visitors.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.8
Beta testers wanted for 3.2.0.2
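
The checks discussed in this thread, as an added example that is not part of the original messages: a small lint that flags an https_port without accel, an always_direct allow rule sitting next to an originserver cache_peer, and a peer whose host differs from the public site name with no forcedomain=. The two configs are constructed samples; the certificate path, the peer name and the use of never_direct in the corrected config are assumptions.

```python
# Added example: a lint for the reverse-proxy problems discussed in this thread.
# BEFORE/AFTER are constructed configs; the cert path and peer name are placeholders.
BEFORE = """\
https_port 443 cert=/path/to/cert.pem defaultsite=secure.xxxxx.com
cache_peer xxxxx.appspot.com parent 443 0 no-query originserver ssl name=origin
always_direct allow all
"""
AFTER = """\
https_port 443 accel vhost cert=/path/to/cert.pem defaultsite=secure.xxxxx.com
cache_peer xxxxx.appspot.com parent 443 0 no-query originserver ssl forcedomain=xxxxx.appspot.com name=origin
never_direct allow all
"""


def directives(conf):
    """Yield (name, args) for each directive, skipping blank and comment lines."""
    for line in conf.splitlines():
        words = line.split()
        if words and not words[0].startswith("#"):
            yield words[0], words[1:]


def lint(conf):
    """Return findings for a config that fronts an originserver cache_peer."""
    parsed = list(directives(conf))
    if not any(n == "cache_peer" and "originserver" in a for n, a in parsed):
        return []  # not an accelerator setup; these checks do not apply
    # Public site names declared on the HTTPS listening ports.
    sites = {opt.split("=", 1)[1] for n, a in parsed if n == "https_port"
             for opt in a if opt.startswith("defaultsite=")}
    findings = []
    for name, args in parsed:
        if name == "https_port" and "accel" not in args:
            port = " ".join(args[:1])
            findings.append(f"https_port {port}: missing 'accel' (reverse-proxy mode is off)")
        elif name == "cache_peer" and "originserver" in args:
            forced = any(opt.startswith("forcedomain=") for opt in args)
            if sites and args[0] not in sites and not forced:
                findings.append(f"cache_peer {args[0]}: public site name differs from the "
                                "peer host; forcedomain= may be needed")
        elif name == "always_direct" and args[:1] == ["allow"]:
            findings.append("always_direct allow: matching requests skip cache_peer "
                            "and are resolved via DNS")
    return findings


if __name__ == "__main__":
    for label, conf in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, lint(conf) or "no findings")
```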