Re: SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

On 17/09/10 19:32, Nikolaos Pavlidis wrote:
Hello Amos, all,

Thank you for your response. As far as understanding what you mean I do
(that's something at least) but I fail to see how this will be syntaxed.

Answers inline.


My config is as follows please advise(this is not working of course):

# NETWORK OPTIONS
# -----------------------------------------------------------------------------
http_port 80 accel defaultsite=www.domain.com vhost
https_port 443 cert=/etc/squid/uob/sid_domain.crt key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca defaultsite=sid.domain.com vhost

https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt key=/etc/squid/uob/helpdesk_domain.key cafile=/etc/squid/uob/helpdesk_domain.ca defaultsite=helpdesk.domain.com vhost

The public-facing IP address is needed to open multiple same-numbered ports.

(wrapped for easy reading)

https_port 10.0.0.1:443 accel vhost defaultsite=sid.domain.com
   cert=/etc/squid/uob/sid_domain.crt
   key=/etc/squid/uob/sid_domain.key
   cafile=/etc/squid/uob/sid_domain.ca

https_port 10.0.0.2:443 accel vhost defaultsite=helpdesk.domain.com
   cert=/etc/squid/uob/helpdesk_domain.crt
   key=/etc/squid/uob/helpdesk_domain.key
   cafile=/etc/squid/uob/helpdesk_domain.ca


visible_hostname www.domain.com
unique_hostname cache1.domain.com
offline_mode off
icp_port 3130
request_body_max_size 32 MB

# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------
cache_mem 4096 MB
maximum_object_size 8 MB
maximum_object_size_in_memory 256 KB

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
cache_dir aufs /var/cache/squid 61440 16 256
emulate_httpd_log on
logfile_rotate 100
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

Just for my interest, how does forcing apache "common" format with emulate_httpd_log mix with explicitly forcing a locally defined "combined" format? Which one do you expect to be used in the log?

cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

Only if you need it. Otherwise:
 cache_store_log none

debug_options ALL,1,33,3,20,3

(space needed between each section,level option pair.)
debug_options ALL,1 33,3 20,3


# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.css 1440 50% 2880 override-expire
refresh_pattern -i \.swf 1440 50% 2880 ignore-reload override-expire

Missing:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern . 1440 50% 4320 override-expire

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# reverse-proxy configuration
# -----------------------------------------------------------------------------

cache_peer 194.80.213.28 sibling 80 3130 proxy-only no-digest no-netdb-exchange

(this is where the deny from itself comes in handy to block looping)

cache_peer_access 194.80.213.28 deny from_cache2
cache_peer_access 194.80.213.28 allow all


cache_peer 10.1.62.230 parent 80 0 no-query originserver no-digest name=lhdl_cst_srv login=PASS
acl sites_lhdl_cst dstdomain lhdl.cst.domain.com
http_access allow sites_lhdl_cst
cache_peer_access lhdl_cst_srv allow sites_lhdl_cst
cache_peer_access lhdl_cst_srv deny from_cache2

missing "deny all" there.



cache_peer 212.219.119.48 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER no-digest name=beweb_srv_ssl login=PASS
acl sites_beweb_ssl dstdomain sid.domain.com
http_access allow sites_beweb_ssl
cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
cache_peer_access beweb_srv_ssl deny from_cache2
cache_peer_access beweb_srv_ssl deny all


Either:
  cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
  cache_peer_access beweb_srv_ssl deny all

OR
  cache_peer_access beweb_srv_ssl deny from_cache2
  cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
  cache_peer_access beweb_srv_ssl deny all

...makes sense.

The first set is a shorter/faster version of what your current settings do.

The second set is what they look like they were intended to be (blocking from sibling to that parent via here).

Same concept for the peer below.


cache_peer 10.1.108.15 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER no-digest name=helpdesk_srv_ssl login=PASS
acl sites_helpdesk_ssl dstdomain helpdesk.domain.com
http_access allow sites_helpdesk_ssl
cache_peer_access helpdesk_srv_ssl allow sites_helpdesk_ssl
cache_peer_access helpdesk_srv_ssl deny from_cache2
cache_peer_access helpdesk_srv_ssl deny all

# forward-proxy security restrictions
# -----------------------------------------------------------------------------
<snip>

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
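The two cache_peer_access points raised in the reply above (the rule ordering for beweb_srv_ssl, and the missing "deny all" on lhdl_cst_srv) come down to Squid's first-match evaluation of the list. The following is an added illustration, not code from the thread or from Squid itself: a small evaluator that walks the rules the way Squid does and compares the posted orderings with the suggested ones. It assumes from_cache2 is a src ACL matching the sibling 194.80.213.28, since the thread names that ACL but never shows its definition.

```python
# Added example: minimal first-match model of Squid's cache_peer_access lists.
# ACL table built from the thread's config; "from_cache2" is an ASSUMED
# definition (src = the sibling cache), "all" matches everything.
ACLS = {
    "sites_beweb_ssl": ("dstdomain", {"sid.domain.com"}),
    "sites_lhdl_cst": ("dstdomain", {"lhdl.cst.domain.com"}),
    "from_cache2": ("src", {"194.80.213.28"}),   # assumed
    "all": ("src", None),                       # None = match everything
}

def acl_matches(name, request):
    kind, values = ACLS[name]
    if values is None:
        return True
    field = "dst" if kind == "dstdomain" else "src"
    return request[field] in values

def peer_allowed(rules, request):
    """Walk the cache_peer_access lines in order; the first matching ACL
    decides. If nothing matches, squid.conf applies the opposite of the
    last line's action, which is why an explicit 'deny all' matters."""
    for action, acl in rules:
        if acl_matches(acl, request):
            return action == "allow"
    last_action = rules[-1][0]
    return last_action != "allow"

# beweb_srv_ssl as posted: the allow line matches sid.domain.com first, so
# the "deny from_cache2" below it can never fire for that site.
BEWEB_AS_POSTED = [("allow", "sites_beweb_ssl"),
                   ("deny", "from_cache2"), ("deny", "all")]
# Ordering suggested for the "block the sibling via here" intent.
BEWEB_INTENDED = [("deny", "from_cache2"),
                  ("allow", "sites_beweb_ssl"), ("deny", "all")]
# lhdl_cst_srv as posted (no trailing "deny all") and with it added.
LHDL_AS_POSTED = [("allow", "sites_lhdl_cst"), ("deny", "from_cache2")]
LHDL_FIXED = LHDL_AS_POSTED + [("deny", "all")]

# Constructed requests: one from the sibling cache, two from an ordinary client.
SIBLING_REQ = {"src": "194.80.213.28", "dst": "sid.domain.com"}
CLIENT_REQ = {"src": "203.0.113.5", "dst": "sid.domain.com"}
OTHER_SITE_REQ = {"src": "203.0.113.5", "dst": "helpdesk.domain.com"}

def compare(rules_a, rules_b, request):
    """Return (result under rules_a, result under rules_b) for one request."""
    return peer_allowed(rules_a, request), peer_allowed(rules_b, request)

if __name__ == "__main__":
    print("beweb, sibling:", compare(BEWEB_AS_POSTED, BEWEB_INTENDED, SIBLING_REQ))
    print("beweb, client: ", compare(BEWEB_AS_POSTED, BEWEB_INTENDED, CLIENT_REQ))
    print("lhdl, other:   ", compare(LHDL_AS_POSTED, LHDL_FIXED, OTHER_SITE_REQ))
```

The last line shows the leak the reply points at: without "deny all", a request for an unrelated site that matches no line falls through to the opposite of the last "deny" and is allowed to use the lhdl_cst_srv parent.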

