Re: SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

On 21/09/10 00:02, Nikolaos Pavlidis wrote:
Hello Amos, all,

Many thanks for taking a look at my config!

Comments inline (easier)

On Fri, 2010-09-17 at 23:17 +1200, Amos Jeffries wrote:
On 17/09/10 19:32, Nikolaos Pavlidis wrote:
Hello Amos, all,

Thank you for your response. As far as understanding what you mean I do
(that's something at least), but I fail to see how this will be syntaxed.

Answers inline.


My config is as follows please advise(this is not working of course):

# NETWORK OPTIONS
# -----------------------------------------------------------------------------
http_port 80 accel defaultsite=www.domain.com vhost
https_port 443 cert=/etc/squid/uob/sid_domain.crt key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca defaultsite=sid.domain.com vhost

https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt key=/etc/squid/uob/helpdesk_domain.key cafile=/etc/squid/uob/helpdesk_domain.ca defaultsite=helpdesk.domain.com vhost

The public-facing IP address is needed to open multiple same-numbered ports.

(wrapped for easy reading)

https_port 10.0.0.1:443 accel vhost defaultsite=sid.domain.com
     cert=/etc/squid/uob/sid_domain.crt
     key=/etc/squid/uob/sid_domain.key
     cafile=/etc/squid/uob/sid_domain.ca

https_port 10.0.0.2:443 accel vhost defaultsite=helpdesk.domain.com
     cert=/etc/squid/uob/helpdesk_domain.crt
     key=/etc/squid/uob/helpdesk_domain.key
     cafile=/etc/squid/uob/helpdesk_domain.ca


Unfortunately that did not work! If I define an IP address on the port
it just stops working for some reason! squid reloads with no errors but
access to the host times out.


SSL is on the edge of my knowledge field. This is a bit of a black box to me now.

Hopefully someone else here knows more details of what to test.


To me it sounds a little like the SSL layer is failing to be set up or something. For example, if the IP does not match the certificate info domain rDNS, or Host: domain matching the cert, etc. debug_options 83,6 may have something relevant if it's something detected by Squid.


<snip>

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.css 1440 50% 2880 override-expire
refresh_pattern -i \.swf 1440 50% 2880 ignore-reload override-expire

Missing:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

That is actually not suggested for our CMS at the moment :/


huh? it specifies that dynamic pages are not to be cached unless they have Cache-Control/Expires. Not having this causes dynamic pages to be stored for maybe long periods after they should have been updated.

If there are parts of the site that it matches and are supposed to be cached for a while, add rules above it for those specific site parts.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
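As an added example (not code from the thread or from the Squid project), a small Python linter for the points Amos raises above: several https_port lines that reuse the same port number must each bind a distinct IP address, accel-mode options (vhost, defaultsite=) belong with accel, and a refresh_pattern for dynamic URLs should be present. The two embedded squid.conf samples are constructed to mirror the broken and corrected configs quoted in the thread; the 10.0.0.x addresses, domain.com hostnames and /etc/squid/uob paths are the thread's placeholders, not real values.

```python
"""Lint the reverse-proxy parts of a squid.conf for the issues raised in the
thread: same-numbered https_port lines without distinct IPs, accel-mode
options without 'accel', and a missing dynamic-URL refresh_pattern.
Added example, not Squid code."""
import re
from collections import defaultdict

# Constructed sample: the shape of the original (non-working) config from the
# thread, one directive per line. Hostnames and paths are placeholders.
BROKEN_CONF = r"""
# NETWORK OPTIONS
http_port 80 accel defaultsite=www.domain.com vhost
https_port 443 cert=/etc/squid/uob/sid_domain.crt key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca defaultsite=sid.domain.com vhost
https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt key=/etc/squid/uob/helpdesk_domain.key cafile=/etc/squid/uob/helpdesk_domain.ca defaultsite=helpdesk.domain.com vhost
# OPTIONS FOR TUNING THE CACHE
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i \.css 1440 50% 2880 override-expire
"""

# Constructed sample: the corrected shape suggested in the thread (distinct
# IPs, accel, and the dynamic-content rule). 10.0.0.x are placeholders.
FIXED_CONF = r"""
http_port 80 accel defaultsite=www.domain.com vhost
https_port 10.0.0.1:443 accel vhost defaultsite=sid.domain.com cert=/etc/squid/uob/sid_domain.crt key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca
https_port 10.0.0.2:443 accel vhost defaultsite=helpdesk.domain.com cert=/etc/squid/uob/helpdesk_domain.crt key=/etc/squid/uob/helpdesk_domain.key cafile=/etc/squid/uob/helpdesk_domain.ca
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern ^ftp: 1440 20% 10080
"""

# First token of an http(s)_port line: 443 | 10.0.0.1:443 | [::1]:443
LISTEN_RE = re.compile(r"^(?:(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\[\]]+)):)?(?P<port>\d+)$")


def parse_conf(text):
    """Return (directive, args) for every non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def parse_listener(args):
    """Split http(s)_port arguments into address, port and an options dict
    (bare flags such as 'accel' map to True, key=value options to the value)."""
    m = LISTEN_RE.match(args[0])
    if not m:
        raise ValueError("unrecognised listen spec: %s" % args[0])
    options = {}
    for tok in args[1:]:
        key, eq, val = tok.partition("=")
        options[key] = val if eq else True
    return {"addr": m.group("v6") or m.group("v4"),
            "port": int(m.group("port")), "options": options}


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    by_port = defaultdict(list)
    dynamic_rule = False
    for directive, args in parse_conf(text):
        if directive in ("http_port", "https_port") and args:
            lst = parse_listener(args)
            by_port[lst["port"]].append(lst)
            opts = lst["options"]
            if directive == "https_port" and "cert" not in opts:
                findings.append("%s %s: no cert= option" % (directive, args[0]))
            if ("vhost" in opts or "defaultsite" in opts) and "accel" not in opts:
                findings.append("%s %s: vhost/defaultsite used without 'accel'"
                                % (directive, args[0]))
        elif directive == "refresh_pattern":
            a = [x for x in args if x != "-i"]
            # a regex covering cgi-bin or '?' with "0 0% 0" is the dynamic-URL rule
            if len(a) >= 4 and re.search(r"cgi-bin|\\\?", a[0]) \
                    and a[1:4] == ["0", "0%", "0"]:
                dynamic_rule = True
    for port, lst in by_port.items():
        addrs = [l["addr"] for l in lst]
        if len(lst) > 1 and None in addrs:
            findings.append("port %d opened %d times but not every listener binds "
                            "an IP; each needs a distinct ip:port" % (port, len(lst)))
        elif len(set(addrs)) != len(addrs):
            findings.append("port %d: the same address is bound more than once" % port)
    if not dynamic_rule:
        findings.append("missing 'refresh_pattern -i (/cgi-bin/|\\?) 0 0% 0': "
                        "dynamic pages without Cache-Control/Expires will be cached")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf) or ["ok"])
```

Run stand-alone it reports four findings for the broken sample (two listeners using vhost/defaultsite without accel, port 443 opened twice with no bound IP, and the missing dynamic-URL rule) and none for the corrected one. The linter only reads the file; whether each IP:443 actually presents the intended certificate still has to be checked against the running proxy, as Amos suggests with debug_options 83,6.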

