Search squid archive

Reverse Proxy for multiple SSL sites on same server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I am struggling with a setup where I am adding a parent web server behind my reverse proxy that has multiple ssl sites running under the same name but on different ports.  The site on the default port 443 works, but I can't get it to forward to the parent on the second site running on port 444.  The server is already running several ssl sites on 443 using a UCC SSL cert with subject alternative names

Here are the relevant parts of the setup:

https_port 10.50.20.10:443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=www.mydomain.com vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
https_port 10.50.20.10:444 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=secure.mydomain.com:444 vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

acl ssl_secure proto HTTPS
acl securesite444 url_regex -i ^https://secure.mydomain.com:444/
acl securesite url_regex -i ^https://secure.mydomain.com/
acl parentserver dst 10.20.10.62/32

http_access deny securesite444 !ssl_secure
http_access allow securesite444 ssl_secure
http_access deny securesite !ssl_secure
http_access allow securesite ssl_secure
http_access allow parentserver ssl_secure
http_access deny ssl_secure

cache_peer 10.20.10.62 parent 444 0 ssl no-query originserver name=parent444 sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_domain parent444 secure.mydomain.com
cache_peer_access parent444 allow securesite444 ssl_secure

cache_peer 10.20.10.62 parent 443 0 ssl no-query originserver name=parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_domain parent secure.mydomain.com
cache_peer_access parent allow securesite ssl_secure


The logs show both the SSL listening ports were started, and both parents configured, however when accessing https://secure.mydomain.com:444/ it reports that it was unable to select source.

2011/01/14 13:49:51| Accepting HTTPS connections at 10.50.20.10:443, FD 71.
2011/01/14 13:49:51| Accepting HTTPS connections at 10.50.20.10:444, FD 72.
2011/01/14 13:49:51| Configuring Parent 10.20.10.62/443/0
2011/01/14 13:49:51| Configuring Parent 10.20.10.62/444/0
2011/01/14 13:49:51| Ready to serve requests.
-----BEGIN SSL SESSION PARAMETERS-----
MIGMAgEBAgIDAQQCAC8EIBe26zUEsTBKHRt+Bvw3c9j5XNAArlUDi0Zq6qSncolM
BDCuSmhFVdKHBuflZ2nY/N1UPGY8syDnGlUyDEIQdwFdMveOyawuMJmqeVePI2NI
eKOhBgIETTCo5aIEAgIBLKQCBACmGQQXb3JzY2hlbG5oci5vcnNjaGVsbi5jb20=
-----END SSL SESSION PARAMETERS-----
2011/01/14 13:49:57| Failed to select source for 'https://secure.mydomain.com:444/'
2011/01/14 13:49:57|   always_direct = 0
2011/01/14 13:49:57|    never_direct = 0
2011/01/14 13:49:57|        timedout = 0

Does anyone have any idea what I am missing in the parent configuration or access rule list that is not allowing the reverse proxy to find and use the parent server?

Thanks,
     Dean Weimer



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux