On 25/03/11 22:09, Pascal Bourdais wrote:
Bonjour,
I'm stuck with a reverse proxy config.
I have one http server with 5 sites (http) and 2 https, 1 OWA& RPC
server which also serves logos on port 80.
What I want to do :
(I'm bad at ASCII art, but i give it a try :)
WWW ---- iptables/DNAT --- SQUID --- http 1
--- http 2 ...
--- https 1 --- http (acl A_gi)
--- https 2
--- OWA
I wrote this config file, and http seem's OK, but i don't understand
the way https works.
HTTPS encrypts the entire connection client->Squid just above the TCP
level. Including optionally the client IP:port and destination domain
name in various parts of the security exchange.
I follow the doc at :
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
but it give 1 certificate for 2 sites, and thus the certificat is not
valid when i access the sites.
The point of using a wildcard is that is *is* valid for more than one
domain. It says to the client that it is valid for all *.example.com
domains hosted by that server.
If they are not sub-domains then you will need a chained certificate
(X.509 aliases), or a separate port for each HTTPS receiving domain.
In the graphic, https 1 has a page with a frame which contains a page
in an other server which is accessed with http (not s).
Um, browser warnings arise from this "secure site contains insecure
objects" or similar.
From the Squid point of view they are unrelated objects. So does not
matter.
Thank you for any help.
=== squid.conf ===
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 172.25.53.0/24
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
include /etc/squid/squid.accel.conf
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir ufs /cache 100 16 256
cache_mem 100 MB
maximum_object_size_in_memory 10240 KB
=== end squid.conf ===
=== squid.accel.conf ===
## Sites http
http_port 80 accel defaultsite=A vhost
cache_peer 192.168.13.10 parent 80 0 no-query no-digest originserver
name=serveur1 login=PASS
acl sites_serveur1 dstdomain A B C D E
http_access allow sites_serveur1
cache_peer_access serveur1 allow sites_serveur1
cache_peer_access serveur1 deny all
http_access allow sites_serveur1
miss_access allow sites_serveur1
Looks good.
## Sites https
https_port 443 cert=/usr/local/newrprgate/CertAuth/testcert.cert \
key=/usr/local/newrprgate/CertAuth/testkey.pem defaultsite=G vhost
acl A_gi urlpath_regex ^/cgams
acl sites_cgams dstdomain G H
cache_peer 192.168.13.10 parent 443 0 no-query no-digest originserver
name=cgams login=PASS
cache_peer_access cgams deny A_gi
Watch the wrap on that (it is two lines).
cache_peer_access cgams allow sites_cgams
cache_peer 192.168.1.21 parent 80 0 no-query no-digest originserver
forceddomain=dom name=gi
> cache_peer_access gi allow A_gi
Watch the wrap on that (it is two lines).
This says that *any* domain A B C D E G H and *F* which starts the URL
with /cgams may go to this peer.
I think you want to replace that above "allow A_gi" line with:
cache_peer_access gi allow sites_cgams A_gi
cache_peer_access gi deny all
http_access allow sites_cgams
miss_access allow sites_cgams
## Sites OWA
cache_peer 192.168.13.44 parent 80 0 no-query no-digest originserver
name=xxx80
(mind the wrap again. above is one line, below is a second.)
cache_peer 192.168.13.44 parent 443 0 no-query no-digest
originserver connection-auth=on login=PASS front-end-https=on name=xxx
acl OWA dstdomain F
cache_peer_access xxx allow OWA
cache_peer_access xxx80 allow OWA
What you have here is that *either* port 80 or port 443 may be used to
pass traffic to OWA. The port 80 is preferred (listed first), with 443
as a failover backup if that goes down or gets flooded.
What I think you want is this:
acl HTTPS proto HTTPS
cache_peer_access xxx allow OWA HTTPS
cache_peer_access xxx80 allow OWA !HTTPS
That will keep the received port 80 and port 443 traffic going to the
matching OWA ports.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.5
