On Fri, 25 Mar 2011 22:44:54 +1300, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

Hi,

Thank you for your answer, and sorry for the very late answer, I've been out for a very long time.

> On 25/03/11 22:09, Pascal Bourdais wrote:
>
> > I follow the doc at :
> > http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
> > but it gives 1 certificate for 2 sites, and thus the certificate is not
> > valid when I access the sites.
>
> The point of using a wildcard is that it *is* valid for more than one
> domain. It says to the client that it is valid for all *.example.com
> domains hosted by that server.
>
> If they are not sub-domains then you will need a chained certificate
> (X.509 aliases), or a separate port for each HTTPS receiving domain.

They are all different domains, I will look at this later. I have the site I want working, the https for the others are still with apache. All the wraps are done by my MUA. And I corrected my config as you suggested.

Is there a way to leave them like this, and just let squid act as a switch between several https sites ?

Pascal

<...>
> >
> > === squid.accel.conf ===
> > ## Sites http
> > http_port 80 accel defaultsite=A vhost
> >
> > cache_peer 192.168.13.10 parent 80 0 no-query no-digest originserver
> > name=serveur1 login=PASS
> >
> > acl sites_serveur1 dstdomain A B C D E
> > http_access allow sites_serveur1
> > cache_peer_access serveur1 allow sites_serveur1
> > cache_peer_access serveur1 deny all
> >
> > http_access allow sites_serveur1
> > miss_access allow sites_serveur1
> >
>
> Looks good.
>
> >
> > ## Sites https
> > https_port 443 cert=/usr/local/newrprgate/CertAuth/testcert.cert \
> > key=/usr/local/newrprgate/CertAuth/testkey.pem defaultsite=G vhost
> >
> > acl A_gi urlpath_regex ^/cgams
> > acl sites_cgams dstdomain G H
> >
> > cache_peer 192.168.13.10 parent 443 0 no-query no-digest originserver
> > name=cgams login=PASS
>
> > cache_peer_access cgams deny A_gi
>
> Watch the wrap on that (it is two lines).
>
> > cache_peer_access cgams allow sites_cgams
> >
> > cache_peer 192.168.1.21 parent 80 0 no-query no-digest originserver
> > forceddomain=dom name=gi
>
> > cache_peer_access gi allow A_gi
>
> Watch the wrap on that (it is two lines).
>
> This says that *any* domain A B C D E G H and *F* which starts the URL
> with /cgams may go to this peer.
>
> I think you want to replace that above "allow A_gi" line with:
>
> cache_peer_access gi allow sites_cgams A_gi
>
> > cache_peer_access gi deny all
> >
> > http_access allow sites_cgams
> > miss_access allow sites_cgams
> >
> > ## Sites OWA
> > cache_peer 192.168.13.44 parent 80 0 no-query no-digest originserver
> > name=xxx80
>
> (mind the wrap again. above is one line, below is a second.)
>
> > cache_peer 192.168.13.44 parent 443 0 no-query no-digest
> > originserver connection-auth=on login=PASS front-end-https=on name=xxx
> >
> > acl OWA dstdomain F
> > cache_peer_access xxx allow OWA
> > cache_peer_access xxx80 allow OWA
>
> What you have here is that *either* port 80 or port 443 may be used to
> pass traffic to OWA. The port 80 is preferred (listed first), with 443
> as a failover backup if that goes down or gets flooded.
>
> What I think you want is this:
>
> acl HTTPS proto HTTPS
> cache_peer_access xxx allow OWA HTTPS
> cache_peer_access xxx80 allow OWA !HTTPS
>
>
> That will keep the received port 80 and port 443 traffic going to the
> matching OWA ports.
>
> Amos

--
P.Bourdais
Infagri
Rue Albert Einstein
Parc Technopole de changé
Bp 26116
53061 Laval Cedex 9
Tel: 02.43.49.84.40
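
Added example (not part of the original thread): a small Python model of how the cache_peer_access lines discussed in the reply above are evaluated, comparing the posted rules with the suggested ones. It assumes first-match-wins evaluation with the ACLs on one line ANDed, covers only the peers commented on in the reply, uses the thread's placeholder hosts A..H with constructed requests, and its function names are hypothetical.

```python
import re

# Matchers for the ACLs named in the thread. Hosts A..H are the thread's
# placeholders; requests are constructed dicts, not real traffic.
ACLS = {
    "A_gi": lambda r: re.search(r"^/cgams", r["path"]) is not None,
    "sites_cgams": lambda r: r["host"] in {"G", "H"},
    "OWA": lambda r: r["host"] == "F",
    "HTTPS": lambda r: r["proto"] == "HTTPS",
    "all": lambda r: True,
}

ORIGINAL = """
cache_peer_access cgams deny A_gi
cache_peer_access cgams allow sites_cgams
cache_peer_access gi allow A_gi
cache_peer_access gi deny all
cache_peer_access xxx allow OWA
cache_peer_access xxx80 allow OWA
"""

SUGGESTED = """
cache_peer_access cgams deny A_gi
cache_peer_access cgams allow sites_cgams
cache_peer_access gi allow sites_cgams A_gi
cache_peer_access gi deny all
cache_peer_access xxx allow OWA HTTPS
cache_peer_access xxx80 allow OWA !HTTPS
"""

def parse(conf):
    """Group cache_peer_access lines by peer name, keeping their order."""
    peers = {}
    for line in conf.split("\n"):
        if line.startswith("cache_peer_access "):
            _, peer, action, *names = line.split()
            peers.setdefault(peer, []).append((action, names))
    return peers

def allowed(rules, req):
    """First line whose ACLs all match decides; a leading '!' negates an ACL."""
    for action, names in rules:
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action == "allow"
    return rules[-1][0] == "deny"  # no line matched: opposite of the last line

def eligible_peers(conf, proto, host, path):
    """Sorted names of the peers whose rules accept this request."""
    req = {"proto": proto, "host": host, "path": path}
    return sorted(p for p, rules in parse(conf).items() if allowed(rules, req))
```

Running candidate rules through a model like this before reloading Squid shows which backends a given host and path combination can reach, which is the quickest way to spot a line that matches more domains than intended.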