On 25/05/11 11:07, Anna K. Hegedus wrote:
Hey everyone,
I figured out what was going on and have everything working smoothly.
for future references, here's what I did:
1.) configure squid. Here's the relevant chunk of the config:
---
https_port 443 cert=/usr/misc/certs/squid.cert
key=/usr/misc/certs/squid.pem defaultsite=testbench112.cnbc.cmu.edu
http_port 80 defaultsite=testbench112.cnbc.cmu.edu
If you want it to be secure I would advise removing defaultsite (used to
cope with legacy broken software, rejecting such brokenness is one
security layer).
Replacing it with "accel vhost" instead.
cache_peer sourceserver112.cnbc.cmu.edu parent 80 0 no-query login=PASS
originserver name=server1
acl our_sites dstdomain localhost 127.0.0.1 sourceserver.cnbc.cmu.edu
testbench112.cnbc.cmu.edu
NP: "defaultsite=" option on the http_port lines forces the domain to
always be "testbench112.cnbc.cmu.edu". Which prevents alternative
domains matching and disables these domain-based attack protections.
http_access allow our_sites
cache_peer_access server1 allow our_sites
url_rewrite_program /usr/local/bin/rewritehttps
url_rewrite_children 10
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
---
2.) Rewrite the URLs presented to Squid with a rewrite script as seen
above in /usr/local/bin/rewritehttps:
---
#!/usr/bin/perl
#
# URL rewriter for squid to convert HTTP requests to HTTPS.
$| = 1;
while (<>) {
s/^http:/301:https:/;
print;
}
---
Unless this looks horribly wrong to someone's keen eye, I'm going to
roll with it. Everything seems to be working as planned, and nothing has
caught fire yet :) I'd assume that this would also be useful for going
the opposite way, just change the script's https and http around and
change the cache peer to 443 instead of 80.
That is pretty much how it has to be done for 3.1 and older. 3.2 offer
deny_info redirects to replace the re-writer.
FYI:
The Squid URL re-write interface will do a lot of extra work
duplicating the request whenever it is told that the URL has changed.
*** Even if the URL has not actually been altered! ***
Send an empty ("") line back to Squid unless you are actually wanting
to change the request.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.7 and 3.1.12.1
