On 16/11/2011 10:13 p.m., Javier Sansaloni Talens wrote:
Good morning,
My name is Javi and I live in Spain.
First of all, thank you for reading my questions. I have tried to
found the answer here and in google but I don't have found anything.
I have a question about reverse proxy with one public ip and more
back-end servers with SSL, I have attached an illustrative picture
with my web server structure.
I have 2 Apache servers, one of these with virtual hosts. I don't
have a problem with http conections. Now in https connections I can
work with only ssl certificate installed in squid and the other 2
servers but this is the same certificate . But in https connections I
would like to have one certificate in one server. (In the picture
Certificate1 and Certificate2) Is it possible?
You have configured "sslflags=DONT_VERIFY_PEER". Squid is ignoring the
certificates beyond the minimum required to encrypt packets.
I attach my configuration file too.
My configuration file (I have the certificate files currently
installed in /etc/squid/certificados)
*******************************************************************************************************************************************************************************************
http_port 80 accel defaultsite=www.burriana.es vhost
https_port 443 accel cert=/etc/squid/certificados/server.crt
key=/etc/squid/certificados/server.key defaultsite=www.burriana.es
vhost protocol=https
forwarded_for on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
cache_peer 192.168.20.13 parent 80 0 no-query no-digest originserver
name=etcote login=PASS
acl sites_etcote dstdomain www.adi.burriana.es adi.burriana.es
www.sme.burriana.es sme.burriana.es
acl our_sites dstdomain www.adi.burriana.es adi.burriana.es
www.sme.burriana.es sme.burriana.es
cache_peer_access etcote allow sites_etcote
cache_peer 192.168.20.13 parent 443 0 no-query originserver ssl
sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=etcote_ssl
acl site_etcote_ssl dstdomain www.adi.burriana.es adi.burriana.es
www.sme.burriana.es sme.burriana.es
"sites_etcote" and "our_sites" and "site_etcote_ssl" are identical.
Remove "our_sites" and "site_etcote_ssl".
cache_peer_access etcote_ssl allow site_etcote_ssl
acl https proto https
I suggest using:
acl https proto https
cache_peer_access etcote allow sites_etcote !https
cache_peer_access etcote_ssl allow site_etcote https
cache_peer 192.168.20.6 parent 80 0 no-query no-digest originserver
name=burriana login=PASS
acl sites_burriana dstdomain www.burriana.es burriana.es
acl our_sites2 dstdomain www.burriana.es burriana.es
cache_peer_access burriana allow sites_burriana
"sites_burriana" and "our_sites2" are identical. Remove our_sites2.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
Replace with:
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow our_sites2
http_access allow our_sites
#http_access allow our_sites_ssl
http_access allow https
Replace the above 4 lines with:
http_access allow site_etcote
http_access allow sites_burriana
http_access allow manager all
http_access allow manager
"all" is useless on the manager line. Remove the whole line
"http_access allow manager all ".
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
A set of deny lines ending in "deny all" is useless work for Squid.
Remove "deny !Safe_ports" and "deny CONNECT !SSL_ports".
Amos
