Re: Question about reverse proxy with one public ip and more backend servers with SSL

[Javier Sansaloni Talens <javier.sansaloni@xxxxxxxxxxx>]

Thank you for the advices and suggestions,

I have reviewed my squid.conf, and I attach in the next lines.

But I have the same question.

Is it possible to have in www.adi.burriana.es Certificate1 and 
www.sme.burriana.es Certificate2 running with squid?

 If I enter directly with my apache server (with vhosts) in my browser, 
If I write www.adi.burriana.es I have the Certificate1 and if I write 
www.sme.burriana.es I have the Certificate2.

But If I use the currently configuration in squid, If I write 
www.adi.burriana.es I have the certificate1 (server.crt) and If I write 
www.sme.burriana.es I have the Certificate1, too, and I wouldn't want to 
have the Certificate1, I'd want to have the Certificate2.




*****************************************************************************************************************************************************************************
http_port 80 accel defaultsite=www.burriana.es vhost
https_port 443 accel cert=/etc/squid/certificados/server.crt 
key=/etc/squid/certificados/server.key defaultsite=www.burriana.es vhost 
protocol=https
forwarded_for on

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

cache_peer 192.168.20.13 parent 80 0 no-query no-digest originserver 
name=etcote login=PASS
acl sites_etcote dstdomain www.adi.burriana.es adi.burriana.es 
www.sme.burriana.es sme.burriana.es
cache_peer_access etcote allow sites_etcote

cache_peer 192.168.20.13 parent 443 0 no-query originserver ssl 
sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=etcote_ssl
cache_peer_access etcote_ssl allow sites_etcote
acl https proto https


cache_peer 192.168.20.6 parent 80 0 no-query no-digest originserver 
name=burriana login=PASS
acl sites_burriana dstdomain www.burriana.es burriana.es
cache_peer_access burriana allow sites_burriana

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow sites_etcote
http_access allow sites_burriana

http_access allow manager
http_access deny all

access_log /var/log/squid/access.log
cache_mgr someone@xxxxxxxxxxxxx
************************************************************************************************************************************************************

Thank you for the responses,
Regards,









El 16/11/2011 10:57, Amos Jeffries escribió:
> On 16/11/2011 10:13 p.m., Javier Sansaloni Talens wrote:
> > Good morning,
> > My name is Javi and I live in Spain.
> > First of all, thank you for reading my questions.  I have tried to 
> > found the answer here and in google but I don't have found anything.
> >
> > I have a question about reverse proxy with one public ip and more 
> > back-end servers with SSL, I have attached an illustrative picture 
> > with my web server structure.
> >
> > I have 2 Apache servers, one of these with virtual hosts.  I don't 
> > have a problem with http conections.  Now in https connections I can 
> > work with only ssl certificate installed in squid and the other 2 
> > servers but this is the same certificate . But in https connections I 
> > would like to have one certificate in one server. (In the picture 
> > Certificate1 and Certificate2)  Is it possible?
>
> You have configured "sslflags=DONT_VERIFY_PEER".  Squid is ignoring 
> the certificates beyond the minimum required to encrypt packets.
>
> > I attach my configuration file too.
> >
> > My configuration file (I have the certificate files currently 
> > installed in /etc/squid/certificados)
> >
> > ******************************************************************************************************************************************************************************************* 
> >
> > http_port 80 accel defaultsite=www.burriana.es vhost
> > https_port 443 accel cert=/etc/squid/certificados/server.crt 
> > key=/etc/squid/certificados/server.key defaultsite=www.burriana.es 
> > vhost protocol=https
> > forwarded_for on
> >
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern .               0       20%     4320
> >
> > cache_peer 192.168.20.13 parent 80 0 no-query no-digest originserver 
> > name=etcote login=PASS
> > acl sites_etcote dstdomain www.adi.burriana.es adi.burriana.es 
> > www.sme.burriana.es sme.burriana.es
> > acl our_sites dstdomain www.adi.burriana.es adi.burriana.es 
> > www.sme.burriana.es sme.burriana.es
> > cache_peer_access etcote allow sites_etcote
> >
> > cache_peer 192.168.20.13 parent 443 0 no-query originserver ssl 
> > sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on 
> > name=etcote_ssl
> > acl site_etcote_ssl dstdomain www.adi.burriana.es adi.burriana.es 
> > www.sme.burriana.es sme.burriana.es
>
> "sites_etcote" and "our_sites" and "site_etcote_ssl" are identical. 
> Remove "our_sites" and "site_etcote_ssl".
>
> > cache_peer_access etcote_ssl allow site_etcote_ssl
> > acl https proto https
>
> I suggest using:
>   acl https proto https
>   cache_peer_access etcote allow sites_etcote !https
>   cache_peer_access etcote_ssl allow site_etcote https
>
>
> > cache_peer 192.168.20.6 parent 80 0 no-query no-digest originserver 
> > name=burriana login=PASS
> > acl sites_burriana dstdomain www.burriana.es burriana.es
> > acl our_sites2 dstdomain www.burriana.es burriana.es
> > cache_peer_access burriana allow sites_burriana
>
> "sites_burriana" and "our_sites2" are identical. Remove our_sites2.
>
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
>
> Replace with:
>   acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>
> > acl SSL_ports port 443
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443         # https
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl CONNECT method CONNECT
> >
> > http_access allow our_sites2
> > http_access allow our_sites
> > #http_access allow our_sites_ssl
> > http_access allow https
>
> Replace the above 4 lines with:
>   http_access allow site_etcote
>   http_access allow sites_burriana
>
>
> > http_access allow manager all
> > http_access allow manager
>
>   "all" is useless on the manager line.  Remove the whole line 
> "http_access allow manager all ".
>
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access deny all
>
> A set of deny lines ending in "deny all" is useless work for Squid. 
> Remove "deny !Safe_ports" and "deny CONNECT !SSL_ports".
>
>
> Amos


--
*Javier Sansaloni Talens*