
Re: reverse proxy config


 



On 18/02/2012 3:09 a.m., Erich Titl wrote:
Hi Folks

I am trying to set up a reverse proxy for a number of systems, but
appear to fail to define the cache peer correctly.

The reverse proxy settings

####################################################################################
# squid reverse proxy settings for ssl acceleration
# content shamelessly adapted from
# http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
# Copyleft 2012 erich.titl@xxxxxxxx
####################################################################################

https_port 443 cert=/etc/squid3/gever.crt key=/etc/squid3/gever.key accel protocol=http

Why set protocol http://  ??

You are missing vhost (locate and use HTTP/1.1 Host: header. 3.1 and older Squid have it absent for HTTP/1.0 compliance) and/or defaultsite (domain to use as URL domain if none can be located).


# peer pfaeffikon
cache_peer pfaeffikon.gever.asp.ruf.ch parent 8083 0 no-query originserver name=pfaeffikon-ssl
cache_peer_domain pfaeffikon-ssl m278.asp.ruf.ch

acl sites_server_104 dstdomain m278.asp.ruf.ch
cache_peer_access pfaeffikon-ssl allow sites_server_104

Note: cache_peer_access and cache_peer_domain are alternative methods of deciding whether to service the request there. You can drop one of them.

http_access allow sites_server_104
####################################################################################

Here is an excerpt of the cache.log file

2012/02/17 14:47:07 kid1| Accepting HTTP Socket connections at
local=[::]:8080 remote=[::] FD 15 flags=9
2012/02/17 14:47:07 kid1| Accepting reverse-proxy HTTPS Socket
connections at local=[::]:443 remote=[::] FD 16 flags=9
2012/02/17 14:47:07 kid1| Configuring Parent
pfaeffikon.gever.asp.ruf.ch/8083/0
2012/02/17 14:47:07 kid1| Configuring Parent

To me it looks like the cache peer is not accessed correctly.

Maybe. That config says the peer will only service http://m278.asp.ruf.ch:443/* URLs. And does so without encryption on the squid<->peer link.


The goal is to terminate https requests on the proxy and forward the
requests for pfaeffikon.gever.asp.ruf.ch to a peer called
m278.asp.ruf.ch on port 8083

I see the requests arriving at the squid host, but it appears that it
does not use the host specified in the peer parameters but uses the name
of the original request host.

Yes. Exactly so. The client is asking for https://pfaeffikon.gever.asp.ruf.ch/. Squid will attempt to service that request.

You have told Squid to only accept requests for the domain m278.asp.ruf.ch.

Amos
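
The points raised in the reply above, collected into one squid.conf fragment. This is an added example, not part of the original thread; it assumes, from the stated goal, that the public name is pfaeffikon.gever.asp.ruf.ch and the origin server is m278.asp.ruf.ch on port 8083, and the closing `deny all` rules are an addition.

```conf
# Added example: reverse proxy that terminates TLS for the public name
# and relays to the origin named in the stated goal (assumption).

# accel     : reverse-proxy mode
# vhost     : take the site name from the Host: header
# defaultsite: name to use when no Host: header can be located
# protocol= is left at its https_port default (https) instead of being
# forced to http, so reconstructed URLs match what the client asked for.
https_port 443 accel vhost defaultsite=pfaeffikon.gever.asp.ruf.ch cert=/etc/squid3/gever.crt key=/etc/squid3/gever.key

# The cache_peer host is where Squid connects (the origin), not the
# name clients ask for. Plain HTTP on the squid<->peer link, as in the
# original config; add the "ssl" option only if the origin speaks TLS
# on this port (not stated in the thread).
cache_peer m278.asp.ruf.ch parent 8083 0 no-query originserver name=pfaeffikon-ssl

# The ACL matches the domain in the client's request, because that is
# the URL Squid will attempt to service.
acl sites_server_104 dstdomain pfaeffikon.gever.asp.ruf.ch

# cache_peer_access alone is enough; cache_peer_domain is dropped
# because the two are alternative ways of selecting the peer.
cache_peer_access pfaeffikon-ssl allow sites_server_104
cache_peer_access pfaeffikon-ssl deny all

# Only the published site is served; everything else is refused so the
# proxy cannot be used to reach arbitrary destinations.
http_access allow sites_server_104
http_access deny all
```

After changing the file, `squid -k parse` checks the syntax before the running instance is reconfigured.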

