On 18/02/2012 3:09 a.m., Erich Titl wrote:
Hi Folks
I am trying to det up a reverse proxy for a numbner of systems, but
appear to fail to define the cache peer correctly.
The reverse proxy settings
####################################################################################
# squid reverse proxy settings for ssl acceleration
# content shamelessly adapted from
#
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
# Copyleft 2012 erich.titl@xxxxxxxx
####################################################################################
https_port 443 cert=/etc/squid3/gever.crt key=/etc/squid3/gever.key
accel protocol=http
Why set protocol http:// ??
You are missing vhost (locate and use HTTP/1.1 Host: header. 3.1 and
older Squid have it absent for HTTP/1.0 compliance) and/or defaultsite
(domain to use as URL domain if none can be located).
# peer pfaeffikon
cache_peer pfaeffikon.gever.asp.ruf.ch parent 8083 0 no-query
originserver name=pfaeffikon-ssl
cache_peer_domain pfaeffikon-ssl m278.asp.ruf.ch
acl sites_server_104 dstdomain m278.asp.ruf.ch
cache_peer_access pfaeffikon-ssl allow sites_server_104
Note: cache_peer_access and cache_peer_domain are alternative metods of
deciding whether to service the request there. You can drop one of them.
http_access allow sites_server_104
####################################################################################
Here is an excerpt of the cache.log file
2012/02/17 14:47:07 kid1| Accepting HTTP Socket connections at
local=[::]:8080 remote=[::] FD 15 flags=9
2012/02/17 14:47:07 kid1| Accepting reverse-proxy HTTPS Socket
connections at local=[::]:443 remote=[::] FD 16 flags=9
2012/02/17 14:47:07 kid1| Configuring Parent
pfaeffikon.gever.asp.ruf.ch/8083/0
2012/02/17 14:47:07 kid1| Configuring Parent
To me it looks like the cache peer is not accessed correcly.
Maybe. That config says the peer will only service
http://m278.asp.ruf.ch:443/* URLs. And does so without encryption on the
squid<->peer link.
The goal is to terminate https requests on the proxy and forwarding the
requests for pfaeffikon.gever.asp.ruf.ch to a peer called
m278.asp.ruf.ch on port 8083
I see the requests arriving at the squid host, but it appears that it
does not use the host specified in the peer parameters but uses the name
of the original request host.
Yes. Exactly so. The client is asking for
https://pfaeffikon.gever.asp.ruf.ch/. Squid will attempt to service that
request.
You have told Squid to only accept requests for the domain m278.asp.ruf.ch.
Amos
