On 11/06/2012 9:53 p.m., David Benach wrote:
> Hello all.
> We have a squid 3.0.STABLE15 used as reverse proxy on a SUSE SLES 11
> SP0. This squid serves the Internet access to some of our portals. The
> communication with the webservers is in HTTP and, for one of the
> domains, the squid serves an SSL certificate bought from a known CA.
> For the moment, all works fine and we have no problems with operation.
> Now, we need to enable HTTPS communication from another domain but
> without using (and buying) another SSL certificate, because we want to
> change this URL in the browser to the one which works in HTTPS correctly.
> The URL redirection is going well, but a ssl_error_bad_cert_domain
> appears in the web browser because the SSL certificate has been read
> before.
> Is it possible to do the redirection before the SSL certificate has
> been read? We have been searching for a solution with no positive
> result. Can you help us?
No. The connection setup has a specific order:
* TCP handshake
* TLS certificate exchange
- (connection is now ready for use)
* HTTP request
* HTTP response (redirect)
...
You cannot place the redirect before the HTTP request, and that request
required the TLS to be completed first.
> This is an extract of the actual configuration (the redirection works
> but the cert error appears on the client):
>
> http_port 80 vhost defaultsite=www.domain1.com
> https_port 443 vhost defaultsite=www.domain1.com key=/etc/ssl/certs/unencrypt_vsdomain1.key cert=/etc/ssl/certs/vsdomain1.cert capath=/etc/ssl/certs/intermediateCA.cert
All domains served by Squid on port 443 are sharing this one certificate.
You can make the certificate a wildcard certificate covering multiple
sub-domains. Or open several specific IP:port for Squid to listen on
with different certificates. One domain resolving to each of those
IP:ports.
Amos
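As an added illustration (not code from the thread or from Squid), the script below checks which virtual-host names the single certificate on port 443 would actually cover, using the browser's usual name-matching rules: a wildcard matches exactly one left-most label, so `*.domain1.com` covers `www.domain1.com` but neither the bare `domain1.com` nor anything under a different domain such as `www.domain2.com`. Hosts left uncovered are the ones that would trigger ssl_error_bad_cert_domain before Squid ever sees the HTTP request, and they are the candidates for Amos's second option: a separate `https_port IP:443` with its own certificate. The certificate names, host list, IPs and file paths are constructed placeholders, not values from the original post.

```python
"""Which reverse-proxy hostnames does one TLS certificate cover? (added example)"""

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching as browsers apply it to a certificate name.

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is only allowed as the whole left-most label and must be
      followed by at least two more labels (no '*.com')
    - the wildcard matches exactly one label: '*.domain1.com' covers
      'www.domain1.com' but not 'domain1.com' or 'a.b.domain1.com'
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """True if any name in the certificate's subjectAltName list matches."""
    return any(hostname_matches(name, hostname) for name in san_names)


def uncovered_hosts(san_names, hosts):
    """Hosts that a browser would reject with a bad-cert-domain error.

    These need their own certificate, i.e. their own https_port binding.
    """
    return [h for h in hosts if not cert_covers(san_names, h)]


def squid_https_ports(bindings):
    """Render one Squid https_port line per (ip, site, cert, key) tuple.

    This is Amos's 'several specific IP:port' option: each site resolves to
    its own IP, and each listener presents a different certificate.
    """
    return [
        f"https_port {ip}:443 vhost defaultsite={site} cert={cert} key={key}"
        for ip, site, cert, key in bindings
    ]


# Constructed sample values (hypothetical, not from the thread):
CERT_SAN = ["www.domain1.com", "*.domain1.com"]          # the one certificate on :443
PORTAL_HOSTS = ["www.domain1.com", "intranet.domain1.com",
                "domain1.com", "www.domain2.com"]

# Placeholder IPs (RFC 5737 documentation range) and placeholder file paths
BINDINGS = [
    ("192.0.2.10", "www.domain1.com",
     "/etc/ssl/certs/PLACEHOLDER_domain1.cert", "/etc/ssl/certs/PLACEHOLDER_domain1.key"),
    ("192.0.2.11", "www.domain2.com",
     "/etc/ssl/certs/PLACEHOLDER_domain2.cert", "/etc/ssl/certs/PLACEHOLDER_domain2.key"),
]

if __name__ == "__main__":
    for host in PORTAL_HOSTS:
        print(f"{host:24} covered={cert_covers(CERT_SAN, host)}")
    print("needs its own certificate:", uncovered_hosts(CERT_SAN, PORTAL_HOSTS))
    print("\n".join(squid_https_ports(BINDINGS)))
```

Note that the bare `domain1.com` also comes out uncovered: a wildcard certificate alone does not help users who type the apex name, so that name has to be listed explicitly in the certificate's subjectAltName as well.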