Re: Reverse proxy HTTPS redirection before SSL cert has been read

OK Amos.

Thanks for your fast response.

David Benach.


On 11.06.2012 12:39, Amos Jeffries wrote:

On 11/06/2012 9:53 p.m., David Benach wrote:

Hello all. We have a squid 3.0.STABLE15 used as a reverse proxy on a
SUSE SLES 11 SP0. This squid serves the Internet access to some of our
portals. The communication with the webservers is in HTTP and, for one
of the domains, the squid serves an SSL certificate bought from a known
CA. For the moment, all works fine and we have no problems with
operation.

Now, we need to enable HTTPS communication from another domain but
without using (and buying) another SSL certificate, because we want to
change this URL in the browser to the one that works in HTTPS
correctly. The URL redirection is going well, but a
ssl_error_bad_cert_domain appears in the web browser because the SSL
certificate has been read before. Is it possible to do the redirection
before the SSL certificate has been read? We have been searching for a
solution with no positive result. Can you help us?

No. The connection setup has a specific order:
* TCP handshake
* TLS certificate exchange
- (connection is now ready for use)
* HTTP request
* HTTP response (redirect)
...

You cannot place the redirect before the HTTP request, and that request
requires the TLS handshake to be completed first.

This is an extract of the actual configuration (the redirection works
but the cert error appears on the client):

  http_port 80 vhost defaultsite=www.domain1.com
  https_port 443 vhost defaultsite=www.domain1.com key=/etc/ssl/certs/unencrypt_vsdomain1.key cert=/etc/ssl/certs/vsdomain1.cert capath=/etc/ssl/certs/intermediateCA.cert

All domains served by Squid on port 443 are sharing this one
certificate.

You can make the certificate a wildcard certificate covering multiple
sub-domains. Or open several specific IP:port for Squid to listen on
with different certificates, one domain resolving to each of these
IP:port's.

Amos
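Amos's point above is that the browser validates the certificate presented on port 443 before it can see any HTTP redirect, so the one shared certificate must already be valid for every name Squid answers for on that port. The following Python script is an added example, not part of this thread or of Squid itself: it implements the hostname-to-certificate-name matching a browser applies (exact names, plus a wildcard that is honoured only as the whole left-most label and matches exactly one label), and sorts a list of virtual hosts into those the shared certificate covers and those that would raise ssl_error_bad_cert_domain and therefore need their own IP:port and certificate, as Amos's second option describes. The certificate names and vhost list are constructed sample values, and the function names are my own.

```python
"""Decide which reverse-proxy virtual hosts a shared TLS certificate covers.

Added example for the squid-users thread above; not Squid code. The
matching rules follow the browser behaviour described in RFC 6125
(wildcard only as the entire left-most label, matching one label).
"""

# Constructed sample: names the shared certificate on https_port 443 is
# valid for (CN plus a wildcard), and the vhosts Squid answers for there.
SHARED_CERT_NAMES = ["www.domain1.com", "*.domain1.com"]
VHOSTS = ["www.domain1.com", "portal.domain1.com",
          "www.domain2.com", "a.b.domain1.com"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname              # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label and appear nowhere else;
    # partial ("w*.example") or multiple wildcards are rejected by browsers.
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    if len(p_labels) < 3:
        return False                            # refuse "*.com"-style patterns
    # '*' matches exactly one label, so a.b.domain1.com is NOT covered by
    # *.domain1.com, and neither is the bare domain1.com.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def plan_listeners(cert_names, vhosts):
    """Split vhosts into those the shared certificate can serve on one
    https_port and those that would produce ssl_error_bad_cert_domain and
    so need a separate IP:port with their own certificate."""
    covered = [h for h in vhosts if cert_covers(cert_names, h)]
    uncovered = [h for h in vhosts if not cert_covers(cert_names, h)]
    return covered, uncovered


if __name__ == "__main__":
    ok, bad = plan_listeners(SHARED_CERT_NAMES, VHOSTS)
    print("served by the shared certificate on 443:", ok)
    print("need their own IP:port and certificate:", bad)
```

Every host listed in the second group is one where the browser will reject the handshake before the redirect is ever sent, which is exactly the situation in the original question: www.domain2.com is not a sub-domain of domain1.com, so a wildcard for domain1.com cannot help it, and the only remaining route on this Squid is a separate listener with a certificate issued for that name.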

