Ok, about the first point... I disabled NAT... now I have my apache server on port 8008 and my Squid http_port is 80.

My cache_peer is 192.168.2.37 parent 8008 0, but when I try to call http://myhost.com/test1 I see the correct page, but in the browser URL I see: http://myhost.com:8008/test1

Is it possible to hide the 8008 port number? Do I have to add some options in my cache_peer?

2013/12/5 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 5/12/2013 10:58 p.m., Gianluigi Ruggeri wrote:
>> thanks for the reply..
>>
>> ok, I changed:
>>
>> 1) I configured my iptables in this way:
>>
>>
>> # Generated by iptables-save v1.4.7 on Wed Nov 9 13:37:50 2011
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [10363:2864591]
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth+ -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -p icmp -j ACCEPT
>> -A FORWARD -i lo -j ACCEPT
>> -A FORWARD -i eth+ -j ACCEPT
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>> # Completed on Wed Nov 9 13:37:50 2011
>> # Generated by iptables-save v1.4.7 on Wed Nov 9 13:37:50 2011
>> *nat
>> :PREROUTING ACCEPT [4:650]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3125
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>> COMMIT
>>
>>
>>
>> 2) I configured in squid.conf http_port
>>
>> http_port 3128 accel
>>
>> and I added the line:
>>
>> cache_peer 192.168.2.37 parent 80 0
>>
>> Now, if I call:
>> - mysite.com -----> It's ok
>> - mysite.com/test ---> It's ok but I see in browser url bar :
>> mysite.com:3128/test Why??
>
> Because you used NAT to get the port 80 traffic to Squid and it passes
> the information that your site is served on port 3128 to Apache, that
> somehow leaks out to the browser as well.
>
> It is better just to use "http_port 80 accel" and not have the
> iptables NAT rules.
> Same for port 443 on the https_port.
>
>
>>
>> 3) I configured in squid.conf https_port
>>
>> https_port 3125 accel cert=/etc/squid/ssl/certificate.pem
>> key=/etc/squid/ssl/private.pem
>>
>> I use Squid 2.6 stable 21 (on CentOS 5) and to enable SSL I have to
>> use this command: squid –enable-ssl (Is that correct??) Otherwise I do not see
>
> No. You need to have a squid *built* with the ./configure --enable-ssl
> option.
>
>
>> the port 3125 in the result of the command:
>>
>> sudo netstat -anp | grep squid
>>
>>
>> Is it necessary to also add a cache_peer line for port 443? How can I add
>> another cache_peer with the same ipAddress?
>
> cache_peer has a name= option to create two peers with same IP or
> hostname but different names.
> I'm not sure if that is available in 2.6. You may need to upgrade to a
> newer version (http://wiki.squid-cache.org/KnowledgeBase/CentOS).
> AFAIK these packages have SSL enabled already, so the upgrade will
> solve many problems for you at once.
>
>
> Amos
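
A check for the symptom discussed in this thread (an internal port such as 8008 or 3128 showing up in the browser URL), as an added example that is not part of the original messages. It assumes the port reaches the browser through a redirect `Location` header; the function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = (301, 302, 303, 307, 308)

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def parse_head(raw):
    """Split a raw HTTP response head into (status_code, lower-cased headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def leaked_port(request_url, raw_head):
    """Return the internal port a same-host redirect exposes, or None."""
    status, headers = parse_head(raw_head)
    location = headers.get("location")
    if status not in REDIRECTS or not location:
        return None
    # A relative Location inherits the public origin, so it cannot leak a port.
    scheme, host, port = origin(urljoin(request_url, location))
    _, pub_host, pub_port = origin(request_url)
    # Same host, different port, and not just an http -> https upgrade.
    if host == pub_host and port != pub_port and port != DEFAULT_PORTS.get(scheme):
        return port
    return None

# Constructed sample responses (not captured from the poster's servers).
SAMPLES = [
    ("http://myhost.com/test1",
     "HTTP/1.1 301 Moved Permanently\r\nLocation: http://myhost.com:8008/test1/\r\n\r\n"),
    ("http://mysite.com/test",
     "HTTP/1.1 301 Moved Permanently\r\nLocation: http://mysite.com:3128/test/\r\n\r\n"),
    ("http://myhost.com/test1",
     "HTTP/1.1 301 Moved Permanently\r\nLocation: /test1/\r\n\r\n"),
]

if __name__ == "__main__":
    for url, head in SAMPLES:
        print(url, "->", leaked_port(url, head))
```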