Apologies, this does actually seem to work perfectly fine for a "normal" site, but does not like CDN hosted sites - I am cool with that.

Last question though - how do I stop host headers from being forwarded? Should I set act_as_origin? Or use defaultsite?

Thanks!

On Wed, May 14, 2014 at 6:27 PM, Nico Snyman <snyman.nico@xxxxxxxxx> wrote:
> Apologies, this does actually seem to work perfectly fine for a "normal"
> site, but does not like CDN hosted sites - I am cool with that.
>
> Last question though - how do I stop host headers from being forwarded?
> Should I set act_as_origin? Or use defaultsite?
>
> Thanks!
> Nico
>
>
> On Wed, May 14, 2014 at 5:44 PM, Nico Snyman <snyman.nico@xxxxxxxxx> wrote:
>> Hi Amos,
>>
>> (apologies for being very verbose - hoping that my poor efforts can
>> help someone else once it ends up in the archives)
>>
>> To make sure not to muddle things up - I have removed the https bits for
>> now.
>>
>> Also to make clear what is what, I have done the following (using the fake
>> "outside" domain localhost.com):
>>
>> 1. added localhost.com pointing to loopback in hosts on the squid host
>> 2. added localhost.com in hosts of the connecting PC (browser PC),
>>    pointing to the squid host
>>
>> I have then adjusted my squid.conf to read as follows:
>>
>> ...
>> http_port 80 accel defaultsite=localhost.com
>> cache_peer google.com parent 80 0 no-query no-digest originserver name=myAccel1
>> acl our_sites dstdomain localhost.com
>> http_access allow our_sites
>> cache_peer_access myAccel1 allow our_sites
>> ...
>>
>> Browser connects to localhost.com:80, and Squid fetches data from
>> google.com and presents it as if it was content from localhost.com -
>> and this works perfectly as expected.
>>
>> Now, I want to do the same, but use SSL. My squid.conf now looks like
>> this:
>>
>> ...
>> https_port 443 accel cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key defaultsite=localhost.com
>> cache_peer google.com parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
>> acl our_sites dstdomain localhost.com
>>
>> http_access allow our_sites
>> cache_peer_access myAccel allow our_sites
>> ...
>>
>> This does not work, I get in access.log:
>> 127.0.0.1 TCP_MISS_ABORTED/000 0 GET https://localhost.com/ - FIRSTUP_PARENT/xxx.xxx.xxx.xxx -
>>
>> (Note the xxx above are substitutes for a real IP, I am not *actually*
>> using google.com)
>>
>> I think I am missing something rather obvious here - and I think it
>> might have something to do with the parent cert?
>>
>> Any ideas please?
>>
>> Thanks!
>>
>> On Tue, May 13, 2014 at 6:53 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>> On 14/05/2014 4:34 a.m., Nico Snyman wrote:
>>>> Hi guys,
>>>>
>>>> I am trying to set up an https reverse proxy to cache and proxy a data
>>>> feed from a 3rd party.
>>>>
>>>> At the moment, as a POC inside a VirtualBox VM, I am simply trying to
>>>> reverse proxy https://localhost to fetch https://www.google.com (or
>>>> any other https site).
>>>>
>>>
>>> The Right Way(tm) to test is with a hosts file entry standing in for
>>> public DNS.
>>>
>>> /etc/hosts:
>>> 127.0.0.1 google.com
>>>
>>> ... and making sure the proxy configuration is correct ...
>>>
>>> /etc/squid/squid.conf:
>>> ...
>>> https_port 443 accel defaultsite=google.com cert=...
>>> http_port 80 accel defaultsite=google.com
>>> ...
>>> cache_peer google.com parent 443 0 originserver ssl ...
>>> ...
>>> acl our_sites dstdomain google.com
>>> acl port443 myportname 443
>>> acl port80 myportname 80
>>> cache_peer_access myAccel allow port443 our_sites
>>> cache_peer_access myAccel1 allow port80 our_sites
>>> http_access allow our_sites
>>> http_access deny all
>>> ...
>>>
>>>
>>>
>>>> Unfortunately, I consistently get the following:
>>>>
>>>> kid1| TCP connection to www.google.com/443 failed
>>>> kid1| WARNING: HTTP: Invalid response: No object data received for
>>>> https://localhost/ AKA localhost/
>>>>
>>>> In a browser this is a "Zero Sized Reply" message.
>>>>
>>>> My squid.conf is as follows:
>>>>
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>> https_port 443 accel cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key defaultsite=localhost
>>>> http_port 80 accel defaultsite=localhost
>>>> cache_peer www.google.com parent 443 0 no-query no-digest originserver name=myAccel
>>>> cache_peer www.google.com parent 80 0 no-query no-digest originserver name=myAccel1
>>>> acl our_sites dstdomain localhost
>>>> http_access allow our_sites
>>>> cache_peer_access myAccel allow our_sites
>>>> cache_peer_access myAccel1 allow our_sites
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost manager
>>>> http_access deny manager
>>>> http_access allow localhost
>>>> http_access deny all
>>>> access_log daemon:/squid3_logs/access.log squid
>>>> cache_store_log daemon:/squid3_logs/store.log
>>>> cache_log /squid3_logs/cache.log
>>>> coredump_dir /var/spool/squid3
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>>>> refresh_pattern . 0 20% 4320
>>>>
>>>> Anybody have any ideas? I for the life of me cannot figure it out, and
>>>> haven't been able to find relevant help in the archives.
>>>>
>>>> Squid version: squid3-3.3.8
>>>> Ubuntu 13.10 inside Virtualbox 4.3.6
>>>>
>>>>
>>>>
>>>> Thank you!
>>>>
>>>
>
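Added example, not part of the thread above and not Squid project code: a small offline checker for the two accelerator mistakes the configs in this thread turn on. The `cache_peer ... ssl sslflags=DONT_VERIFY_PEER` line makes Squid accept any certificate from the origin, so anyone on the path between the proxy and the origin can impersonate it; the fix is to drop that flag and point `sslcafile=` at a CA bundle the origin's certificate chains to. Separately, an `http_access` or `cache_peer_access` line that names an ACL no `acl` line defines is a fatal parse error in Squid, so a proxy that is writing `TCP_MISS_ABORTED` entries to access.log cannot actually be running such a config (a useful sanity check when copying configs out of an email). The sample configs below are constructed for this example; the assumption that `all`, `localhost`, `to_localhost` and `manager` are built-in ACLs holds for Squid 3.2 and later, and directives are taken one per line (email-wrapped lines joined first).

```python
"""Offline lint for a squid.conf accelerator setup (added example, not Squid code).

Reports:
  * cache_peer lines with ssl and sslflags=DONT_VERIFY_PEER (origin cert not verified),
  * http_access / cache_peer_access lines referencing an ACL no 'acl' line defines,
  * cache_peer_access lines naming a peer no cache_peer line defines.
Assumption: Squid 3.2+ built-in ACL names; one directive per line.
"""
from typing import Iterator, List, Set, Tuple

BUILTIN_ACLS: Set[str] = {"all", "localhost", "to_localhost", "manager"}  # Squid 3.2+ (assumption)


def _logical_lines(conf: str) -> Iterator[Tuple[int, List[str]]]:
    """Yield (line number, tokens) for lines that are not blank or comment-only."""
    for lineno, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield lineno, tokens


def _peer_name(tokens: List[str]) -> str:
    """cache_peer host type http-port icp-port [options]; name= overrides the host."""
    name = tokens[1]
    for opt in tokens[5:]:
        if opt.startswith("name="):
            name = opt[len("name="):]
    return name


def check_squid_conf(conf: str) -> List[str]:
    lines = list(_logical_lines(conf))
    acls: Set[str] = set(BUILTIN_ACLS)
    peers: Set[str] = set()

    # Pass 1: collect acl and cache_peer definitions.
    for _, tok in lines:
        if tok[0] == "acl" and len(tok) >= 3:
            acls.add(tok[1])
        elif tok[0] == "cache_peer" and len(tok) >= 5:
            peers.add(_peer_name(tok))

    # Pass 2: check references and the peer TLS settings.
    findings: List[str] = []
    for n, tok in lines:
        directive = tok[0]
        if directive == "cache_peer" and len(tok) >= 5:
            opts = tok[5:]
            flags: Set[str] = set()
            for opt in opts:
                if opt.startswith("sslflags="):
                    flags.update(opt[len("sslflags="):].split(","))
            if "ssl" in opts and "DONT_VERIFY_PEER" in flags:
                findings.append(
                    f"line {n}: cache_peer {_peer_name(tok)} uses sslflags=DONT_VERIFY_PEER; "
                    "the origin certificate is never verified"
                )
            continue
        if directive == "http_access":
            refs = tok[2:]
        elif directive == "cache_peer_access":
            if len(tok) >= 2 and tok[1] not in peers:
                findings.append(f"line {n}: cache_peer_access names unknown peer '{tok[1]}'")
            refs = tok[3:]
        else:
            continue
        for ref in refs:
            name = ref.lstrip("!")  # '!acl' negates; the name is still the acl
            if name not in acls:
                findings.append(f"line {n}: {directive} references undefined acl '{name}'")
    return findings


# Constructed sample in the shape of the thread's https config, with the weak peer
# setting, a mistyped acl name and a peer that is never defined.
WEAK_CONF = """\
https_port 443 accel cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key defaultsite=localhost.com
cache_peer google.com parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
acl our_sites dstdomain localhost.com
http_access allow our_sites
cache_peer_access myAccel allow our_site
cache_peer_access myAccel2 allow our_sites
http_access deny all
"""

# Same setup with the origin certificate verified against a CA bundle (constructed path).
HARDENED_CONF = """\
https_port 443 accel cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key defaultsite=localhost.com
cache_peer google.com parent 443 0 no-query no-digest originserver ssl sslcafile=/etc/ssl/certs/ca-certificates.crt name=myAccel
acl our_sites dstdomain localhost.com
http_access allow our_sites
cache_peer_access myAccel allow our_sites
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in check_squid_conf(conf) or ["no findings"]:
            print(" ", finding)
```

Run it against a config file with `check_squid_conf(open("/etc/squid3/squid.conf").read())`; it is a pre-check only, and `squid -k parse` remains the authoritative validation before a reload.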