Hi Alex, and all others
No I have set it for multiple domains, and it works really fine. Again
many thanks.
But I have a new demand:
Within one of the sites, where squid handles the https connection and then
communicates with the internal VM through http, there is one page (at least, maybe
we will find others), I don't know why, but the devs want it http only.
When I come to the menu for this page, the app returns an http:// link to
squid. Squid encrypts and sends an https:// link to the browser, but then when
the user hits the link, some of the components of the page should stay
http://, and there the browser detects an https page with http components
embedded, and blocks them.
Is there a way to tell squid to leave some links as http?
My domain is domain.tld:
the browser asks for https://domain.tld
squid decrypts, recognizes this domain, and according to the acl goes to VM1
in http:// mode, not encrypted.
The site on VM1 returns a page in http:// mode, with all links as http
too, and squid sends it back encrypted to the browser with all links
embedded as https://
I want a special link on the page, http://domain.tld/special/, to stay http.
How can I instruct squid to leave it as it is, but not the others?
Thanks
Patrick
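Added example, not code from the thread or from the Squid project: a small scanner that shows what the browser will actually do with the page described above. The decision to block is the browser's, not Squid's, and it applies to sub-resources embedded in an https page (scripts, iframes, stylesheets, images), not to ordinary hyperlinks. So a plain `<a href="http://domain.tld/special/">` is a navigation and is never "mixed content"; what gets blocked is http:// content pulled into an https page. Run the scanner over the HTML your origin returns (fetched through the proxy, so the page URL is https://) to see exactly which references must become https or scheme-relative. Category names follow the W3C Mixed Content spec ("active" is blocked outright, "passive" is blocked or warned about depending on browser); the sample page and `domain.tld` URLs are constructed for the example.

```python
"""Find http:// references in a page served over https and classify them."""
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

Finding = namedtuple("Finding", "category tag url")

# Sub-resource fetches and how browsers treat them when the page is https
# but the resource is http: "active" content is blocked, "passive" content
# is blocked or warned about depending on the browser.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect http:// references found in a page served from page_url."""

    def __init__(self, page_url):
        super().__init__()
        if urlsplit(page_url).scheme != "https":
            raise ValueError("mixed content only exists on https pages")
        self.page_url = page_url
        self.findings = []

    def _check(self, category, tag, ref):
        # Relative paths and //host/path references inherit the page's https
        # scheme, so only absolute http:// references end up flagged.
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.findings.append(Finding(category, tag, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for t, a in ACTIVE:
            if tag == t and attrs.get(a):
                self._check("active", tag, attrs[a])
        for t, a in PASSIVE:
            if tag == t and attrs.get(a):
                self._check("passive", tag, attrs[a])
        # A stylesheet is active content; other <link> rels are not checked here.
        if tag == "link" and attrs.get("href"):
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel:
                self._check("active", tag, attrs["href"])
        # A hyperlink is a navigation, not a sub-resource: it is not mixed
        # content and is not blocked, the user simply leaves the https page.
        if tag == "a" and attrs.get("href"):
            self._check("navigation", tag, attrs["href"])


def scan(html, page_url):
    """Return all http:// references in html, in document order."""
    p = MixedContentScanner(page_url)
    p.feed(html)
    p.close()
    return p.findings


def blocked(findings):
    """Findings the browser will refuse to load outright."""
    return [f for f in findings if f.category == "active"]


# Constructed sample: what an origin app that emits http:// links might return
# through a TLS-terminating proxy (not a real page from the thread).
SAMPLE_URL = "https://domain.tld/menu/"
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://domain.tld/css/site.css">
<script src="//domain.tld/js/app.js"></script>
</head><body>
<img src="http://domain.tld/img/logo.png">
<img src="/img/relative.png">
<a href="http://domain.tld/special/">special</a>
<iframe src="http://domain.tld/special/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE, SAMPLE_URL):
        print(f"{f.category:10} <{f.tag}> {f.url}")
```

On the sample page the stylesheet and the iframe are the ones that break; the scheme-relative script and the relative image are fine as they are, the logo is passive content, and the `/special/` anchor is reported only for information. The practical fix is usually on the origin: emit scheme-relative or https links, or have the proxy tell the app the client side was https so it can build correct absolute URLs.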
On 17/11/2016 at 20:11, Patrick Chemla wrote:
Hi Alex, sorry for disturbing, but it works with
https_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com
cert=/etc/squid/ssl/semplixxxx.com.crt
key=/etc/squid/ssl/semplixxxx.com.key
Many, many, many Thanks for valuable help.
Patrick
On 17/11/2016 at 19:48, Patrick Chemla wrote:
Hi Alex,
I followed the
http://wiki.squid-cache.org/SquidFaq/ReverseProxy
I am getting errors when trying to connect. What could it be?
This is the config: Is there something bad there?
======================================
debug_options ALL,1 33,2 28,9
http_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com
cert=/etc/squid/ssl/semplixxxx.com.crt
key=/etc/squid/ssl/semplixxxx.com.key
cache_peer 172.16.16.83 parent 80 0 no-query originserver login=PASS
sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5
name=SEMP1
cache_peer 172.16.17.83 parent 80 0 no-query originserver login=PASS
sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5
name=SEMP2
acl w3_semplixxxx dstdomain .semplixxxx.com
cache_peer_access SEMP1 allow w3_semplixxxx
cache_peer_access SEMP1 deny all
http_access allow w3_semplixxxx
=====================================
$ wget https://www.semplixxxx.com
--2016-11-17 19:34:49-- https://www.semplixxxx.com/
Resolving www.semplitech.com (www.semplixxxx.com)… xxx.xxx.xxx.xxx
Connecting to www.semplitech.com
(www.semplixxxx.com)|xxx.xxx.xxx.xxx|:443… connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol
Unable to establish SSL connection.
Same error with the browser
=========================================
This is what I have in the access_log file:
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:34:49 +0100] "NONE
error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:35:30 +0100] "NONE
error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
===========================================
This is what I have in cache.log:
2016/11/17 18:35:28.724 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
2016/11/17 18:35:28.725 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(178) lookup:
id=0xf55ca8ed404 query ARP table
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(222) lookup:
id=0xf55ca8ed404 query ARP on each interface (480 found)
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface lo
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup:
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface eth2:1
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface eth2:2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface eth2:3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface eth2:4
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface eth2:5
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface eth2:6
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface eth2:7
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface eth2:8
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup:
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup:
id=0xf55ca8ed404 found interface virbr0
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup:
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on virbr0
2016/11/17 18:35:30.753 kid1| 28,3| Eui48.cc(520) lookup:
id=0xf55ca8ed404 ccc.ccc.ccc.ccc NOT found
2016/11/17 18:35:30.753 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(2583)
clientProcessRequest: clientProcessRequest: Invalid Request
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(816) swanSong:
local=5.39.105.241:443 remote=ccc.ccc.ccc.ccc:48745 flags=1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(70) preCheck:
0x78737acd23c0 checking fast ACLs
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking
access_log daemon:/var/log/squid/access.log
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking
(access_log daemon:/var/log/squid/access.log line)
2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked:
(access_log daemon:/var/log/squid/access.log line) = 1
2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked:
access_log daemon:/var/log/squid/access.log = 1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(63) markFinished:
0x78737acd23c0 answer ALLOWED for match
2016/11/17 18:35:30.754 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd23c0
2016/11/17 18:35:30.754 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x78737acd23c0
2016/11/17 18:36:15.609 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
2016/11/17 18:36:15.609 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
Thanks for help
Patrick
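Added example, not from the thread: a probe that names the failure reported above precisely. A listener declared with `http_port` on :443 answers a TLS ClientHello with a plain-HTTP 400 page, which the client sees as "unknown protocol" (or "wrong version number" with newer OpenSSL) and which Squid logs as `NONE error:invalid-request`. The probe does what wget did (a real TLS handshake with certificate checking turned off, since it is the protocol being tested, not the cert), and on failure retries in plain HTTP on the same port, so a config mistake of this kind is distinguished from a closed port or an unrelated service. The local plain-HTTP server is constructed here only so the example runs offline; the host and port to probe are arguments.

```python
"""Tell whether host:port speaks TLS, plain HTTP, or nothing useful."""
import socket
import ssl
import sys
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def classify_listener(host, port, timeout=3.0):
    """Return 'tls', 'plaintext-http', 'refused' or 'other' for host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # we probe the protocol, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"        # handshake completed: a real TLS listener
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        # ssl.SSLError (wrong version number, unexpected EOF) and timeouts land
        # here: the peer did not complete a handshake. See what it does speak.
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            banner = s.recv(64)
    except OSError:
        return "other"
    return "plaintext-http" if banner.startswith(b"HTTP/") else "other"


class _PlainHandler(BaseHTTPRequestHandler):
    """Minimal origin that only speaks HTTP, like http_port bound to :443."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"plain http\n")

    def log_message(self, *args):   # keep the probe's output quiet
        pass


def start_plain_http_server():
    """Start a plain-HTTP listener on 127.0.0.1:<ephemeral>; returns the server."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def free_port():
    """An unused local port, for the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(classify_listener(sys.argv[1], int(sys.argv[2])))
    else:
        demo = start_plain_http_server()
        print(classify_listener("127.0.0.1", demo.server_address[1]))
        demo.shutdown()
```

Run it as `python3 probe.py www.example.com 443`; "plaintext-http" on the TLS port is the signature of the `http_port`/`https_port` mix-up, and the same check belongs in any post-deploy test of a TLS-terminating proxy, since the symptom otherwise only shows up as user-facing connection errors.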
On 16/11/2016 at 20:16, Patrick Chemla wrote:
Many thanks Alex. I will try in the next hours and let you know if I am
successful.
Patrick
On 16/11/2016 at 20:04, Alex Crow wrote:
On 16/11/16 17:33, Patrick Chemla wrote:
Thanks for your answers, I am not doing anything illegal, I am trying to
build a performant platform.
I have a big server running about 10 different websites.
I have on this server virtual machines, each specialized for one or some
websites, and squid helps me to send the traffic to the destination
website on the internal VM according to the URL.
Some VMs are paired, so squid will load-balance the traffic on a group of
VMs according to the URL/acls.
All this works in HTTP, thanks to Amos's advice a few weeks ago.
Now, I need to set up SSL traffic, and because the domains are different I
need to use different IPs:443 to be able to use different certificates.
I tried many times in the past to make squid work in SSL and never
succeeded because of so many options, and this question: Should the
traffic between squid and the backend be SSL? If yes, it's OK for me.
Nothing illegal.
The second question: How to set up the SSL link on squid getting the SSL
request and sending it to the backend. Actually the backend can handle SSL
traffic, it's OK for me if I find the way to make squid handle the
traffic, according to the acls. Squid must decrypt the request, compute
the acls, then re-encrypt to send to the backend.
The reason I asked not to re-encrypt is because of performance. All this
is on the same server, from the host to the VMs, and decrypt, then
re-encrypt, then decrypt will be resource consuming. But I can do it
like that.
Now, do you have any Howto, clear, that will help? I found many on
Google and not any gave me the solution working.
The other question is about Trusted Certificates. We have on the
websites trusted certificates. Should we use the same on the squid?
Thanks for appreciated help
Patrick
You are using a reverse proxy/web accelerator setup. Nothing you do
there will be illegal if you're using it for your own servers! You
should be able to use HTTP to the backend and just offer HTTPS from
squid. This will avoid loading the backend with encryption cycles. You
don't need any certificate generation as AFAIK you already have all
the
certs you need.
See:
http://wiki.squid-cache.org/SquidFaq/ReverseProxy
for starters. You can adapt the wildcard example; if you have specific
certs for each domain, just listen on a different IP for each
domain and
set up multiple https_port with a different listening IP for each
site.
If you have a wildcard cert, i.e. *.mydomain.com, follow it directly.
Here are a couple more:
http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy
(I found the above with a simple google for "squid reverse ssl proxy".
Google is your friend here... )
http://www.squid-cache.org/Doc/config/https_port/
That's as far as my knowledge goes on reverse in Squid, at my site we
use nginx. But AFAIK if you're doing what I think you're doing that
should be enough. Squid does have a lot of config parameters, but then
so does any other fully capable proxy server. Just focus on the parts
you need for your role and it will be much easier. Specifically ignore
bump/peek+splice, it's just for forward proxy.
Alex
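Added example, not the poster's config and not taken from the Squid wiki pages linked above: a squid.conf that does what Alex describes, TLS terminated by Squid on one public IP per site so each presents its own certificate, plain HTTP to the origin VMs, and routing by dstdomain ACLs. The IPs, domain names, certificate paths and peer names are placeholders (assumptions), not the thread's values. The `front-end-https=on` cache_peer option and the `request_header_add` directive (the latter available from Squid 3.4; check `squid.conf.documented` for your version) are included because they are the usual way to let the origin app know the client side was https and so build https:// links itself, which is what the mixed-content question earlier in the thread turns on.

```conf
# Added example: Squid as TLS-terminating reverse proxy for two sites.
# All names, addresses and paths below are placeholders.

# One https_port per public IP so each site presents its own certificate.
# 'accel' selects reverse-proxy mode; 'defaultsite' supplies a Host for
# clients that send none. This must be https_port: an http_port on :443
# answers TLS ClientHellos with plain HTTP and clients report
# "unknown protocol".
https_port 192.0.2.10:443 accel defaultsite=www.site-a.example \
    cert=/etc/squid/ssl/site-a.crt key=/etc/squid/ssl/site-a.key
https_port 192.0.2.11:443 accel defaultsite=www.site-b.example \
    cert=/etc/squid/ssl/site-b.crt key=/etc/squid/ssl/site-b.key

# Origin VMs, reached over plain HTTP inside the host. Two peers for
# site A share the load (sourcehash keeps a client on one backend).
# front-end-https=on adds "Front-End-Https: On" to forwarded requests.
cache_peer 172.16.16.83 parent 80 0 no-query originserver name=siteA1 \
    sourcehash front-end-https=on
cache_peer 172.16.17.83 parent 80 0 no-query originserver name=siteA2 \
    sourcehash front-end-https=on
cache_peer 172.16.18.83 parent 80 0 no-query originserver name=siteB \
    front-end-https=on

# Tell the app the client hop was https (Squid 3.4+). The origin must only
# trust this header because it is reachable solely through this proxy.
request_header_add X-Forwarded-Proto https all

# Routing: every peer gets its own allow/deny pair so no peer can be
# reached for a domain it does not serve.
acl site_a dstdomain .site-a.example
acl site_b dstdomain .site-b.example
cache_peer_access siteA1 allow site_a
cache_peer_access siteA1 deny all
cache_peer_access siteA2 allow site_a
cache_peer_access siteA2 deny all
cache_peer_access siteB allow site_b
cache_peer_access siteB deny all

# Accept only requests for the fronted sites; the final deny keeps this
# from being usable as an open proxy.
http_access allow site_a
http_access allow site_b
http_access deny all

# Never resolve the public name and fetch it "direct": that would point
# back at Squid's own listener and loop.
never_direct allow all
```

The certificates on the https_port lines are the ones clients see, so they must be the publicly trusted certificates for each site; the origin VMs keep serving plain HTTP and need no certificate of their own. Check the result with `squid -k parse` before reloading, and confirm from outside that each public IP on :443 completes a TLS handshake and presents the intended certificate (`openssl s_client -connect 192.0.2.10:443 -servername www.site-a.example`).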
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users