Re: [squid-users] HTTPS sites

From: Graeme Wood <Graeme.Wood@dont-contact.us>
Date: Thu, 29 May 2003 15:48:57 +0100 (BST)

On 29 May 2003, Fernando Ruza wrote:

> Right Graeme !! that was the problem. I don't know how the parent
> proxy is, but what I know is that it has three IP addresses. What I've done
> is to use just one of the three IP addresses in my squid.conf file
> instead of hostname:
>
> #cache_peer proxy.jclm.es parent 8080 0 proxy-only default no-query no-digest
> cache_peer 142.10.1.10 parent 8080 0 proxy-only default no-query no-digest
>
> Just one more thing, I suppose that the parent proxy could be a cluster
> or a server machine with three network cards so I'd prefer to use the
> hostname in my 'cache_peer' line in the squid.conf file because maybe in
> that way the server balances the load and it's better in performance. The
> way I've solved the problem I'm always sending all our requests to the
> same IP address and maybe that's worse in performance. I don't know.
> Besides, this problem is just for https/ssl (Banks) sites, the rest of
> the https/ssl sites and http (not encrypted) sites are ok using the
> hostname of the parent proxy. Is there any option in the squid.conf file
> to avoid this problem just for the https/ssl sites ??

Well, it hasn't anything to do with https/ssl per se. It has to do with how
some sites authorize their connections and track sessions. Banks commonly
enforce rules such as this as they are naturally paranoid about ensuring
the security of your bank transactions. It is often possible to bypass
parent proxies using acls to avoid problems such as this.

> I'll register the bug, anyway.

I don't think it is a bug, so registering one is probably fruitless.

Cheers.

-- 
=============================================================================
Graeme Wood                                 Email: Graeme.Wood@ed.ac.uk
Unix Systems Support                        Phone: +44 131 650 5003
The University of Edinburgh                 Fax:   +44 131 650 6552
=============================================================================
Received on Thu May 29 2003 - 08:49:13 MDT
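
The ACL-based bypass mentioned in the reply, as an added squid.conf sketch that is not part of the original thread or Squid's shipped configuration. The ACL name `session_pinned` and the `.example` domains are constructed placeholders; the peer hostname and address are the ones quoted above. Option B assumes the child proxy is not allowed to reach the Internet directly.

```conf
# Destinations that tie a login session to one client source address.
# Placeholder domains: replace with the sites that actually break.
acl session_pinned dstdomain .bank.example .onlinebanking.example

# Parent addressed by hostname, so ordinary traffic can still be
# spread across all of the addresses the name resolves to.
cache_peer proxy.jclm.es parent 8080 0 proxy-only default no-query no-digest

# --- Option A: bypass the parent for the affected sites only ---------
# always_direct is evaluated before never_direct, so these requests
# leave from this proxy's own address every time.
always_direct allow session_pinned
never_direct allow all

# --- Option B: keep using the parent, but pin the affected sites -----
# Use instead of Option A when direct access is blocked by a firewall.
# A second peer entry names one fixed address of the parent; the
# affected sites are routed only to it, everything else only to the
# hostname entry.
#
# cache_peer 142.10.1.10 parent 8080 0 proxy-only no-query no-digest
# cache_peer_access 142.10.1.10   allow session_pinned
# cache_peer_access 142.10.1.10   deny  all
# cache_peer_access proxy.jclm.es deny  session_pinned
# cache_peer_access proxy.jclm.es allow all
# never_direct allow all
```

With either option, a request for an affected site should show a consistent next hop in the hierarchy field of access.log (`DIRECT/...` for Option A, the single parent address for Option B).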
