RE: [squid-users] HTTPS sites

From: DUBOST Gaetan (DSIT-XA) <Gaetan.DUBOST@dont-contact.us>
Date: Fri, 30 May 2003 10:35:03 +0200

Hi,
Try cache_peer_access.
You can try something like this:

cache_peer <dnsname-an alias to @IP1, @IP2, etc> parent \
                               8080 0 proxy-only default no-query
cache_peer <@IP1> parent 8080 0 proxy-only default no-query no-digest
cache_peer <@IP2> parent 8080 0 proxy-only default no-query no-digest

acl SSL_port port 443
cache_peer_access <dnsname> deny SSL_port

It is better to use a load-sharing system that can handle that kind of
problem.

Regards.

-----Original Message-----
From: Fernando Ruza [mailto:fernandor@sescam.jccm.es]
Sent: Thursday, 29 May 2003 11:54
To: Graeme Wood
Cc: squid-users@squid-cache.org; hno@squid-cache.org
Subject: Re: [squid-users] HTTPS sites

Right, Graeme!! That was the problem. I don't know what the parent
proxy is like, but what I do know is that it has three IP addresses.
What I've done is use just one of the three IP addresses in my
squid.conf file instead of the hostname:

#cache_peer proxy.jclm.es parent 8080 0 proxy-only default no-query no-digest
cache_peer 142.10.1.10 parent 8080 0 proxy-only default no-query no-digest

Just one more thing: I suppose that the parent proxy could be a cluster
or a server machine with three network cards, so I'd prefer to use the
hostname in my 'cache_peer' line in the squid.conf file, because maybe
that way the server balances the load and performance is better. With the
way I've solved the problem, I'm always sending all our requests to the
same IP address, and maybe that's worse for performance. I don't know.
Besides, this problem only affects https/ssl (bank) sites; the rest of
the https/ssl sites and http (not encrypted) sites are OK using the
hostname of the parent proxy. Is there any option in the squid.conf file
to avoid this problem just for the https/ssl sites?

I'll register the bug, anyway.

Thanks for all your help,

Fernando.

On Wed, 28 May 2003 at 15:57, Graeme Wood wrote:
> On 28 May 2003, Fernando Ruza wrote:
>
> > Ok Henrik, however the same thing happens with my Mozilla browser (mozilla
> > 1.3) from my linux laptop box.
> >
> > Thanks,
>
> Is your proxy a cluster of machines or are you using a parent proxy that
> may be a cache cluster? Some banks will check that the connection is
> coming from the same IP address, and if you are going through a cache
> cluster, subsequent connection attempts may be coming from different IP
> addresses.
>
> Cheers
> Graeme

--
I use free software. And you?
What is free software? See:
http://www.gnu.org/philosophy/free-sw.es.html
Fernando Ruza
e-mail: feruza@terra.es
Tel: 661123845
Yahoo! Messenger id: fruza
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.4.20 & ext3)
"In an internet without fences ... who needs 'gates'"
Received on Fri May 30 2003 - 02:35:43 MDT
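
Graeme's diagnosis, that consecutive HTTPS connections from one client may leave through different parent addresses, can be checked from the proxy's own log. The following is an added example, not part of the thread: it assumes Squid's native access.log format and parent peers configured by IP address (so the hierarchy field records the address used), and its log lines are constructed.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (not from the thread).
# Fields: time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1054283701.102    812 10.0.0.5 TCP_MISS/200 4312 CONNECT bank.example.com:443 - DEFAULT_PARENT/192.0.2.11 -
1054283709.440    655 10.0.0.5 TCP_MISS/200 2110 CONNECT bank.example.com:443 - DEFAULT_PARENT/192.0.2.12 -
1054283712.015    230 10.0.0.5 TCP_MISS/200 9120 GET http://www.example.org/ - DEFAULT_PARENT/192.0.2.12 text/html
1054283720.771    540 10.0.0.7 TCP_MISS/200 3001 CONNECT shop.example.net:443 - DEFAULT_PARENT/192.0.2.11 -
1054283725.300    498 10.0.0.7 TCP_MISS/200 2877 CONNECT shop.example.net:443 - DEFAULT_PARENT/192.0.2.11 -
1054283730.000      3 10.0.0.9 TCP_DENIED/403 1200 CONNECT bank.example.com:443 - NONE/- -
"""


def parse_line(line):
    """Return (client, method, url, hier_code, peer), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    client, method, url = fields[2], fields[5], fields[6]
    # The hierarchy field looks like CODE/peer; peer is "-" when no peer was used.
    code, _, peer = fields[8].partition("/")
    return client, method, url, code, peer


def split_tunnels(log_text):
    """Map (client, host:port) -> sorted parents, for CONNECTs seen via more than one parent."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, method, url, code, peer = parsed
        # Only tunnelled HTTPS that was actually forwarded to a parent peer.
        if method != "CONNECT" or "PARENT" not in code or peer in ("", "-"):
            continue
        peers[(client, url)].add(peer)
    return {key: sorted(seen) for key, seen in peers.items() if len(seen) > 1}


if __name__ == "__main__":
    for (client, dest), seen in split_tunnels(SAMPLE_LOG).items():
        print(f"{client} -> {dest} left via {len(seen)} parents: {', '.join(seen)}")
```

Any pair it reports is a client whose tunnels to one HTTPS site were spread over several parent addresses, which is the condition a source-IP-checking site will reject.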
