RE: [squid-users] HTTPS sites

From: Fernando Ruza <fernandor@dont-contact.us>
Date: 02 Jun 2003 12:14:49 +0200

Thanks Dubost, great work out. It works properly !!

Just one thing, I don't understand well what this config does. Let me
know if I'm wrong. What I think it does is: if I try to access an SSL
site, the proxy doesn't go through the parent proxy by its DNS name;
it will go through the following parent with an IP address (cache_peer
<@IP1>), right?? So, why do I have to write more than one parent proxy
with an IP address??

I suppose that if the first IP address doesn't reply it will use the
second and so on, but the same could happen, I mean, that one request
goes with the first IP address and another request goes with the second or
third IP address, so I would have the same problem on bank sites, for
example. I don't know if you understand what I mean. I would write the
following:

cache_peer <dnsname-an alias to @IP1, @IP2, etc> parent \
                       8080 0 proxy-only default no-query no-digest
cache_peer <@IPx> parent 8080 0 proxy-only default no-query no-digest

acl SSL_port port 443
cache_peer_access <dnsname> deny SSL_port

(Where <@IPx> is one of the IP addresses of the parent proxy)
In this way, just SSL sites will always go through the same parent proxy IP address.

I don't know, it's just an idea.

Regards,

Fernando.

On Fri, 30 May 2003 at 10:35, DUBOST Gaetan (DSIT-XA) wrote:
> Hi,
> Try cache_peer_access.
> You can try something like that :
>
> cache_peer <dnsname-an alias to @IP1, @IP2, etc> parent \
> 8080 0 proxy-only default no-query
> cache_peer <@IP1> parent 8080 0 proxy-only default no-query no-digest
> cache_peer <@IP2> parent 8080 0 proxy-only default no-query no-digest
>
> acl SSL_port port 443
> cache_peer_access <dnsname> deny SSL_port
>
> It is better to use a load sharing system that can handle that kind of
> problem.
>
> Regards.
>
> -----Original Message-----
> From: Fernando Ruza [mailto:fernandor@sescam.jccm.es]
> Sent: Thursday, 29 May 2003 11:54
> To: Graeme Wood
> Cc: squid-users@squid-cache.org; hno@squid-cache.org
> Subject: Re: [squid-users] HTTPS sites
>
>
> Right Graeme!! That was the problem. I don't know what the parent
> proxy is like, but what I know is that it has three IP addresses. What I've done
> is to use just one of the three IP addresses in my squid.conf file
> instead of the hostname:
>
> #cache_peer proxy.jclm.es parent 8080 0 proxy-only default no-query no-digest
> cache_peer 142.10.1.10 parent 8080 0 proxy-only default no-query no-digest
>
> Just one more thing, I suppose that the parent proxy could be a cluster
> or a server machine with three network cards, so I'd prefer to use the
> hostname in my 'cache_peer' line in the squid.conf file because maybe in
> that way the server balances the load and it's better for performance. The
> way I've solved the problem, I'm always sending all our requests to the
> same IP address and maybe that's worse for performance. I don't know.
> Besides, this problem is just for https/ssl (bank) sites; the rest of
> the https/ssl sites and http (not encrypted) sites are ok using the
> hostname of the parent proxy. Is there any option in the squid.conf file
> to avoid this problem just for the https/ssl sites??
>
> I'll register the bug, anyway.
>
> Thanks for all your help,
>
> Fernando.
>
>
> On Wed, 28 May 2003 at 15:57, Graeme Wood wrote:
> > On 28 May 2003, Fernando Ruza wrote:
> >
> > > Ok Henrik, however it happens the same with my Mozilla browser (mozilla
> > > 1.3) from my linux laptop box.
> > >
> > > Thanks,
> >
> > Is your proxy a cluster of machines or are you using a parent proxy that
> > may be a cache cluster? Some banks will check that the connection is
> > coming from the same IP address, and if you are going through a cache
> > cluster, subsequent connection attempts may be coming from different IP
> > addresses.
> >
> > Cheers
> > Graeme
> --
> I use free software, and you?
> What is free software? See:
> http://www.gnu.org/philosophy/free-sw.es.html
>
> Fernando Ruza
> e-mail: feruza@terra.es
> Tlf: 661123845
> Yahoo! Messenger id: fruza
> Linux user: #273644 (http://counter.li.org)
> Debian Sid (Kernel 2.4.20 & ext3)
>
> "In an internet without fences ... who needs 'gates'"

--
I use free software, and you?
What is free software? See: http://www.gnu.org/philosophy/free-sw.es.html
Fernando Ruza
e-mail: feruza@terra.es
Tlf: 661123845
Yahoo! Messenger id: fruza
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.4.20 & ext3)
"In an internet without fences ... who needs 'gates'"
Received on Mon Jun 02 2003 - 02:15:42 MDT
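
A check for the concern raised in this thread, added here as an example and not part of the original messages: it reads Squid's native access.log and reports any client whose CONNECT requests to the same port-443 host were carried by more than one parent peer. The log lines, addresses and function names are constructed for illustration, and it assumes each parent is configured by IP address so that the hierarchy column tells them apart.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1054548889.101 812 10.0.0.5 TCP_MISS/200 4312 CONNECT bank.example.com:443 - DEFAULT_PARENT/192.0.2.11 -
1054548890.440 120 10.0.0.5 TCP_MISS/200 1893 GET http://www.example.org/ - DEFAULT_PARENT/proxy.example.net text/html
1054548893.007 644 10.0.0.5 TCP_MISS/200 2210 CONNECT bank.example.com:443 - DEFAULT_PARENT/192.0.2.12 -
1054548895.310 530 10.0.0.9 TCP_MISS/200 3877 CONNECT shop.example.com:443 - DEFAULT_PARENT/192.0.2.11 -
1054548897.902 498 10.0.0.9 TCP_MISS/200 1544 CONNECT shop.example.com:443 - DEFAULT_PARENT/192.0.2.11 -
"""


def parents_per_ssl_session(log_text):
    """Map (client, host:443) -> set of parent peers that carried its CONNECTs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated line or not the native format
        client, method, url, hier = fields[2], fields[5], fields[6], fields[8]
        if method != "CONNECT" or not url.endswith(":443"):
            continue  # only tunnelled SSL traffic matters here
        code, _, peer = hier.partition("/")
        if "PARENT" not in code or peer in ("", "-"):
            continue  # DIRECT/NONE entries did not go through a parent
        seen[(client, url)].add(peer)
    return dict(seen)


def split_sessions(log_text):
    """Return only the sessions whose CONNECTs used more than one parent."""
    sessions = parents_per_ssl_session(log_text)
    return {key: sorted(peers) for key, peers in sessions.items() if len(peers) > 1}


if __name__ == "__main__":
    for (client, dest), peers in split_sessions(SAMPLE_LOG).items():
        print(f"{client} -> {dest} used {len(peers)} parents: {', '.join(peers)}")
```

An empty result over a day's log means every SSL session stayed on one parent address; any entry it returns is a session a site that checks the source address could reject.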
