RE: [squid-users] SSL and Reverse Proxy

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 25 Aug 2004 12:29:47 +0200 (CEST)

On Tue, 24 Aug 2004, Brad Taylor wrote:

> This should be the public domain name.
>
> -- I'm using it for testing. Will it work OK for testing?

Depends on your web server.

This has effect on what the Host header will be when the request is
forwarded to your web server.

> will "httpd_accel_with_proxy off" still use reverse cache? I only
> want squid to cache the accelerated web site.

Yes.

> why this? Does your web server require the use of a client certificate
> to access the server?
>
> -- Yes, client has to use https.

Yes, but do clients accessing your https:// backend web server directly
have to present a personal SSL certificate for authentication purposes to
your web server?

> Most likely you web server redirects the user back to 192.168.60.100.
>
> -- Why? Everything looks to be setup correctly, right? I've seen
> cache_peer talked about with SSL. Is that only for multiple Squid boxes?

Web servers very often send redirects. When they do, these redirects
contain the exact full URL the web server thinks is its public name
and how it is supposed to be accessed.

When there is a mismatch between how the web server thinks it is supposed
to be accessed and real life (i.e. due to a reverse proxy in front) extreme
care needs to be taken to make sure the web server's idea of how it is
supposed to be addressed does not leak out to the user.

A trivial example is when you request a directory, but do not include the
trailing slash.

I.e. if index.html is the default index page configured on your server and
the server has the page http://example.com/marketing/index.html, then if the
user requests http://example.com/marketing (not
http://example.com/marketing/) the web server will send a redirect telling
the browser "to get the page you have requested you must go to
http://example.com/marketing/".

If you then have a reverse proxy in front of this listening on another
server name such as http://www.example.org/ then this redirect will move
the user off from the reverse proxy to trying to access
http://example.com/marketing/ directly.

To make things worse many dynamic applications (CGI, ASP or whatever
dynamic technology) quite often render absolute URLs into the returned
HTML code with what the application thinks is the public URL, i.e. how the
application is supposed to be addressed. This means that even if the user
accessed http://www.example.org/economy_db/ it may be the case that the
HTML content returned by the application running there will contain
absolute links to http://example.com/economy_db/

>> "log_mime_hdrs on", and study access logs of both Squid and your web
>> servers.
>
> 1093381355.430 21 192.168.60.154 TCP_MISS/302 492 GET
> http://192.168.60.100/ - DIRECT/192.168.60.100 text/html

This is not with "log_mime_hdrs on".

Regards
Henrik
Received on Wed Aug 25 2004 - 04:29:50 MDT
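An added check illustrating the leak Henrik describes (my own example, not code from this thread or from Squid): given a response from the origin server, it flags redirects and absolute links that still carry the backend's own name instead of the public name, and rewrites such URLs to the public origin. The hostnames, the public origin and the sample response are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what an origin server known to itself as example.com
# (here also reachable as 192.168.60.100) answers for "GET /marketing"
# without the trailing slash, plus a body with one absolute and one
# relative link.
SAMPLE_STATUS = 302
SAMPLE_HEADERS = {"Location": "http://example.com/marketing/",
                  "Content-Type": "text/html"}
SAMPLE_BODY = ('<a href="http://example.com/economy_db/">db</a> '
               '<a href="/marketing/">ok</a>')

# Assumed names: how the backend addresses itself, and the public origin
# the reverse proxy is reached under.
BACKEND_HOSTS = {"example.com", "192.168.60.100"}
PUBLIC_ORIGIN = "https://www.example.org"

HREF_RE = re.compile(r'(?:href|src|action)=["\']([^"\']+)', re.I)


def leaked_urls(status, headers, body, backend_hosts=BACKEND_HOSTS):
    """Return (where, url) pairs for absolute URLs that name the backend.

    A non-empty result means the origin's idea of its own address is
    escaping past the reverse proxy, either in a redirect or in HTML.
    Relative URLs have no hostname and are never reported.
    """
    found = []
    loc = headers.get("Location")
    if 300 <= status < 400 and loc and urlsplit(loc).hostname in backend_hosts:
        found.append(("Location", loc))
    for url in HREF_RE.findall(body):
        if urlsplit(url).hostname in backend_hosts:
            found.append(("body", url))
    return found


def rewrite_to_public(url, public_origin=PUBLIC_ORIGIN,
                      backend_hosts=BACKEND_HOSTS):
    """Replace scheme and host of a backend-addressed URL with the public
    origin; any other URL is returned unchanged."""
    parts = urlsplit(url)
    if parts.hostname not in backend_hosts:
        return url
    pub = urlsplit(public_origin)
    return urlunsplit((pub.scheme, pub.netloc, parts.path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    for where, url in leaked_urls(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{where}: {url} -> {rewrite_to_public(url)}")
```

Run against real responses captured with "log_mime_hdrs on", the same check tells you whether the Host header Squid forwards is making the origin generate backend-named URLs.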
