Re: [squid-users] http AND https accel for the same host? from Rob Squid on 2007-02-15 (squid-users)

From: Rob Squid <rob.squid@dont-contact.us>
Date: Thu, 15 Feb 2007 11:18:32 -0600

Thanks for clarifying that up Henrik! I have another problem
regarding this though. This is what I have in squid.conf:

acl CP_HTTP proto HTTP
acl CP_HTTPS proto HTTPS

# Site1
acl CP_Site1 dstdomain site1.domain.com
http_port 172.30.5.5:80 accel vhost
https_port 172.30.5.5:443 accel vhost
cert=/etc/ssl/squidCerts/site1.crt key=/etc/ssl/squidCerts/site1.key
cache_peer 10.1.5.5 parent 80 0 no-query login=PASS originserver
connection-auth=on name=site1
cache_peer_access site1 deny !CP_Site1 !CP_HTTP
cache_peer 10.1.5.5 parent 443 0 no-query ssl
sslflags=DONT_VERIFY_PEER front-end-https login=PASS originserver
name=site1_ssl
cache_peer_access site1_ssl deny !CP_Site1 !CP_HTTPS

# site2
acl CP_Site2 dstdomain site2.domain.com
http_port 172.30.5.61:80 accel vhost
https_port 172.30.5.6:443 accel vhost
cert=/etc/ssl/squidCerts/site2.crt key=/etc/ssl/squidCerts/site2.key
cache_peer 10.1.5.6 parent 80 0 no-query login=PASS originserver
connection-auth=on name=site2
cache_peer_access site2deny !CP_Site2 !CP_HTTP
cache_peer 10.1.5.6 parent 443 0 no-query ssl
sslflags=DONT_VERIFY_PEER front-end-https login=PASS originserver
name=site2_ssl
cache_peer_access site2_ssl deny !CP_Site2 !CP_HTTPS

My problem is in that when I try to hit site2.domain.com, it always
goes to the page for site1.domain.com. I know theres something up
with the cache_peer_access rules, but I cant figure it out. I RTFM
and searched and cant find the answer. Conversely, if I clear the
cache and then put site2 config before site1 in squid.conf and try to
hit site1, Ill get the page for site2. I also tried using something
like this:

cache_peer_access site1 allow CP_Site1 CP_HTTP
cahce_peer_access site1 deny all

But squid reports a bungled line msg on the deny all line. Any ideas?

-Rob

On 2/14/07, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> ons 2007-02-14 klockan 11:27 -0600 skrev Rob Squid:
>
> > I have some hosts that I am accelerating
> > http and https traffic on the same host. Do I need to have a
> > cache_peer line for both http and https?
>
> You need a cache_peer per backend server:port you want Squid to forward
> request to.
>
> > How can I differeniate the two?
>
> By assigning names to the cache_peer lines (name= option), and using
> cache_peer_access to select what gets forwarded where.
>
> > acl CP_Port port 80
> > acl CP_Port_SSL port 443
>
> I would use protocol instead, but that's me..
>
> > http_port 172.30.5.5:80 accel vhost
> > https_port 172.30.5.5:443 accel vhost cert=/etc/ssl/squidCerts/cert.crt key=/etc/ssl/squidCerts/key.key
> > acl CP_Site dstdomain site.domain.com
> > cache_peer 192.168.5.5 parent 80 0 no-query login=PASS originserver connection-auth=on name=site
> > cache_peer_access site allow CP_Site CP_Port
> > cache_peer 192.168.5.5 parent 443 0 no-query ssl sslflags=DONT_VERIFY_PEER front-end-https name=site_ssl
> > cache_peer_access site_ssl allow CP_Site CP_Port_SSL
>
> Looks reasonable to me.
>
> Regards
> Henrik
>
>
Received on Thu Feb 15 2007 - 10:18:43 MST

This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST