On Tue, 2008-05-06 at 11:37 +0200, Wojciech Durczyński wrote:
> I try to set squid as a reverse proxy. Clients should connect via https,
> and originserver is via http.
Tricky, unless your web server supports having an ssl frontend. See the
front-end-https cache_peer option.
> https_port 3129 accel vport protocol=http cert=/root/private/cacert.pem
> key=/root/private/privkey.pem
The above should be
https_port 3129 accel defaultsite=your.website.name cert=/root/private/cacert.pem key=/root/private/privkey.pem
> Client shouldn't know anything about address of webserver.
> It works well unless webserver generates
> HTTP/1.0 302 Moved Temporarily
> Location: http://neons_ip:3129/sth
neons_ip:3129 is due to your use of vport. vport makes Squid forward the
url as http://ip.of.http.port:portnumber/path and many web servers pick
this up from the Host header.
If you instead set defaultsite=your.website.name the Host header will be
the public website name and your webserver will think the proper URL for
the request is http://your.website.name/path
With front-end-https the webserver additionally has a chance (if it
supports the feature) to understand that there is a frontend SSL server
taking care of the SSL part and that the requested protocol really is
https even if the web server received the request over plain http.
If your web server does not support frontend SSL servers then it's often
better to set up a dummy ssl port on the web server, using a self-signed
certificate and have the https content there.
Regards
Henrik
Received on Fri May 09 2008 - 00:36:08 MDT
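Added example, not part of the original message and not Squid's own tooling: a small Python check that scans a squid.conf for the two issues discussed in this thread (vport on an https accelerator port, and an origin peer without front-end-https). The finding codes and the peer address 192.0.2.10 are assumptions made for the illustration.

```python
# Added example: lint a squid.conf for the two reverse-proxy issues in this thread.
# The finding codes and the peer address 192.0.2.10 are constructed for illustration.

def lint_reverse_proxy(conf_text):
    """Return (line_no, code, message) findings for an HTTPS accelerator config."""
    findings, https_accel, origin_peers = [], False, []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not tokens:
            continue
        directive = tokens[0]
        # Option names without their values, e.g. "defaultsite=x" -> "defaultsite"
        names = {tok.split("=", 1)[0] for tok in tokens[1:]}
        if directive == "https_port" and "accel" in names:
            https_accel = True
            if "vport" in names:
                findings.append((line_no, "vport",
                    "vport forwards the URL as http://ip:port/path, so origin "
                    "redirects expose that address; use defaultsite=<public name>"))
        elif directive == "cache_peer" and "originserver" in names:
            origin_peers.append((line_no, names))
    # front-end-https only matters when clients reach Squid over https.
    if https_accel:
        for line_no, names in origin_peers:
            if "front-end-https" not in names:
                findings.append((line_no, "no-front-end-https",
                    "origin is not told the client used https; redirects it "
                    "builds will use http:// (needs origin support for the option)"))
    return findings

# Constructed sample: the https_port line from the question plus a plain origin peer.
BEFORE = """\
https_port 3129 accel vport protocol=http cert=/root/private/cacert.pem key=/root/private/privkey.pem
cache_peer 192.0.2.10 parent 80 0 no-query originserver
"""
# Constructed sample: the corrected https_port line plus a peer with front-end-https.
AFTER = """\
https_port 3129 accel defaultsite=your.website.name cert=/root/private/cacert.pem key=/root/private/privkey.pem
cache_peer 192.0.2.10 parent 80 0 no-query originserver front-end-https=on
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_reverse_proxy(conf) or "no findings")
```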