Re: [squid-users] reverse proxy https -> http and redirect request from server

From: Wojciech Durczyński <Wojciech.Durczynski@dont-contact.us>
Date: Mon, 12 May 2008 10:14:56 +0200

Thanks for your answer.
I tried this, but it doesn't solve my problem.
The web server should be hidden from the outer network. But when using
defaultsite, the client tries to connect to this server directly!
Redirect requests from the server aren't changed by squid when passed to
the client. And they should be.
Using a dummy ssl port on the web server works well, but squid should
allow redirecting https->http without problems.

Henrik Nordstrom wrote:
> On Tue, 2008-05-06 at 11:37 +0200, Wojciech Durczyński wrote:
>
>
>> I try to set squid as a reverse proxy. Clients should connect via https,
>> and originserver is via http.
>>
>
> Tricky, unless your web server supports having an ssl frontend. See the
> front-end-https cache_peer option.
>
>
>
>> https_port 3129 accel vport protocol=http cert=/root/private/cacert.pem
>> key=/root/private/privkey.pem
>>
>
> The above should be
>
> https_port 3129 accel defaultsite=your.website.name
> cert=/root/private/cacert.pem key=/root/private/privkey.pem
>
>
>> The client shouldn't know anything about the address of the webserver.
>> It works well unless the webserver generates
>> HTTP/1.0 302 Moved Temporarily
>> Location: http://neons_ip:3129/sth
>>
>
> neons_ip:3129 is due to your use of vport. vport makes Squid forward the
> url as http://ip.of.http.port:portnumber/path and many web servers pick
> this up from the Host header.
>
> If you instead set defaultsite=your.website.name the Host header will be
> the public website name and your webserver will think the proper URL for
> the request is http://your.website.name/path
>
> With front-end-https the webserver additionally has a chance (if it
> supports the feature) to understand that there is a frontend SSL server
> taking care of the SSL part and that the requested protocol really is
> https even if the web server received the request over plain http.
>
> If your web server does not support frontend SSL servers then it's often
> better to set up a dummy ssl port on the web server, using a self-signed
> certificate and have the https content there.
>
> Regards
> Henrik
>
>
>
Received on Mon May 12 2008 - 08:15:01 MDT
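
The redirect problem discussed in this thread can be checked from the client side of the proxy. The following is an added example, not code from either poster or from Squid: it audits the Location header of a response against the public URL of the reverse proxy and reports when the scheme, host or port differs. The public URL, the function names and the sample responses are constructed assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def audit_location(location, public_url):
    """Return findings for one Location value, compared with the public URL."""
    pub = urlsplit(public_url)
    loc = urlsplit(location)
    if not loc.scheme and not loc.netloc:
        return []  # relative redirect: the client resolves it against the public URL
    findings = []
    scheme = loc.scheme or pub.scheme  # "//host/path" inherits the request scheme
    if scheme != pub.scheme:
        findings.append("scheme-mismatch")  # e.g. http redirect behind an https frontend
    if (loc.hostname or "").lower() != (pub.hostname or "").lower():
        findings.append("host-mismatch")    # origin address or name exposed to the client
    loc_port = loc.port or DEFAULT_PORTS.get(scheme)
    pub_port = pub.port or DEFAULT_PORTS.get(pub.scheme)
    if loc_port != pub_port:
        findings.append("port-mismatch")
    return findings

def audit_response(raw_headers, public_url):
    """Find the Location header in a raw response header block and audit it."""
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return audit_location(value.strip(), public_url)
    return []  # no redirect in this response

# Assumed public address of the proxy (placeholder name from the thread).
PUBLIC = "https://your.website.name:3129"

# Constructed sample responses, modelled on the redirect quoted in the thread.
SAMPLES = {
    "vport": "HTTP/1.0 302 Moved Temporarily\r\nLocation: http://neons_ip:3129/sth\r\n",
    "defaultsite only": "HTTP/1.0 302 Moved Temporarily\r\nLocation: http://your.website.name/sth\r\n",
    "public url": "HTTP/1.0 302 Moved Temporarily\r\nLocation: https://your.website.name:3129/sth\r\n",
    "relative": "HTTP/1.0 302 Moved Temporarily\r\nLocation: /sth\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18} {audit_response(raw, PUBLIC) or 'ok'}")
```
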
