[squid-users] Re: Secure connections with accelerator cache

From: Brian Mearns <bmearns_at_ieee.org>
Date: Tue, 3 Nov 2009 21:41:46 -0500

On Tue, Nov 3, 2009 at 1:16 PM, Brian Mearns <bmearns_at_ieee.org> wrote:
> Several scripts on my server respond differently based on whether or
> not they are being accessed with a secure connection. I set up Squid
> as an accelerator-cache (reverse proxy) in front of this server, and
> all of a sudden these scripts don't detect the secure connection. I
> assume Squid is connecting to them over an unsecured connection even
> though it is accepting the secure connections. Can someone tell me how
> to set up squid to connect securely, or give me hints on which
> directives I should look at? I'm not using client certs or anything,
> so that's not an issue.
>
> Thanks,
> -Brian

Well, I found a solution, though I'm not sure it's the correct way to
do it. In addition to adding a separate cache_peer that uses SSL and
connects on port 443, I also set up cache_peer_access rules that only
allow each cache_peer to be used for the correct connection type. If
anyone can comment on this (whether or not it's a good way to do it,
or if there are other/better/more-common ways to do it), I would very
much appreciate it.

#Set up an unsecured port to work in accelerator/reverse proxy mode.
http_port 3128 accel defaultsite=brianpmearns.com vhost

#Set up a secure port to work in accelerator/reverse proxy mode.
https_port 3129 cert=/opt/apache2/conf/ssl/cert.pem key=/opt/apache2/conf/ssl/privkey.pem accel defaultsite=brianpmearns.com vhost

###These were the key lines for getting the proxy to connect to the server with HTTPS...

#First, define two different "peer" "caches", the first for secure connections, the second for unsecure.
cache_peer localhost parent 443 0 no-query originserver login=PASS ssl name=secureLocalhost sslflags=DONT_VERIFY_PEER
cache_peer localhost parent 80 0 no-query originserver login=PASS name=unsecureLocalhost

#Second, define a new ACL called "https" which is used for HTTPS protocol requests. Likewise for HTTP.
acl https proto HTTPS
acl http proto HTTP

#Now, only allow it to connect to the secureLocalhost "peer" for secure connections.
cache_peer_access secureLocalhost allow https
cache_peer_access secureLocalhost deny !https

#And just to be safe, make sure it can't choose the unsecured "peer" for secure connections.
cache_peer_access unsecureLocalhost allow http
cache_peer_access unsecureLocalhost deny https

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
Received on Wed Nov 04 2009 - 02:42:14 MST
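A hardened variant of the two-peer configuration from the post above, added here as an example; it is not part of the original message and not Squid's own documentation. It keeps the same scheme-based peer selection but replaces sslflags=DONT_VERIFY_PEER, which accepts any certificate on the loopback hop, with verification of the origin's certificate, closes each peer with an explicit deny, and stops Squid from falling back to a direct connection when neither peer matches. The certificate, key and CA paths and the domain name are assumptions; the CA file is whichever certificate signed the one Apache presents on port 443 (for a self-signed certificate, that certificate itself). Option names are the Squid 2.7/3.x spellings used in the post.

```conf
# Added example (not from the original post): Squid reverse proxy that talks
# HTTPS to the origin only for requests that arrived over HTTPS.
# All file paths and the hostname brianpmearns.com are assumed values.

# Listening ports, one per scheme.
http_port 3128 accel defaultsite=brianpmearns.com vhost
https_port 3129 cert=/opt/apache2/conf/ssl/cert.pem key=/opt/apache2/conf/ssl/privkey.pem accel defaultsite=brianpmearns.com vhost

# Origin peers. The HTTPS peer verifies Apache's certificate against the CA
# that issued it (assumed path) and checks the name in the certificate with
# ssldomain, because "localhost" will not appear in a certificate issued for
# brianpmearns.com. No sslflags=DONT_VERIFY_PEER.
cache_peer localhost parent 443 0 no-query originserver login=PASS name=secureLocalhost ssl sslcafile=/opt/apache2/conf/ssl/ca.pem ssldomain=brianpmearns.com
cache_peer localhost parent 80 0 no-query originserver login=PASS name=unsecureLocalhost

# Match on the scheme the client used to reach Squid.
acl https proto HTTPS
acl http proto HTTP

# Route each request to the peer for its scheme, and close each peer with an
# explicit deny so no other request type can be sent to it.
cache_peer_access secureLocalhost allow https
cache_peer_access secureLocalhost deny all
cache_peer_access unsecureLocalhost allow http
cache_peer_access unsecureLocalhost deny all

# Never go DIRECT to the host named in the URL if both peers are denied;
# in an accelerator that host is this machine, so a direct fetch would loop.
never_direct allow all
```

The all ACL is predefined on Squid 3.x; on 2.7 declare it first with acl all src 0.0.0.0/0.0.0.0. Check the file with squid -k parse, then send one request to each port (curl -k -H 'Host: brianpmearns.com' https://127.0.0.1:3129/ and the plain-HTTP equivalent on 3128) and confirm in Apache's access logs that the first hit the 443 virtual host and the second hit port 80; a certificate that fails verification shows up in cache.log and as a 5xx from Squid rather than as a silent plaintext fallback. If the scripts can be changed, the other common arrangement is a single port-80 peer with the front-end-https=on cache_peer option, which makes Squid add a Front-End-Https: On header the backend can check instead of relying on a second TLS handshake on the loopback.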

This archive was generated by hypermail 2.2.0 : Wed Nov 04 2009 - 12:00:03 MST