Re: [squid-users] reverse proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 10 Dec 2009 11:01:00 +1300

On Wed, 09 Dec 2009 13:42:47 +0100 (CET), Ludovit Koren
<ludovit_koren_at_tempest.sk> wrote:
> Amos Jeffries <squid3_at_treenet.co.nz> writes:
>
>> On Tue, 08 Dec 2009 15:31:07 +0100 (CET), Ludovit Koren
>> <ludovit_koren_at_tempest.sk> wrote:
>>> Amos Jeffries <squid3_at_treenet.co.nz> writes:
>>>
>>>> On Mon, 07 Dec 2009 17:59:22 +0100, Ludovit Koren
>>>> <Ludovit_Koren_at_tempest.sk> wrote:
>>>>> Hi,
>>>>>
>>>>> I have Debian Linux and Squid Version 2.7.STABLE3. As I understand
>>>>> from the documentation, there was some change in the version and I did
>>>>> not find relevant information on the net.
>>>>
>>>> NP: Please use the latest Squid version available, 2.7.STABLE7 is
>>>> available in backports if you need to.
>>>>
>>>>>
>>>>> I have the following scenario:
>>>>>
>>>>> client - https - squid - https - server1
>>>>> client - https - squid - http - server2
>>>>>
>>>>
>>>> Use this for reference:
>>>> http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
>>>>
>>>>>
>>>>> This is what I added to the squid.conf
>>>>>
>>>>> http_port 80 accel defaultsite=dflt1.domain.sk vhost
>>>>
>>>> This configures:
>>>>
>>>> Client - HTTP -> Squid.
>>>>
>>>> Which I note is missing from your specs. If your specs were right then
>>>> drop this and only use the https_port directive below.
>>>>
>>>
>>> yes, it is right. I am using it as reverse proxy for both HTTP and HTTPS
>>>
>>>>
>>>>> https_port 443 cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key
>>>>> defaultsite=dflt1.domain.sk vhost
>>>>>
>>>>> acl webmail dstdomain webmail.domain.sk
>>>>>
>>>>> cache_peer dflt1.domain.sk parent 80 0 no-query originserver
>>>>
>>>> Missing: name=dflt1
>>>>
>>>>
>>>
>>> when I copied it, it was lost; I have the parameter there, sorry
>>>
>>>>> cache_peer dflt1.domain.sk parent 443 0 no-query ssl
>>>>> sslflags=DONT_VERIFY_PEER front-end-https
>>>>> name=dflt1
>>>>
>>>>> cache_peer webmail.domain.sk parent 80 0 no-query originserver name=dflt2
>>>>>
>>>>>
>>>>> cache_peer_access dflt2 allow webmail
>>>>
>>>> Missing:
>>>> cache_peer_access dflt2 deny all
>>>>
>>>> cache_peer_access dflt1 allow !webmail
>>>>
>>>
>>> I have added your suggested lines
>>>
>>>> Also missing:
>>>> * list of domains to be passed to dflt1
>>>> * http_access lines to permit valid domain traffic to enter Squid.
>>>>
>>>>>
>>>>> According to the log the redirection is either all the time http or https
>>>>> (if I add protocol=http to the configuration above):
>>>>>
>>>>> 1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET
>>>>> https://webmail.domain.sk/ - DIRECT/X.X.X.X text/html
>>>>>
>>>>>
>>>>>
>>>>> How can I configure squid as https reverse proxy and one page redirect to
>>>>> the https backend server and the second page redirect to the http
>>>>> backend server?
>>>>
>>>> What you had configured above is a reverse proxy which accepts both HTTP
>>>> and HTTPS connections. Then passes all requests to dflt1.domain.sk:80.
>>>>
>>>> If dflt1.domain.sk:80 became available or overloaded the webmail.domain.sk
>>>> traffic would be pushed to dflt1.domain.sk:443 and the non-webmail.*
>>>> traffic would be dropped with an error.
>>>
>>> As I posted above, the traffic is pushed to the correct host
>>> (webmail.domain.sk), but to https, and I need it to push to
>>> http. Everything else is working as I expect...
>>>
>>>
>>> Regards,
>>>
>>> lk
>>
>> Sorry I overlooked that you had two dflt1.* links; name= MUST be unique
>> for each cache_peer line.
>>
>> So...
>>
>> cache_peer dflt1.domain.sk parent 80 0 no-query originserver
>> name=dflt1-80
>> cache_peer dflt1.domain.sk parent 443 0 no-query ssl
>> sslflags=DONT_VERIFY_PEER front-end-https name=dflt1-443
>>
>> acl HTTP proto HTTP
>> cache_peer_access dflt1-80 allow HTTP !webmail
>> cache_peer_access dflt1-80 deny all
>>
>> acl HTTPS proto HTTPS
>> cache_peer_access dflt1-443 allow HTTPS !webmail
>> cache_peer_access dflt1-443 deny all
>>
>
> I must be missing something. I have edited and added everything you wrote
> and still I get the above line:
>
>
> 1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET
> https://webmail.domain.sk/ - DIRECT/X.X.X.X text/html
>
> and not http://webmail.domain.sk/
>

I see we have some flags missing.

Try:
 "accel" on the https_port.
 "originserver" on the cache_peer for HTTPS.

Amos
Received on Wed Dec 09 2009 - 22:01:04 MST
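Pulling the fixes Amos gives across the thread (accel on both ports, originserver and a unique name= on every cache_peer, proto ACLs with a closing deny all, http_access for the published domains) into one squid.conf fragment for 2.7, as an added example that is not part of the original thread. The acl name dflt1sites, the http_access lines and never_direct are assumptions about what a complete configuration needs; the thread only says such lines are missing.

```conf
# Listening ports: both need "accel" to behave as a reverse proxy.
http_port 80 accel defaultsite=dflt1.domain.sk vhost
https_port 443 accel cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key defaultsite=dflt1.domain.sk vhost

# Published virtual hosts and the protocol the client used to reach Squid.
acl webmail dstdomain webmail.domain.sk
acl dflt1sites dstdomain dflt1.domain.sk    # assumed name for the dflt1 domain list
acl HTTP proto HTTP
acl HTTPS proto HTTPS

# Only requests for the published domains may enter Squid (assumed lines).
http_access allow webmail
http_access allow dflt1sites
http_access deny all

# Origin servers: every cache_peer carries "originserver" and a unique name=.
# sslflags=DONT_VERIFY_PEER means Squid does not check the backend certificate;
# drop it once dflt1.domain.sk:443 presents a certificate Squid can verify.
cache_peer dflt1.domain.sk parent 80 0 no-query originserver name=dflt1-80
cache_peer dflt1.domain.sk parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https name=dflt1-443
cache_peer webmail.domain.sk parent 80 0 no-query originserver name=dflt2

# Routing: HTTPS clients of dflt1 -> backend 443, HTTP clients -> backend 80,
# webmail always -> its plain-HTTP backend. Each peer ends with "deny all".
cache_peer_access dflt1-80 allow HTTP !webmail
cache_peer_access dflt1-80 deny all
cache_peer_access dflt1-443 allow HTTPS !webmail
cache_peer_access dflt1-443 deny all
cache_peer_access dflt2 allow webmail
cache_peer_access dflt2 deny all

# Assumed: never let a request bypass the peers and go DIRECT to the Internet,
# which is what the "DIRECT/X.X.X.X" TCP_MISS/502 log line in the thread shows.
never_direct allow all
```

After a `squid -k reconfigure`, the access.log entry for webmail.domain.sk should read FIRST_UP_PARENT/dflt2 instead of DIRECT/X.X.X.X.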
