Re: [squid-users] SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

Hello Amos, all,

Thank you for your response. As far as understanding what you mean I do
(thats something at least) but I fail to see how this will be syntaxed

My config is as follows please advise(this is not working of course):

# NETWORK OPTIONS
#
-----------------------------------------------------------------------------
http_port 80 accel defaultsite=www.domain.com vhost
https_port 443 cert=/etc/squid/uob/sid_domain.crt
key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca
defaultsite=sid.domain.com vhost
https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt
key=/etc/squid/uob/helpdesk_domain.key
cafile=/etc/squid/uob/helpdesk_domain.ca defaultsite=helpdesk.domain.com
vhost
visible_hostname www.domain.com
unique_hostname cache1.domain.com
offline_mode off
icp_port 3130
request_body_max_size 32 MB

# OPTIONS WHICH AFFECT THE CACHE SIZE
#
-----------------------------------------------------------------------------
cache_mem 4096 MB
maximum_object_size 8 MB
maximum_object_size_in_memory 256 KB

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#
-----------------------------------------------------------------------------
cache_dir aufs /var/cache/squid 61440 16 256
emulate_httpd_log on
logfile_rotate 100
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
debug_options ALL,1,33,3,20,3

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
#
-----------------------------------------------------------------------------
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# OPTIONS FOR TUNING THE CACHE
#
-----------------------------------------------------------------------------
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.css 1440 50% 2880 override-expire
refresh_pattern -i \.swf 1440 50% 2880 ignore-reload
override-expire
refresh_pattern . 1440 50% 4320 override-expire

# ACCESS CONTROLS
#
-----------------------------------------------------------------------------

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# reverce-proxy configuration
#
-----------------------------------------------------------------------------

cache_peer 194.80.213.28 sibling 80 3130 proxy-only no-digest
no-netdb-exchange

cache_peer 10.1.62.230 parent 80 0 no-query originserver no-digest
name=lhdl_cst_srv login=PASS
acl sites_lhdl_cst dstdomain lhdl.cst.domain.com
http_access allow sites_lhdl_cst
cache_peer_access lhdl_cst_srv allow sites_lhdl_cst
cache_peer_access lhdl_cst_srv deny from_cache2
cache_peer_access lhdl_cst_srv deny all

cache_peer 212.219.119.48 parent 443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER no-digest name=beweb_srv_ssl login=PASS
acl sites_beweb_ssl dstdomain sid.domain.com
http_access allow sites_beweb_ssl
cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
cache_peer_access beweb_srv_ssl deny from_cache2
cache_peer_access beweb_srv_ssl deny all

cache_peer 10.1.108.15 parent 443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER no-digest name=helpdesk_srv_ssl login=PASS
acl sites_helpdesk_ssl dstdomain helpdesk.domain.com
http_access allow sites_helpdesk_ssl
cache_peer_access helpdesk_srv_ssl allow sites_helpdesk_ssl
cache_peer_access helpdesk_srv_ssl deny from_cache2
cache_peer_access helpdesk_srv_ssl deny all

# forward-proxy security restrictions
#
-----------------------------------------------------------------------------

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

http_reply_access allow all
acl from_cache2 src 194.80.213.28
icp_access allow from_cache2
icp_access deny all

# ADMINISTRATIVE PARAMETERS
#
-----------------------------------------------------------------------------

shutdown_lifetime 15 second
httpd_suppress_version_string on
cache_mgr cachemgr_at_domain.com

# ICP OPTIONS
#
-----------------------------------------------------------------------------

log_icp_queries on

# MISCELLANEOUS
#
-----------------------------------------------------------------------------

memory_pools_limit 512 MB

# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
#
-----------------------------------------------------------------------------

coredump_dir /var/spool/squid

EOF

Many thanks again for all your help.

Kind regards,

Nik

On Thu, 2010-07-22 at 01:06 +1200, Amos Jeffries wrote:
> Nikolaos Pavlidis wrote:
> > Hello all,
> >
> > As the subject suggests, I am looking to support multiple ssl sites with
> > different certificates for each one. The only doc that I manage to find
> > is
> > http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
> >
> > which was very helpful to setup the first host but did not provide much
> > on the addition of a second or third one.Any help will be much
> > appreciated. Thank you in advance.
>
> The wildcard certificate handles multiple sites with one certificate. So
> the that config is not what you want. The final part about squid
> configuration is loosely relevant, but...
>
> To use separate certificates for each site configure an https_port on a
> different IP for each site and generate a non-wildcard certificate for
> each of the domain+IP pairs.
>
> After the https_port are setup its normal virtual hosting setup of
> cache_peer and related entries to source the requests. You can follow
> the config on that wildcard cert page, or the VirtualHosting config page.
>
> Amos

-- 
Nikolaos Pavlidis BSc (Hons) MBCS NCLP CEH CHFI
Systems Administrator
University Of Bedfordshire
Park Square LU1 3JU
Luton, Beds, UK
Tel: +441582489277 (Ext 2277)