[squid-users] problem to configure reverse proxy

From: Pascal Bourdais <pbourdais_at_chez.com>
Date: Fri, 25 Mar 2011 10:09:34 +0100

Bonjour,

I'm stuck with a reverse proxy config.

I have one http server with 5 sites (http) and 2 https, 1 OWA & RPC
server which also serves logos on port 80.

What I want to do :

(I'm bad at ASCII art, but i give it a try :)

WWW ---- iptables/DNAT --- SQUID --- http 1
                       --- http 2 ...
                       --- https 1 --- http (acl A_gi)
                       --- https 2
                       --- OWA

I wrote this config file, and http seem's OK, but i don't understand
the way https works. I follow the doc at :
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
but it give 1 certificate for 2 sites, and thus the certificat is not
valid when i access the sites.

In the graphic, https 1 has a page with a frame which contains a page
in an other server which is accessed with http (not s).

Thank you for any help.

=== squid.conf ===
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 172.25.53.0/24
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost

include /etc/squid/squid.accel.conf

http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/cache

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_dir ufs /cache 100 16 256
cache_mem 100 MB
maximum_object_size_in_memory 10240 KB
=== end squid.conf ===

=== squid.accel.conf ===
## Sites http
http_port 80 accel defaultsite=A vhost

cache_peer 192.168.13.10 parent 80 0 no-query no-digest originserver
name=serveur1 login=PASS

acl sites_serveur1 dstdomain A B C D E
http_access allow sites_serveur1
cache_peer_access serveur1 allow sites_serveur1
cache_peer_access serveur1 deny all

http_access allow sites_serveur1
miss_access allow sites_serveur1

## Sites https
https_port 443 cert=/usr/local/newrprgate/CertAuth/testcert.cert \
   key=/usr/local/newrprgate/CertAuth/testkey.pem defaultsite=G vhost

acl A_gi urlpath_regex ^/cgams
acl sites_cgams dstdomain G H

cache_peer 192.168.13.10 parent 443 0 no-query no-digest originserver
name=cgams login=PASS cache_peer_access cgams deny A_gi
cache_peer_access cgams allow sites_cgams

cache_peer 192.168.1.21 parent 80 0 no-query no-digest originserver
forceddomain=dom name=gi cache_peer_access gi allow A_gi
cache_peer_access gi deny all

http_access allow sites_cgams
miss_access allow sites_cgams

## Sites OWA
cache_peer 192.168.13.44 parent 80 0 no-query no-digest originserver
name=xxx80 cache_peer 192.168.13.44 parent 443 0 no-query no-digest
originserver connection-auth=on login=PASS front-end-https=on name=xxx

acl OWA dstdomain F
cache_peer_access xxx allow OWA
cache_peer_access xxx80 allow OWA

never_direct allow OWA

http_access allow OWA
miss_access allow OWA

=== squid.accel.conf ===
Received on Fri Mar 25 2011 - 09:11:28 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 25 2011 - 12:00:03 MDT