On 25/03/11 22:09, Pascal Bourdais wrote:
> Bonjour,
>
> I'm stuck with a reverse proxy config.
>
> I have one http server with 5 sites (http) and 2 https, 1 OWA& RPC
> server which also serves logos on port 80.
>
> What I want to do :
>
> (I'm bad at ASCII art, but i give it a try :)
>
> WWW ---- iptables/DNAT --- SQUID --- http 1
> --- http 2 ...
> --- https 1 --- http (acl A_gi)
> --- https 2
> --- OWA
>
> I wrote this config file, and http seem's OK, but i don't understand
> the way https works.
HTTPS encrypts the entire connection client->Squid just above the TCP
level. Including optionally the client IP:port and destination domain
name in various parts of the security exchange.
> I follow the doc at :
> http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
> but it give 1 certificate for 2 sites, and thus the certificat is not
> valid when i access the sites.
The point of using a wildcard is that is *is* valid for more than one
domain. It says to the client that it is valid for all *.example.com
domains hosted by that server.
If they are not sub-domains then you will need a chained certificate
(X.509 aliases), or a separate port for each HTTPS receiving domain.
>
> In the graphic, https 1 has a page with a frame which contains a page
> in an other server which is accessed with http (not s).
Um, browser warnings arise from this "secure site contains insecure
objects" or similar.
From the Squid point of view they are unrelated objects. So does not
matter.
>
> Thank you for any help.
>
> === squid.conf ===
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> acl localnet src 172.25.53.0/24
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
>
> include /etc/squid/squid.accel.conf
>
> http_access deny all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/cache
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> cache_dir ufs /cache 100 16 256
> cache_mem 100 MB
> maximum_object_size_in_memory 10240 KB
> === end squid.conf ===
>
> === squid.accel.conf ===
> ## Sites http
> http_port 80 accel defaultsite=A vhost
>
> cache_peer 192.168.13.10 parent 80 0 no-query no-digest originserver
> name=serveur1 login=PASS
>
> acl sites_serveur1 dstdomain A B C D E
> http_access allow sites_serveur1
> cache_peer_access serveur1 allow sites_serveur1
> cache_peer_access serveur1 deny all
>
> http_access allow sites_serveur1
> miss_access allow sites_serveur1
>
Looks good.
>
> ## Sites https
> https_port 443 cert=/usr/local/newrprgate/CertAuth/testcert.cert \
> key=/usr/local/newrprgate/CertAuth/testkey.pem defaultsite=G vhost
>
> acl A_gi urlpath_regex ^/cgams
> acl sites_cgams dstdomain G H
>
> cache_peer 192.168.13.10 parent 443 0 no-query no-digest originserver
> name=cgams login=PASS
> cache_peer_access cgams deny A_gi
Watch the wrap on that (it is two lines).
> cache_peer_access cgams allow sites_cgams
>
> cache_peer 192.168.1.21 parent 80 0 no-query no-digest originserver
> forceddomain=dom name=gi
> cache_peer_access gi allow A_gi
Watch the wrap on that (it is two lines).
This says that *any* domain A B C D E G H and *F* which starts the URL
with /cgams may go to this peer.
I think you want to replace that above "allow A_gi" line with:
cache_peer_access gi allow sites_cgams A_gi
> cache_peer_access gi deny all
>
> http_access allow sites_cgams
> miss_access allow sites_cgams
>
> ## Sites OWA
> cache_peer 192.168.13.44 parent 80 0 no-query no-digest originserver
> name=xxx80
(mind the wrap again. above is one line, below is a second.)
> cache_peer 192.168.13.44 parent 443 0 no-query no-digest
> originserver connection-auth=on login=PASS front-end-https=on name=xxx
>
> acl OWA dstdomain F
> cache_peer_access xxx allow OWA
> cache_peer_access xxx80 allow OWA
What you have here is that *either* port 80 or port 443 may be used to
pass traffic to OWA. The port 80 is preferred (listed first), with 443
as a failover backup if that goes down or gets flooded.
What I think you want is this:
acl HTTPS proto HTTPS
cache_peer_access xxx allow OWA HTTPS
cache_peer_access xxx80 allow OWA !HTTPS
That will keep the received port 80 and port 443 traffic going to the
matching OWA ports.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.11 Beta testers wanted for 3.2.0.5Received on Fri Mar 25 2011 - 09:45:02 MDT
This archive was generated by hypermail 2.2.0 : Fri Mar 25 2011 - 12:00:03 MDT