Re: [squid-users] Re: https bypass squid cache in reverse proxy mode

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 01 May 2011 16:09:36 +1200

On 01/05/11 15:41, Gary K wrote:
> Hi Amos,
>
> Thank you for your reply!
> Any method when received http go to squid cache, when received https
> redirect to web server directly?
>

Multiple concepts clash in your statement...
  "squid cache" -> storage component of Squid
  "redirect" -> HTTP 301, 302, 303 or 307 message
  "web server direct" -> use global DNS to locate web service

The config I gave you earlier prevents Squid proxy using Squid cache
component to service the HTTPS requests.

Reverse proxy HTTPS can redirect to web server HTTP with:
   acl HTTPS proto HTTPS
   deny_info http://example.com/ HTTPS
   http_access deny HTTPS

Making Squid reverse proxy go direct to web servers instead of using
cache_peer is unsafe. Normal reverse proxy configuration has cache_peer
entries to pass the requests to web servers without using global DNS.

Reading between the lines I suspect you mean passing HTTP traffic to
Squid and HTTPS not to Squid?

  Reverse proxy has global DNS pointing a whole domain at Squid IP. You can:
  (at DNS level) configure with a different domain
    (i.e. http://www.example.com/ and https://ssl.example.com/)
OR
  (at packet level) forward/route port 443 from Squid box to the web
  server box instead of configuring squid https_port.
OR
  (at service level) have Squid listening on port 80 and web server on
  port 443 on the Squid box.

Any of this helpful?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Sun May 01 2011 - 04:09:42 MDT
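
Added example, not part of the message above or of the Squid project's own documentation: a squid.conf sketch that combines the HTTPS-to-HTTP redirect from the message with the cache_peer arrangement it describes as the normal reverse proxy setup. The origin address 192.0.2.10, the hostname www.example.com, the peer name origin_web and the certificate paths are placeholders.

```conf
# Added example (constructed); addresses, hostnames and paths are placeholders.

# Accelerator (reverse proxy) listeners.
http_port 80 accel defaultsite=www.example.com
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/example.pem key=/etc/squid/example.key

# Origin server reached by fixed IP through cache_peer, not via global DNS.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin_web

acl our_site dstdomain www.example.com
acl HTTPS proto HTTPS

# Requests arriving over HTTPS are denied, and deny_info turns the denial
# into a redirect to the plain-HTTP site (the three lines from the message).
deny_info http://www.example.com/ HTTPS
http_access deny HTTPS

# Only the published site is served; any other requested host is refused.
http_access allow our_site
http_access deny all

# Pin all forwarding to the peer. never_direct stops Squid from resolving
# the requested host itself and contacting whatever address DNS returns.
cache_peer_access origin_web allow our_site
cache_peer_access origin_web deny all
never_direct allow all
```

`squid -k parse` checks the file for syntax errors before the running proxy is reconfigured.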
