Re: [squid-users] Question about reverse proxy with one public ip and more backend servers with SSL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 16 Nov 2011 22:57:19 +1300

On 16/11/2011 10:13 p.m., Javier Sansaloni Talens wrote:
> Good morning,
> My name is Javi and I live in Spain.
> First of all, thank you for reading my questions. I have tried to
> find the answer here and on Google but I haven't found anything.
>
> I have a question about reverse proxy with one public ip and more
> back-end servers with SSL, I have attached an illustrative picture
> with my web server structure.
>
> I have 2 Apache servers, one of these with virtual hosts. I don't
> have a problem with HTTP connections. Now in HTTPS connections I can
> work with only one SSL certificate installed in Squid and the other 2
> servers, but this is the same certificate. But in HTTPS connections I
> would like to have one certificate in one server. (In the picture
> Certificate1 and Certificate2.) Is it possible?

You have configured "sslflags=DONT_VERIFY_PEER". Squid is ignoring the
certificates beyond the minimum required to encrypt packets.

>
> I attach my configuration file too.
>
> My configuration file (I have the certificate files currently
> installed in /etc/squid/certificados)
>
> ****************************************
>
> http_port 80 accel defaultsite=www.burriana.es vhost
> https_port 443 accel cert=/etc/squid/certificados/server.crt
> key=/etc/squid/certificados/server.key defaultsite=www.burriana.es
> vhost protocol=https
> forwarded_for on
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> cache_peer 192.168.20.13 parent 80 0 no-query no-digest originserver
> name=etcote login=PASS
> acl sites_etcote dstdomain www.adi.burriana.es adi.burriana.es
> www.sme.burriana.es sme.burriana.es
> acl our_sites dstdomain www.adi.burriana.es adi.burriana.es
> www.sme.burriana.es sme.burriana.es
> cache_peer_access etcote allow sites_etcote
>
> cache_peer 192.168.20.13 parent 443 0 no-query originserver ssl
> sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=etcote_ssl
> acl site_etcote_ssl dstdomain www.adi.burriana.es adi.burriana.es
> www.sme.burriana.es sme.burriana.es

"sites_etcote" and "our_sites" and "site_etcote_ssl" are identical.
Remove "our_sites" and "site_etcote_ssl".

> cache_peer_access etcote_ssl allow site_etcote_ssl
> acl https proto https

I suggest using:
   acl https proto https
   cache_peer_access etcote allow sites_etcote !https
   cache_peer_access etcote_ssl allow sites_etcote https

>
> cache_peer 192.168.20.6 parent 80 0 no-query no-digest originserver
> name=burriana login=PASS
> acl sites_burriana dstdomain www.burriana.es burriana.es
> acl our_sites2 dstdomain www.burriana.es burriana.es
> cache_peer_access burriana allow sites_burriana

"sites_burriana" and "our_sites2" are identical. Remove our_sites2.

>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8

Replace with:
   acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow our_sites2
> http_access allow our_sites
> #http_access allow our_sites_ssl
> http_access allow https

Replace the above 4 lines with:
   http_access allow sites_etcote
   http_access allow sites_burriana

> http_access allow manager all
> http_access allow manager

"all" is useless on the manager line. Remove the whole line
"http_access allow manager all".

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all

A set of deny lines ending in "deny all" is useless work for Squid.
Remove "deny !Safe_ports" and "deny CONNECT !SSL_ports".

Amos
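To make the cleanup Amos describes mechanical, here is a small Python checker (an added example, not code from the thread or from the Squid project). It reads a trimmed, constructed copy of the quoted configuration, reports acl names whose type and value set are identical, lists http_access lines that do no useful work (an "all" ANDed with other acls, and deny rules that sit between the last allow and the final "deny all"), and rewrites the file so that only the first-defined name of each duplicate group survives, with references repointed. Parsing is simplified on purpose: one directive per line, "#" comments stripped, no include files or multi-line values.

```python
"""Find the redundancies called out in the reply and rewrite them away.

Added example, not code from the thread or from Squid. Parsing is deliberately
simple: one directive per line, '#' comments stripped, no 'include' handling.
"""
from collections import defaultdict

# Constructed sample: a trimmed version of the configuration quoted above.
SAMPLE_CONF = """\
acl sites_etcote dstdomain www.adi.burriana.es adi.burriana.es www.sme.burriana.es sme.burriana.es
acl our_sites dstdomain www.adi.burriana.es adi.burriana.es www.sme.burriana.es sme.burriana.es
cache_peer_access etcote allow sites_etcote
acl site_etcote_ssl dstdomain www.adi.burriana.es adi.burriana.es www.sme.burriana.es sme.burriana.es
cache_peer_access etcote_ssl allow site_etcote_ssl
acl https proto https
acl sites_burriana dstdomain www.burriana.es burriana.es
acl our_sites2 dstdomain www.burriana.es burriana.es
cache_peer_access burriana allow sites_burriana
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow our_sites2
http_access allow our_sites
#http_access allow our_sites_ssl
http_access allow https
http_access allow manager all
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""


def _directives(conf):
    """Yield (directive, args) for every non-blank, non-comment line."""
    for raw in conf.splitlines():
        tokens = raw.split('#', 1)[0].split()
        if tokens:
            yield tokens[0], tokens[1:]


def parse_acls(conf):
    """Map acl name -> (type, frozenset(values)); repeated 'acl NAME' lines merge, as Squid does."""
    acls = {}
    for directive, args in _directives(conf):
        if directive == 'acl' and len(args) >= 3:
            kind, seen = acls.get(args[0], (args[1], frozenset()))
            acls[args[0]] = (kind, seen | frozenset(args[2:]))
    return acls


def find_duplicate_acls(conf):
    """Sorted groups of acl names whose type and value set are identical."""
    groups = defaultdict(list)
    for name, key in parse_acls(conf).items():
        groups[key].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def find_redundant_http_access(conf):
    """http_access lines that change nothing: 'all' ANDed with other acls, and
    deny rules placed after the last allow but before a terminal 'deny all'."""
    rules = [args for d, args in _directives(conf) if d == 'http_access']
    findings = ['http_access ' + ' '.join(r) for r in rules if len(r) > 2 and 'all' in r[1:]]
    if rules and rules[-1] == ['deny', 'all']:
        last_allow = max((i for i, r in enumerate(rules) if r[0] == 'allow'), default=-1)
        findings += ['http_access ' + ' '.join(r) for r in rules[last_allow + 1:-1] if r[0] == 'deny']
    return findings


def _rename(token, alias):
    """Apply an acl rename to one rule token, preserving a leading '!' negation."""
    bare = token.lstrip('!')
    return ('!' if token.startswith('!') else '') + alias.get(bare, bare)


def dedupe_acls(conf):
    """Drop every duplicate acl definition except the first-defined one and
    rewrite http_access / cache_peer_access references to the surviving name."""
    survivor, alias = {}, {}
    for name, key in parse_acls(conf).items():      # insertion order = definition order
        alias[name] = survivor.setdefault(key, name)
    out = []
    for raw in conf.splitlines():
        tokens = raw.split('#', 1)[0].split()
        if len(tokens) > 1 and tokens[0] == 'acl' and alias[tokens[1]] != tokens[1]:
            continue                                 # duplicate definition: drop it
        if tokens and tokens[0] in ('http_access', 'cache_peer_access'):
            out.append(' '.join(_rename(t, alias) for t in tokens))
        else:
            out.append(raw)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for group in find_duplicate_acls(SAMPLE_CONF):
        print('identical acls:', ', '.join(group))
    for line in find_redundant_http_access(SAMPLE_CONF):
        print('redundant:', line)
    print(dedupe_acls(SAMPLE_CONF))
```

On the sample this reports the two groups Amos names (sites_etcote / our_sites / site_etcote_ssl and sites_burriana / our_sites2), flags "allow manager all" and the two deny lines ahead of "deny all", and the rewritten file routes both cache_peer_access and http_access through the surviving names. The redundant-deny rule only holds because no allow follows them; the checker verifies that before flagging.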
Received on Wed Nov 16 2011 - 09:57:32 MST
