Re: [squid-users] Question about reverse proxy with one public ip and more backend servers with SSL

From: Javier Sansaloni Talens <javier.sansaloni_at_burriana.es>
Date: Wed, 16 Nov 2011 11:43:22 +0100

Thank you for the advice and suggestions,

I have reviewed my squid.conf, and I attach it in the lines below.

But I have the same question.

Is it possible to have Certificate1 on www.adi.burriana.es and
Certificate2 on www.sme.burriana.es running with Squid?

If I connect directly to my Apache server (with vhosts) in my browser
and type www.adi.burriana.es, I get Certificate1, and if I type
www.sme.burriana.es, I get Certificate2.

But if I use the current configuration in Squid, when I type
www.adi.burriana.es I get Certificate1 (server.crt), and when I type
www.sme.burriana.es I also get Certificate1, and I don't want
Certificate1 there, I want Certificate2.

*****************************************************************************************************************************************************************************
http_port 80 accel defaultsite=www.burriana.es vhost
https_port 443 accel cert=/etc/squid/certificados/server.crt key=/etc/squid/certificados/server.key defaultsite=www.burriana.es vhost protocol=https
forwarded_for on

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

cache_peer 192.168.20.13 parent 80 0 no-query no-digest originserver name=etcote login=PASS
acl sites_etcote dstdomain www.adi.burriana.es adi.burriana.es www.sme.burriana.es sme.burriana.es
cache_peer_access etcote allow sites_etcote

cache_peer 192.168.20.13 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=etcote_ssl
cache_peer_access etcote_ssl allow sites_etcote
acl https proto https

cache_peer 192.168.20.6 parent 80 0 no-query no-digest originserver name=burriana login=PASS
acl sites_burriana dstdomain www.burriana.es burriana.es
cache_peer_access burriana allow sites_burriana

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow sites_etcote
http_access allow sites_burriana

http_access allow manager
http_access deny all

access_log /var/log/squid/access.log
cache_mgr someone_at_somewhere.com
************************************************************************************************************************************************************

Thank you for the responses,
Regards,

On 16/11/2011 10:57, Amos Jeffries wrote:
> On 16/11/2011 10:13 p.m., Javier Sansaloni Talens wrote:
>> Good morning,
>> My name is Javi and I live in Spain.
>> First of all, thank you for reading my questions. I have tried to
>> find the answer here and on Google but I haven't found anything.
>>
>> I have a question about a reverse proxy with one public IP and several
>> back-end servers with SSL. I have attached an illustrative picture
>> of my web server structure.
>>
>> I have 2 Apache servers, one of them with virtual hosts. I don't
>> have a problem with HTTP connections. Now, for HTTPS connections, I can
>> work with only one SSL certificate installed in Squid and on the other 2
>> servers, but this is the same certificate. For HTTPS connections I
>> would like to have one certificate per server. (In the picture,
>> Certificate1 and Certificate2.) Is it possible?
>
> You have configured "sslflags=DONT_VERIFY_PEER". Squid is ignoring
> the certificates beyond the minimum required to encrypt packets.
>
>>
>> I attach my configuration file too.
>>
>> My configuration file (I have the certificate files currently
>> installed in /etc/squid/certificados)
>>
>> *******************************************************************************************************************************************************************************************
>>
>> http_port 80 accel defaultsite=www.burriana.es vhost
>> https_port 443 accel cert=/etc/squid/certificados/server.crt key=/etc/squid/certificados/server.key defaultsite=www.burriana.es vhost protocol=https
>> forwarded_for on
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>> cache_peer 192.168.20.13 parent 80 0 no-query no-digest originserver name=etcote login=PASS
>> acl sites_etcote dstdomain www.adi.burriana.es adi.burriana.es www.sme.burriana.es sme.burriana.es
>> acl our_sites dstdomain www.adi.burriana.es adi.burriana.es www.sme.burriana.es sme.burriana.es
>> cache_peer_access etcote allow sites_etcote
>>
>> cache_peer 192.168.20.13 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=etcote_ssl
>> acl site_etcote_ssl dstdomain www.adi.burriana.es adi.burriana.es www.sme.burriana.es sme.burriana.es
>
> "sites_etcote" and "our_sites" and "site_etcote_ssl" are identical.
> Remove "our_sites" and "site_etcote_ssl".
>
>> cache_peer_access etcote_ssl allow site_etcote_ssl
>> acl https proto https
>
> I suggest using:
> acl https proto https
> cache_peer_access etcote allow sites_etcote !https
> cache_peer_access etcote_ssl allow site_etcote https
>
>
>>
>> cache_peer 192.168.20.6 parent 80 0 no-query no-digest originserver name=burriana login=PASS
>> acl sites_burriana dstdomain www.burriana.es burriana.es
>> acl our_sites2 dstdomain www.burriana.es burriana.es
>> cache_peer_access burriana allow sites_burriana
>
> "sites_burriana" and "our_sites2" are identical. Remove our_sites2.
>
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>
> Replace with:
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> http_access allow our_sites2
>> http_access allow our_sites
>> #http_access allow our_sites_ssl
>> http_access allow https
>
> Replace the above 4 lines with:
> http_access allow site_etcote
> http_access allow sites_burriana
>
>
>> http_access allow manager all
>> http_access allow manager
>
> "all" is useless on the manager line. Remove the whole line
> "http_access allow manager all ".
>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access deny all
>
> A set of deny lines ending in "deny all" is useless work for Squid.
> Remove "deny !Safe_ports" and "deny CONNECT !SSL_ports".
>
>
> Amos
>

-- 
*Javier Sansaloni Talens*
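Two things in the posted configuration decide which certificate a browser sees and how safely Squid reaches the origin. The `cert=`/`key=` pair on `https_port` belongs to the listening socket, not to the requested host name, so every name arriving on port 443 is answered with server.crt whatever the Host header says; with one public IP and one port, the only way for both www.adi.burriana.es and www.sme.burriana.es to validate is a single certificate that names both hosts (a SAN or wildcard certificate), or a second `https_port` bound to a second address. Separately, on the `etcote_ssl` peer, `sslversion=3` pins the origin connection to SSLv3 and `sslflags=DONT_VERIFY_PEER` switches off verification of the origin's certificate, so Squid will accept whatever certificate the back-end, or anything between Squid and it, presents. The fragment below is an added example, not part of the original post or of Squid's own documentation; it restates the relevant lines with Amos's `proto https` split applied and with the origin connection verified. The file names combined.crt/combined.key, adi.crt/sme.crt, ca.crt, the 203.0.113.x addresses and the `ssldomain` value are placeholders and assumptions for illustration.

```conf
# Listening sockets. cert= and key= are properties of the socket, so one
# https_port always presents one certificate. To satisfy both names from
# one public IP and one port, that certificate must itself be valid for
# both hosts (combined.crt/combined.key are hypothetical SAN cert files).
http_port  80  accel defaultsite=www.burriana.es vhost
https_port 443 accel cert=/etc/squid/certificados/combined.crt key=/etc/squid/certificados/combined.key defaultsite=www.burriana.es vhost protocol=https

# Alternative only when a second address is available: one https_port per
# certificate, each bound to its own IP (203.0.113.1/.2 are documentation
# addresses used as placeholders).
# https_port 203.0.113.1:443 accel cert=/etc/squid/certificados/adi.crt key=/etc/squid/certificados/adi.key defaultsite=www.adi.burriana.es vhost protocol=https
# https_port 203.0.113.2:443 accel cert=/etc/squid/certificados/sme.crt key=/etc/squid/certificados/sme.key defaultsite=www.sme.burriana.es vhost protocol=https

forwarded_for on

acl all            src 0.0.0.0/0.0.0.0
acl localhost      src 127.0.0.1/255.255.255.255
acl manager        proto cache_object
acl sites_etcote   dstdomain www.adi.burriana.es adi.burriana.es www.sme.burriana.es sme.burriana.es
acl sites_burriana dstdomain www.burriana.es burriana.es
acl https          proto https

# Plain-HTTP path to the Apache vhost server: only non-HTTPS requests.
cache_peer 192.168.20.13 parent 80 0 no-query no-digest originserver name=etcote login=PASS
cache_peer_access etcote allow sites_etcote !https
cache_peer_access etcote deny all

# Weak origin TLS settings from the posted configuration, kept commented
# out for comparison:
#   sslversion=3              -> SSLv3 only
#   sslflags=DONT_VERIFY_PEER -> the origin certificate is never checked
# cache_peer 192.168.20.13 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=etcote_ssl

# Hardened form: TLSv1 (sslversion=4 in this Squid's numbering), verify the
# origin certificate against a CA file, and require it to carry the
# expected name. ca.crt and the ssldomain value are assumptions about
# the certificate the back-end presents to Squid.
cache_peer 192.168.20.13 parent 443 0 no-query originserver ssl sslversion=4 sslcafile=/etc/squid/certificados/ca.crt ssldomain=www.adi.burriana.es front-end-https=on name=etcote_ssl
cache_peer_access etcote_ssl allow sites_etcote https
cache_peer_access etcote_ssl deny all

cache_peer 192.168.20.6 parent 80 0 no-query no-digest originserver name=burriana login=PASS
cache_peer_access burriana allow sites_burriana
cache_peer_access burriana deny all

# Only the published names may use this accelerator, and the cache
# manager interface is reachable from the proxy host alone.
http_access allow sites_etcote
http_access allow sites_burriana
http_access allow manager localhost
http_access deny manager
http_access deny all
```

To confirm what a browser will actually be shown for each name, connect to the public address with `openssl s_client -connect <public-ip>:443 -servername www.sme.burriana.es` and compare the subject and subjectAltName of the returned certificate with the same command for www.adi.burriana.es; with a single `https_port` both answers will be the same certificate, which is exactly the symptom described in the post.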
Received on Wed Nov 16 2011 - 10:43:33 MST

This archive was generated by hypermail 2.2.0 : Fri Nov 18 2011 - 12:00:03 MST