Re: [squid-users] Forcing Header in Reverse Proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 17 Jan 2012 14:30:57 +1300

On 17.01.2012 11:21, Roman Gelfand wrote:
> fair enough.
>
> How would you, then, implement the following...
>
> I would like to forward https://xyz.mydomain.com/server1 to
> http://server1.mydomain.com and https://xyz.mydomain.com/server2 to
> http://server2.mydomain.com. Please, keep in mind, the target server
> is apache and it has servername tag which depends on header.

The "/server1" and "/server2" bits will get complex to strip and re-add
properly.

At first glance you probably want something like this in Apache:

server 1 config:
  <VirtualHost xyz.domain.com:80>
     ...

     RewriteEngine On
     RewriteBase /server1
     Alias /server1 /some/file/path
  </VirtualHost>

server 2 config:
  <VirtualHost xyz.domain.com:443>
     ...

     RewriteEngine On
     RewriteBase /server2
     Alias /server2 /some/file/path
  </VirtualHost>

HOWEVER, I notice the http:// and https:// difference. A small
alteration to the Squid config should work with a simpler Apache setup:

   squid.conf:
   http_port 80 accel vhost ...
   https_port 443 accel vhost ...

   acl site dstdomain xyz.mydomain.com

   # plain http:// requests for the site go to server1
   cache_peer server1.mydomain.com parent 80 0 originserver name=httpServer
   acl HTTP proto HTTP
   cache_peer_access httpServer allow HTTP site
   cache_peer_access httpServer deny all

   # https:// requests for the site go to server2
   cache_peer server2.mydomain.com parent 80 0 originserver name=secureServer
   acl HTTPS proto HTTPS
   cache_peer_access secureServer allow HTTPS site
   cache_peer_access secureServer deny all

server 1 config:
  <VirtualHost xyz.domain.com:80>
     DocumentRoot /http/file/path
  </VirtualHost>

server 2 config:
  <VirtualHost xyz.domain.com:443>
     DocumentRoot /secure/file/path
  </VirtualHost>

The https:// traffic should be exiting Squid with Host header of
"xyz.domain.com:443" anyway for the VirtualHost to pick up on, since the
receiving https_port 443 is not the default port for http:// which it is
being converted to on outgoing to Apache.

You could also add "ssl sslflags=DONT_VERIFY_PEER" on secureServer to
use self-signed certificates which keep the traffic secure between the
Apache and Squid without triggering any errors or other problems. It
also has the nice side effect of ensuring Apache is aware of the port
and security differences in the traffic.

Amos
Received on Tue Jan 17 2012 - 01:31:02 MST
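
A check for the "ssl sslflags=DONT_VERIFY_PEER" option mentioned above, as an added example that is not part of the original post: with that flag Squid encrypts the link to Apache but does not validate the certificate it is shown, so this script lists the cache_peer lines in a squid.conf that reach the origin in plaintext or with verification disabled. The sample config is constructed; port 443, the pinnedServer peer and the certificate path are assumptions.

```python
import re

# Constructed sample (not from the post): the first two peers follow the
# thread's setup; port 443, the pinnedServer peer and the PEM path are assumed.
SAMPLE_CONF = """\
cache_peer server1.mydomain.com parent 80 0 originserver name=httpServer
cache_peer server2.mydomain.com parent 443 0 originserver name=secureServer ssl sslflags=DONT_VERIFY_PEER
cache_peer server2.mydomain.com parent 443 0 originserver name=pinnedServer ssl sslcafile=/etc/squid/apache-selfsigned.pem ssldomain=server2.mydomain.com
"""

WEAK_FLAGS = {"DONT_VERIFY_PEER", "DONT_VERIFY_DOMAIN"}

def parse_cache_peers(conf_text):
    """Yield (name, options) per cache_peer line: hostname type http-port icp-port [options]."""
    for raw in conf_text.splitlines():
        fields = raw.split()
        if len(fields) < 5 or fields[0] != "cache_peer":
            continue  # comments, blank lines, other directives
        opts = {}
        for token in fields[5:]:
            key, _, value = token.partition("=")
            opts[key] = value
        # Squid uses the hostname as the peer name when name= is absent.
        yield opts.get("name") or fields[1], opts

def audit_peer_tls(conf_text):
    """Map each peer name to a sorted list of findings; an empty list means none."""
    report = {}
    for name, opts in parse_cache_peers(conf_text):
        if "ssl" not in opts:
            report[name] = ["plaintext-to-origin"]
            continue
        flags = {f for f in re.split(r"[,:]", opts.get("sslflags", "")) if f}
        report[name] = sorted(flags & WEAK_FLAGS)
    return report

if __name__ == "__main__":
    for peer, findings in audit_peer_tls(SAMPLE_CONF).items():
        print(f"{peer}: {', '.join(findings) or 'certificate verification enabled'}")
```

The pinnedServer line shows the alternative for a self-signed origin: trust that one certificate with sslcafile= and name the expected host with ssldomain= instead of switching verification off.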
