Re: [squid-users] reverse proxy config

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 18 Feb 2012 20:29:21 +1300

On 18/02/2012 3:09 a.m., Erich Titl wrote:
> Hi Folks
>
> I am trying to set up a reverse proxy for a number of systems, but
> appear to fail to define the cache peer correctly.
>
> The reverse proxy settings
>
> ####################################################################################
> # squid reverse proxy settings for ssl acceleration
> # content shamelessly adapted from
> #
> http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
> # Copyleft 2012 erich.titl_at_think.ch
> ####################################################################################
>
> https_port 443 cert=/etc/squid3/gever.crt key=/etc/squid3/gever.key
> accel protocol=http

Why set protocol http:// ??

You are missing vhost (locate and use HTTP/1.1 Host: header. 3.1 and
older Squid have it absent for HTTP/1.0 compliance) and/or defaultsite
(domain to use as URL domain if none can be located).

>
> # peer pfaeffikon
> cache_peer pfaeffikon.gever.asp.ruf.ch parent 8083 0 no-query
> originserver name=pfaeffikon-ssl
> cache_peer_domain pfaeffikon-ssl m278.asp.ruf.ch
>
> acl sites_server_104 dstdomain m278.asp.ruf.ch
> cache_peer_access pfaeffikon-ssl allow sites_server_104

Note: cache_peer_access and cache_peer_domain are alternative methods of
deciding whether to service the request there. You can drop one of them.

> http_access allow sites_server_104
> ####################################################################################
>
> Here is an excerpt of the cache.log file
>
> 2012/02/17 14:47:07 kid1| Accepting HTTP Socket connections at
> local=[::]:8080 remote=[::] FD 15 flags=9
> 2012/02/17 14:47:07 kid1| Accepting reverse-proxy HTTPS Socket
> connections at local=[::]:443 remote=[::] FD 16 flags=9
> 2012/02/17 14:47:07 kid1| Configuring Parent
> pfaeffikon.gever.asp.ruf.ch/8083/0
> 2012/02/17 14:47:07 kid1| Configuring Parent
>
> To me it looks like the cache peer is not accessed correctly.

Maybe. That config says the peer will only service
http://m278.asp.ruf.ch:443/* URLs. And does so without encryption on the
squid<->peer link.

>
> The goal is to terminate https requests on the proxy and forwarding the
> requests for pfaeffikon.gever.asp.ruf.ch to a peer called
> m278.asp.ruf.ch on port 8083
>
> I see the requests arriving at the squid host, but it appears that it
> does not use the host specified in the peer parameters but uses the name
> of the original request host.

Yes. Exactly so. The client is asking for
https://pfaeffikon.gever.asp.ruf.ch/. Squid will attempt to service that
request.

You have told Squid to only accept requests for the domain m278.asp.ruf.ch.

Amos
Received on Sat Feb 18 2012 - 07:29:31 MST
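The fragment below is an added example, not Erich's posted config or part of Amos's reply. It applies the three points raised in the thread (add vhost/defaultsite to https_port, keep only one of cache_peer_access and cache_peer_domain, and match the domain the clients actually request) to the setup as Erich describes it: clients ask for pfaeffikon.gever.asp.ruf.ch, the origin server is m278.asp.ruf.ch on port 8083. The certificate paths, peer name and the acl name pfaeffikon_site are reused or assumed from the thread; the directive syntax is Squid 3.x.

```conf
# Added example (not from the thread): corrected reverse-proxy fragment.
# Assumed roles, as Erich states them: clients request
# pfaeffikon.gever.asp.ruf.ch; the origin is m278.asp.ruf.ch:8083.

# Terminate HTTPS on the proxy. vhost takes the URL domain from the
# client's Host: header; defaultsite supplies one when no Host: arrives.
# The 'protocol=http' option from the original config is dropped.
https_port 443 accel vhost defaultsite=pfaeffikon.gever.asp.ruf.ch cert=/etc/squid3/gever.crt key=/etc/squid3/gever.key

# Origin server behind the proxy. This squid<->peer hop is plain HTTP,
# so the peer should only be reachable from the proxy on a trusted network.
cache_peer m278.asp.ruf.ch parent 8083 0 no-query originserver name=pfaeffikon-ssl

# Route only requests for the name the clients actually ask for.
# cache_peer_domain is omitted: cache_peer_access already decides this.
acl pfaeffikon_site dstdomain pfaeffikon.gever.asp.ruf.ch
cache_peer_access pfaeffikon-ssl allow pfaeffikon_site
cache_peer_access pfaeffikon-ssl deny all

# Accept only the accelerated site; never let Squid fetch it directly.
http_access allow pfaeffikon_site
http_access deny all
never_direct allow pfaeffikon_site
```

With this, a client request for https://pfaeffikon.gever.asp.ruf.ch/ matches pfaeffikon_site, is allowed by http_access and is forwarded to the origin at m278.asp.ruf.ch:8083 over plain HTTP; with the original config the same request matched nothing, because the acl only covered m278.asp.ruf.ch. Verify with `squid -k parse` before reloading, and watch cache.log for the "Configuring Parent m278.asp.ruf.ch/8083/0" line.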

This archive was generated by hypermail 2.2.0 : Sun Feb 19 2012 - 12:00:04 MST