Re: [squid-users] Reverse proxy HTTPS redirection before SSL cert has been readed

From: David Benach <dbenach_at_inventiva.es>
Date: Mon, 11 Jun 2012 13:44:23 +0200

OK Amos.

Thanks for your fast response.

David Benach.

On 11.06.2012 12:39, Amos Jeffries wrote:

> On 11/06/2012 9:53 p.m., David Benach wrote:
>
>> Hello all. We have a squid 3.0.STABLE15 used as reverse proxy on a
>> SUSE SLES 11 SP0. This squid serves the Internet access to some of our
>> portals. The communication with the webservers is in HTTP and, for one
>> of the domains, the squid serves an SSL certificate bought from a known
>> CA. At the moment, all works fine and we have no problems with
>> operation. Now, we need to enable HTTPS communication from another
>> domain but without using (and buying) another SSL certificate, because
>> we want to change this URL in the browser to the one that works in
>> HTTPS correctly. The URL redirection is going well, but an
>> ssl_error_bad_cert_domain appears in the web browser because the SSL
>> certificate had been read before. Is it possible to do the redirection
>> before the SSL certificate has been read? We have been searching for
>> a solution with no positive result. Can you help us?
>
> No. The connection setup has a specific order:
> * TCP handshake
> * TLS certificate exchange
> - (connection is now ready for use)
> * HTTP request
> * HTTP response (redirect)
> ...
>
> You cannot place the redirect before the HTTP request, and that
> request requires the TLS to be completed first.
>
>> This is an extract of the actual configuration (the redirection works
>> but the cert error appears on the client):
>>
>> http_port 80 vhost defaultsite=www.domain1.com
>> https_port 443 vhost defaultsite=www.domain1.com key=/etc/ssl/certs/unencrypt_vsdomain1.key cert=/etc/ssl/certs/vsdomain1.cert capath=/etc/ssl/certs/intermediateCA.cert
>
> All domains served by Squid on port 443 are sharing this one
> certificate.
>
> You can make the certificate a wildcard certificate covering multiple
> sub-domains. Or open several specific IP:port for Squid to listen on
> with different certificates. One domain resolving to each of those
> IP:ports.
>
> Amos

Received on Mon Jun 11 2012 - 11:44:30 MDT
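Added example, not part of the thread or of Squid: a small Python model of the point Amos makes. The browser compares the certificate it receives during the TLS handshake against the hostname it typed, before it can send any HTTP request, so an HTTP redirect can never fix a name mismatch; only a certificate that covers the name, or a separate IP:port with its own certificate, can. The script implements browser-style name matching (exact name or a single leftmost wildcard label, subjectAltName preferred over CN) and checks three constructed layouts: the poster's shared listener, a wildcard certificate, and a second IP:port. All IPs, hostnames and certificate contents are invented for the example.

```python
# Added example: models the point made in the thread, that a browser checks the
# server certificate against the requested hostname during the TLS handshake,
# before any HTTP request (and therefore any redirect) can be sent. It takes a
# constructed DNS map and a constructed set of Squid https_port listeners and
# reports which vhosts would raise ssl_error_bad_cert_domain. All names, IPs
# and certificate contents below are assumptions, not the poster's real setup.

def hostname_matches(pattern, hostname):
    """RFC 6125 style name matching, as browsers apply it to a certificate.

    A wildcard is only honoured as the entire leftmost label ('*.domain1.com'),
    matches exactly one label, and needs at least two labels after it, so
    '*.com' matches nothing and '*.domain1.com' does not match 'a.b.domain1.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if the certificate's names cover hostname.

    Browsers use the subjectAltName list when present and fall back to the
    subject CN only when the certificate has no SAN extension.
    """
    names = cert.get("san") or [cert["subject_cn"]]
    return any(hostname_matches(n, hostname) for n in names)


def check_vhosts(dns, listeners, port=443):
    """Map each hostname to the browser-side outcome of its TLS handshake.

    dns: {hostname: ip} (what the public A records say)
    listeners: {(ip, port): cert} (one cert per Squid https_port, as in the
               thread, where all vhosts on one https_port share its cert)
    Returns {hostname: None on success, else a short failure label}.
    """
    results = {}
    for hostname, ip in dns.items():
        cert = listeners.get((ip, port))
        if cert is None:
            results[hostname] = "no https listener"
        elif not cert_covers(cert, hostname):
            # The handshake has already failed here: no HTTP request is ever
            # sent, so a redirect configured in Squid cannot help.
            results[hostname] = "ssl_error_bad_cert_domain"
        else:
            results[hostname] = None
    return results


# Constructed scenario 1: the poster's layout. Both domains resolve to the one
# IP, Squid has one https_port 443 with the domain1 certificate.
DOMAIN1_CERT = {"subject_cn": "www.domain1.com",
                "san": ["www.domain1.com", "domain1.com"]}
SHARED_DNS = {"www.domain1.com": "192.0.2.10", "www.domain2.com": "192.0.2.10"}
SHARED_LISTENERS = {("192.0.2.10", 443): DOMAIN1_CERT}

# Constructed scenario 2: Amos's first option, a wildcard certificate. It fixes
# extra sub-domains of domain1.com but still cannot cover www.domain2.com.
WILDCARD_CERT = {"subject_cn": "*.domain1.com",
                 "san": ["*.domain1.com", "domain1.com"]}
WILDCARD_DNS = {"www.domain1.com": "192.0.2.10",
                "portal2.domain1.com": "192.0.2.10",
                "www.domain2.com": "192.0.2.10"}
WILDCARD_LISTENERS = {("192.0.2.10", 443): WILDCARD_CERT}

# Constructed scenario 3: Amos's second option, a second IP:port with its own
# certificate and domain2 pointed at it in DNS.
DOMAIN2_CERT = {"subject_cn": "www.domain2.com", "san": ["www.domain2.com"]}
SPLIT_DNS = {"www.domain1.com": "192.0.2.10", "www.domain2.com": "192.0.2.11"}
SPLIT_LISTENERS = {("192.0.2.10", 443): DOMAIN1_CERT,
                   ("192.0.2.11", 443): DOMAIN2_CERT}


def run_scenarios():
    return {"shared": check_vhosts(SHARED_DNS, SHARED_LISTENERS),
            "wildcard": check_vhosts(WILDCARD_DNS, WILDCARD_LISTENERS),
            "split": check_vhosts(SPLIT_DNS, SPLIT_LISTENERS)}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name)
        for host, problem in outcome.items():
            print("  %-22s %s" % (host, problem or "ok"))
```

Run it directly to see the three layouts side by side: the shared listener fails for www.domain2.com exactly as the poster saw, the wildcard only extends coverage within domain1.com, and the split IP:port layout passes for both names. The same check is useful before any reverse-proxy change that adds a hostname to an existing https_port: confirm the listener's certificate names cover the new name, or give it its own listener.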

This archive was generated by hypermail 2.2.0 : Mon Jun 11 2012 - 12:00:03 MDT