Re: [squid-users] Squid 2.6 and https_port

From: Gianluigi Ruggeri <gianluigi83_at_gmail.com>
Date: Thu, 5 Dec 2013 10:58:34 +0100

Thanks for the reply.

OK, I changed:

1) I configured my iptables in this way:

# Generated by iptables-save v1.4.7 on Wed Nov 9 13:37:50 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10363:2864591]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Nov 9 13:37:50 2011
# Generated by iptables-save v1.4.7 on Wed Nov 9 13:37:50 2011
*nat
:PREROUTING ACCEPT [4:650]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3125
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT

2) I configured http_port in squid.conf:

http_port 3128 accel

and I added the line:

cache_peer 192.168.2.37 parent 80 0

Now, if I call:
- mysite.com -----> It's OK
- mysite.com/test ---> It's OK, but I see in the browser URL bar:
mysite.com:3128/test. Why??

3) I configured https_port in squid.conf:

https_port 3125 accel cert=/etc/squid/ssl/certificate.pem key=/etc/squid/ssl/private.pem

I use Squid 2.6 stable 21 (on CentOS 5), and to enable SSL I have to
use this command: squid --enable-ssl (Is it correct??) Otherwise I don't
see port 3125 in the result of the command:

sudo netstat -anp | grep squid

Is it necessary to also add a cache_peer line for port 443? How can I add
another cache_peer with the same IP address?

Please help me!! ;(
Thanks

2013/12/5 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 4/12/2013 9:19 p.m., Gianluigi Ruggeri wrote:
>> Hi,
>>
>> thanks for your reply.
>> I'm confused... I use Squid as a web cache in front of my Apache web
>> server and I want the user not to notice its presence (the user
>> connects to myHost.com and will not know whether Squid is there). I
>> understood that this configuration is a transparent proxy.
>>
>
> No. That network design is reverse-proxy.
>
> Whether the users can notice it or not does not matter. It is the
> official public portal to your website.
>
>
>> Is it correct for my purpose? What exactly is a forward proxy or
>> reverse proxy? Are these types similar to the configuration I
>> need?
>
> Forward-proxy is a proxy run by an ISP, caching the users' access to lots
> of different websites to speed it up.
>
> Reverse-proxy is a proxy run as CDN sitting in front of a web server.
> For caching and reducing the load on the web server such that it can
> service many more visitors at once.
>
> Does that help clarify?
>
>
>
> To change your config to reverse-proxy:
>
> 1) use the "accel" option on your http_port and https_port lines
> instead of "transparent".
>
> 2) configure cache_peer lines in squid.conf pointing at the Apache.
>
> 3) point your website DNS records at the proxy IP instead of the Apache IP.
>
> NP: you can either use the same cert on apache and Squid, or a
> self-signed certificate on Apache. So long as Squid trusts the CA used
> to sign the Apache cert it does not matter.
> Your site's official public cert should be used on the Squid https_port
> either way.
>
> There are some example configurations at
> http://wiki.squid-cache.org/ConfigExamples/#Reverse_Proxy_.28Acceleration.29
>
>
> Amos
Received on Thu Dec 05 2013 - 09:58:40 MST
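A side effect of the posted ruleset worth checking: `-A INPUT -i eth+ -j ACCEPT` sits above the per-port rules, and because REDIRECT rewrites the destination port in nat/PREROUTING before filter/INPUT runs, it is that blanket rule (not the port 80/443 rules) that lets redirected traffic reach 3128 and 3125, while also leaving every other TCP port on eth0 open. The checker below is an added example, not part of the thread; it walks an iptables-save dump with first-match semantics over a constructed, abridged copy of the rules above.

```python
import shlex
# Constructed, abridged copy of the filter and nat rules posted in the thread.
RULESET = """\
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3125
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
"""
FLAGS = {"-i": "iface", "-p": "proto", "--dport": "dport", "-j": "target", "--to-ports": "to_ports", "--state": "state"}

def parse_rules(dump):
    """One dict per -A line, in ruleset order, tagged with its table."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = shlex.split(line)
            opts = {FLAGS[t]: toks[i + 1] for i, t in enumerate(toks[:-1]) if t in FLAGS}
            rules.append({"table": table, "chain": toks[1], **opts})
    return rules

def iface_matches(pattern, iface):
    """'-i eth+' is a prefix wildcard in iptables; a bare name must match exactly."""
    return pattern is None or pattern == iface or (pattern.endswith("+") and iface.startswith(pattern[:-1]))

def verdict_for_new_tcp(rules, iface, port):
    """First-match walk of filter/INPUT for a NEW TCP connection to iface:port (INPUT sees the post-REDIRECT port)."""
    for r in rules:
        if (r["table"], r["chain"]) != ("filter", "INPUT"):
            continue
        if r.get("proto") not in (None, "tcp") or r.get("dport") not in (None, str(port)):
            continue
        if "NEW" not in r.get("state", "NEW") or not iface_matches(r.get("iface"), iface):
            continue
        return r["target"], r.get("iface")  # ("ACCEPT", "eth+") for any port with the posted rules
    return "POLICY", None  # fell through to the chain policy

def exposed_redirect_targets(rules, iface="eth0"):
    """Squid ports fed by REDIRECT that the filter table also accepts directly from the network."""
    targets = {int(r["to_ports"]) for r in rules if r.get("target") == "REDIRECT"}
    return sorted(p for p in targets if verdict_for_new_tcp(rules, iface, p)[0] == "ACCEPT")
```

Removing the `eth+` line from the constructed ruleset flips the verdict for 3128 and 3125 to REJECT, which is the case where redirected traffic would silently stop reaching Squid.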