Re: [squid-users] Squid 2.6 and https_port

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 05 Dec 2013 23:34:35 +1300

On 5/12/2013 10:58 p.m., Gianluigi Ruggeri wrote:
> thanks for the reply..
>
> ok, I changed:
>
> 1) I configured my iptables in this way:
>
>
> # Generated by iptables-save v1.4.7 on Wed Nov 9 13:37:50 2011
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [10363:2864591]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth+ -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -p icmp -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i eth+ -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Wed Nov 9 13:37:50 2011
> # Generated by iptables-save v1.4.7 on Wed Nov 9 13:37:50 2011
> *nat
> :PREROUTING ACCEPT [4:650]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3125
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> COMMIT
>
>
>
> 2) I configured http_port in squid.conf:
>
> http_port 3128 accel
>
> and I added the line:
>
> cache_peer 192.168.2.37 parent 80 0
>
> Now, if I call:
> - mysite.com -----> It's ok
> - mysite.com/test ---> It's ok but I see in the browser URL bar:
> mysite.com:3128/test. Why??

Because you used NAT to get the port 80 traffic to Squid, and it passes
the information that your site is served on port 3128 to Apache, which
somehow leaks out to the browser as well.

It is better just to use "http_port 80 accel" and not have the iptables
NAT rules.
Same for port 443 on the https_port.

>
> 3) I configured https_port in squid.conf:
>
> https_port 3125 accel cert=/etc/squid/ssl/certificate.pem
> key=/etc/squid/ssl/private.pem
>
> I use Squid 2.6 stable 21 (on CentOS 5) and to enable SSL I have to
> use this command: squid --enable-ssl (Is it correct??) Otherwise I do not see

No. You need to have a squid *built* with the ./configure --enable-ssl
option.

> the port 3125 in the result of the command:
>
> sudo netstat -anp | grep squid
>
>
> Is it necessary to also add a cache_peer line for port 443? How can I add
> another cache_peer with the same IP address?

cache_peer has a name= option to create two peers with the same IP or
hostname but different names.
I'm not sure if that is available in 2.6. You may need to upgrade to a
newer version (http://wiki.squid-cache.org/KnowledgeBase/CentOS).
AFAIK these packages have SSL enabled already, so the upgrade will
solve many problems for you at once.

Amos
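A squid.conf along the lines Amos suggests, added here as an example that is not from the thread or the Squid project: Squid listens on 80 and 443 itself (so the REDIRECT rules to 3125/3128 are dropped), and cache_peer name= keeps two peers on 192.168.2.37 apart. It assumes a Squid 3.x build made with --enable-ssl (for the myportname ACL and the originserver/ssl peer options), that Apache on 192.168.2.37 also listens on 443 with a certificate Squid can verify, and the site name mysite.com from the thread.

```conf
# Accelerator ports on the real ports; no iptables REDIRECT to 3128/3125.
# name= on each port lets the myportname ACL below tell them apart.
http_port 80 accel defaultsite=mysite.com vhost name=plain80
https_port 443 accel defaultsite=mysite.com vhost name=tls443 cert=/etc/squid/ssl/certificate.pem key=/etc/squid/ssl/private.pem

# Two peers on the same origin host, distinguished by name=.
# originserver marks them as web servers, not proxies; ssl makes Squid
# speak TLS to the 443 peer (Squid verifies the peer certificate by default).
cache_peer 192.168.2.37 parent 80 0 no-query originserver name=apache_http
cache_peer 192.168.2.37 parent 443 0 no-query originserver ssl name=apache_https

# Only accept requests for the published site; everything else is denied,
# so the accelerator cannot be used as an open proxy.
acl site dstdomain mysite.com
acl via_tls myportname tls443
http_access allow site
http_access deny all

# Route requests that arrived on 443 to the TLS peer, the rest to port 80,
# and never let Squid bypass the peers and go direct.
cache_peer_access apache_https allow via_tls
cache_peer_access apache_https deny all
cache_peer_access apache_http deny via_tls
cache_peer_access apache_http allow all
never_direct allow all
```

Keep the INPUT rules that accept 80 and 443 on the firewall; they are still needed once Squid binds those ports directly.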
Received on Thu Dec 05 2013 - 10:34:45 MST
