Re: [squid-users] Squid 2.6 and https_port

From: Gianluigi Ruggeri <gianluigi83_at_gmail.com>
Date: Thu, 5 Dec 2013 12:49:01 +0100

Ok,
about the first point...
I disabled NAT...

now I have my apache server on port :8008

and my Squid http_port is 80.

in my cache_peer 192.168.2.37 parent 8008 0

but when I try to call http://myhost.com/test1 I see the correct page
but in the browser url I see: http://myhost.com:8008/test1

Is it possible to hide the 8008 port number?
Do I have to add some options to my cache_peer?

2013/12/5 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 5/12/2013 10:58 p.m., Gianluigi Ruggeri wrote:
>> thanks for the reply..
>>
>> ok, I changed:
>>
>> 1) I configured my iptables in this way:
>>
>>
>> # Generated by iptables-save v1.4.7 on Wed Nov 9 13:37:50 2011
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [10363:2864591]
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i eth+ -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -p icmp -j ACCEPT
>> -A FORWARD -i lo -j ACCEPT
>> -A FORWARD -i eth+ -j ACCEPT
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>> # Completed on Wed Nov 9 13:37:50 2011
>> # Generated by iptables-save v1.4.7 on Wed Nov 9 13:37:50 2011
>> *nat
>> :PREROUTING ACCEPT [4:650]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3125
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>> COMMIT
>>
>>
>>
>> 2) I configured http_port in squid.conf:
>>
>> http_port 3128 accel
>>
>> and I added the line:
>>
>> cache_peer 192.168.2.37 parent 80 0
>>
>> Now, if I call:
>> - mysite.com -----> It's ok
>> - mysite.com/test ---> It's ok but I see in the browser url bar:
>> mysite.com:3128/test Why??
>
> Because you used NAT to get the port 80 traffic to Squid and it passes
> the information that your site is served on port 3128 to Apache, that
> somehow leaks out to the browser as well.
>
> It is better just to use "http_port 80 accel" and not have the
> iptables NAT rules.
> Same for port 443 on the https_port.
>
>
>>
>> 3) I configured https_port in squid.conf:
>>
>> https_port 3125 accel cert=/etc/squid/ssl/certificate.pem
>> key=/etc/squid/ssl/private.pem
>>
>> I use Squid 2.6 stable 21 (on CentOS 5) and to enable SSL I have to
>> use this command: squid --enable-ssl (Is this correct??) Otherwise I do not see
>
> No. You need to have a squid *built* with the ./configure --enable-ssl
> option.
>
>
>> the port 3125 in the result of the command:
>>
>> sudo netstat -anp | grep squid
>>
>>
>> Is it necessary to also add a cache_peer line for port 443? How can I add
>> another cache_peer with the same IP address?
>
> cache_peer has a name= option to create two peers with same IP or
> hostname but different names.
> I'm not sure if that is available in 2.6. You may need to upgrade to a
> newer version (http://wiki.squid-cache.org/KnowledgeBase/CentOS).
> AFAIK these packages have SSL enabled already, so the upgrade will
> solve many problems for you at once.
>
>
> Amos
Received on Thu Dec 05 2013 - 11:49:08 MST
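The following squid.conf is an added, worked example of the layout Amos describes (Squid listening directly on 80 and 443 in accel mode, no iptables REDIRECT, two cache_peer lines for the same backend IP told apart by name=). It is not configuration posted in this thread or shipped by the Squid project. It assumes a Squid build with SSL support and a version that accepts cache_peer name= and originserver (Amos is unsure name= exists in 2.6, so a newer package as he suggests is assumed); myhost.com, the backend 192.168.2.37:8008 and the certificate paths are taken from the thread, while the backend listening for TLS on 192.168.2.37:443 is an assumption.

```conf
# Added example, not from the thread. Assumes Squid built with --enable-ssl
# and a version supporting cache_peer name= / originserver.

# Listen on the real service ports; the iptables PREROUTING REDIRECT
# rules for 80 and 443 are removed entirely.
http_port 80 accel defaultsite=myhost.com vhost
https_port 443 accel defaultsite=myhost.com vhost \
    cert=/etc/squid/ssl/certificate.pem key=/etc/squid/ssl/private.pem

# Two peers on the same IP, distinguished by name=. The 443 backend is an
# assumption for this example; "ssl" on a cache_peer needs --enable-ssl.
cache_peer 192.168.2.37 parent 8008 0 no-query originserver name=apache_http
cache_peer 192.168.2.37 parent 443  0 no-query originserver ssl name=apache_https

# Drop this line on Squid 3.2 or newer, where "all" is predefined.
acl all src 0.0.0.0/0.0.0.0
acl our_site dstdomain myhost.com
acl via_tls myport 443

# Only accept requests for the site we front; otherwise the accelerator is
# an open proxy on port 80/443.
http_access allow our_site
http_access deny all

# Requests that arrived on 443 go to the TLS backend, the rest to :8008.
cache_peer_access apache_https allow via_tls
cache_peer_access apache_https deny all
cache_peer_access apache_http deny via_tls
cache_peer_access apache_http allow all

# Never contact the origin directly; always use the peers above.
never_direct allow all
```

Before reloading, confirm the binary was built with SSL (the configure options are printed by `squid -v`; look for --enable-ssl there rather than passing it to the squid binary), check the file with `squid -k parse`, and after restart `netstat -anp | grep squid` should now show listeners on :80 and :443 instead of 3128/3125. The filter rules in the thread already accept inbound 80 and 443, so only the two nat-table REDIRECT lines need to go. How the backend builds Location headers for redirects (the source of the :8008 in the address bar) is outside this example.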

This archive was generated by hypermail 2.2.0 : Thu Dec 05 2013 - 12:00:04 MST