Re: SSL handling with Squid 2

From: <rstagg@dont-contact.us>
Date: Thu, 17 Dec 1998 18:47:19 +0000

Sorry to bother you again.

I've tried implementing your ideas, which look eminently sane, and the
results were not good. I've simplified them to just get a single upstream
parent and the SSL host working:

  cache_peer parent-1 parent 8080 7 no-query no-digest
  cache_peer parent-ssl sslhost 8081 7 no-query no-digest

  acl all src 0.0.0.0/0.0.0.0
  acl CONNECT method CONNECT

  never_direct allow CONNECT

  cache_peer_acl parent-ssl CONNECT
  cache_peer_acl parent-ssl !all
  cache_peer_acl parent-1 !CONNECT

(I found I needed to add the never_direct line or it tried to connect
directly!) If I used "parenthost" rather than "parent" for the normal
parent then it gave me an ERR_CANNOT_FORWARD. Basically with the setup like
this, the ordinary browsing works perfectly through the normal parent, but
any CONNECTS are handed to "parent-1" as well, in complete contradiction to
the instructions in the acls. However, if I remove all mention of
"parent-1", then all requests are handed to "parent-ssl", and this at least
demonstrates that CONNECTS work if forwarded in the right direction.

I then made things even simpler, adopting the line taken in the FAQ:
     cache_peer_acl parent-1 !CONNECT

And left it at that. And it _still_ passed CONNECT requests to "parent-1".

I have been unable to make any sense of this. Have you got any further
suggestions or ideas?

Regards

Richard Stagg

jeffb@netc.com on 17/12/98 16:35:38

To: Richard Stagg/TMU/CSC
cc:
Subject: Re: SSL handling with Squid 2

Easy one.
cache_peer parent-1 parenthost 3128 3130 weight=99
cache_peer parent-2 backuphost 3128 3130 weight=1
cache_peer parent-ssl sslhost ...
acl all src 0.0.0.0/0.0.0.0
acl CONNECT method CONNECT
cache_peer_acl parent-ssl CONNECT
cache_peer_acl parent-ssl !all
cache_peer_acl parent-1 !CONNECT
cache_peer_acl parent-2 !CONNECT
(The weight options tell it to pretty much always use parent-1 unless
parent-1 is down)
On Thu, 17 Dec 1998 rstagg@csc.com wrote:
> Greetings,
>
> I know this one is in the FAQ. I've been over it a few times and I can't
> get it to work for me.
>
> My setup: there are several parents for my proxy. For conventional
> browsing my proxy uses "parent-1", but needs to be able to be reconfigured
> quickly to use "parent-2" in the event of the first machine failing. This
> is easily achieved by having two "cache_peer" lines, with the appropriate
> one commented out.
>
> There is a third parent which is always present - "parent-ssl". This
> device _only_ handles SSL traffic.
>
> Under Squid-1, this was easy too - just a little SSL_proxy line in the
> config file.
>
> However, I cannot for the life of me figure out how to replicate this
> setup in Squid-2 using ACLs. If I define two cache_peer lines, one for
> "parent-1" and one for "parent-ssl" how do I stop the cache from sending
> normal traffic to the SSL box? How do I force all SSL to that one device?
> And does the fact that the non-SSL parent can change complicate things?
>
> Any examples or advice would be greatly appreciated.
>
> Richard Stagg
> CSC Computer Sciences
>
>
>
Received on Thu Dec 17 1998 - 12:03:09 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:40 MST