Re: [squid-users] Squid3: https virtual domain redirects

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 6 Sep 2003 01:06:06 +0200

On Friday 05 September 2003 20.45, Jim Flowers wrote:
> I am trying to set up a Squid3 accelerator to accept https://
> requests and to rewrite them to a virtual domain as http://
> requests. In order to do this I use:
>
> https_port 443 cert=/usr/local/etc/apache/ssl.crt/server.crt
> key=/usr/local/etc/apache/ssl.key/server.key accel
> defaultsite=my.virtualhost.com protocol=http.

Looks fine.

> This appears to rewrite everything to http://my.virtualhost.com on
> its own and does not ever get to the redirect_program instead
> showing up as an http:// request at my.virtualhost.com on port 443.

Why are you using a redirect program?

The requests should not get forwarded at all unless you for some
reason force these direct, and if they are they should end up as
http://my.virtualhost.com/ (port 80).

There were some minor issues in how Squid-3 handled this some weeks ago
(sometimes getting the port number incorrect on accelerated requests)
but it should work fine now.

> Can Apache3 be configured as an accelerator rewriting https://
> requests to http:// name-based virtual domains? How do I get the
> request to the redirect_program?

This is a Squid list, not an Apache list.

If I understand you correctly you want Squid to accept https requests
and forward them to a http server of your choice? If this is the case
then use something like this:

https_port 443 cert=... key=... accel defaultsite=...
(don't use protocol=)

cache_peer your.http.server parent 80 0 no-query originserver

acl my dstdomain my.virtualhost.com
cache_peer_access your.http.server allow my

If the domain name requested by the browser is different compared to
the domain name expected by the http server then you have three
options:

a) Set the defaultsite= to the domain name expected by the web server
(not recommended.. this should be set to the externally visible
domain name)

b) Use a redirector to rewrite the URL while forwarded by Squid (this
will modify the cache_peer_access requirements accordingly).

c) Use the forcedomain= cache_peer option.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri Sep 05 2003 - 17:06:21 MDT
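
Option (b) from the message above, as an added example that is not code from the original post or from the Squid project: a minimal helper for redirect_program that maps the externally visible name to the name the http server expects. Assumptions: the classic helper line format (`URL client_ip/fqdn ident method` in, rewritten URL or an empty line out) and the hypothetical backend name `backend.vhost.example`.

```python
#!/usr/bin/env python3
"""Squid redirector sketch: map the public site name to the backend's vhost name."""
import sys
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "my.virtualhost.com"      # externally visible name from the thread
BACKEND_HOST = "backend.vhost.example"  # hypothetical name the http server expects


def rewrite_url(url):
    """Return the rewritten URL, or "" to tell Squid to leave the request as is."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:                  # malformed authority or port
        return ""
    # Exact host match only: a substring test would also rewrite
    # my.virtualhost.com.other.example or a URL carrying the name in its path.
    if parts.scheme not in ("http", "https") or host != PUBLIC_HOST:
        return ""
    # Default ports (including the accelerator's 443) map to plain http on 80.
    if port in (None, 80, 443):
        netloc = BACKEND_HOST
    else:
        netloc = "%s:%d" % (BACKEND_HOST, port)
    return urlunsplit(("http", netloc, parts.path or "/", parts.query, ""))


def handle_line(line):
    """One helper request per line; only the first field (the URL) is used."""
    fields = line.split()
    return rewrite_url(fields[0]) if fields else ""


def main():
    for line in sys.stdin:
        # One reply line per request, flushed at once: Squid waits for it.
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With this in place the cache_peer_access ACL has to match the rewritten name rather than the public one, as the message notes for option (b).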