Re: [squid-users] SSL rev proxy, redirector, 302 problems

From: Jesse Reynolds <lizst@dont-contact.us>
Date: Fri, 5 Dec 2003 13:51:05 +1100

At 3:01 +0100 5/12/03, Henrik Nordstrom wrote:
>On Fri, 5 Dec 2003, Jesse Reynolds wrote:
>
>> Why do redirectors worsen the situation?
>
>Depends on what the redirector does. Provided it only adds options to the
>URL and does not modify the URL there is no problem.
>
>But if the redirector modifies the host component of the URL or the
>URL-path then there is even less information to the web server/application
>on what the original URL was in the browser and a bigger risk for
>mismatches.

We change the hostname and port of the URL in the redirector. We have
to do this because we have different backend web servers for
different paths (e.g. www.host.com/app1 is redirected to
internalhost.host.com:8080/app1 )

Isn't this the purpose of a redirector when squid is in accelerator mode?

>
>> We are on 2.5 so can't use Front-End-Https: unfortunately, but that
>> sounds more elegant than what we're doing. We have gone ahead and
>> are tacking an SSL=1 param on the end of the URLs if they were
>> accessed with HTTPS, this is working well for us, if a bit ugly.
>
>Another option which you might be able to try is to rewrite the URLs into
>https:// and configure the web server as a parent proxy (but remember to
>disable server-side persistent connections). This will make Squid send the
>full URL to the server including protocol, not only the URL-path + query.

Ah, interesting. Can you do this in combination with a redirector to
separate different path to host relationships? ... Wouldn't the web
server try and encrypt the response if it gets a https? Or does it
decide whether to encrypt or not based on other headers?

Jesse

-- 
   ::: Jesse Reynolds +61 (0)414 669 790 ::: AIM - jessedreynolds :::
   ::: Virtual Artists Pty Ltd, Adelaide ::: http://www.va.com.au :::
Received on Thu Dec 04 2003 - 19:51:21 MST
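
The redirector setup discussed in this message, sketched as an added example (not part of the original message and not the poster's actual redirector): a Squid 2.5 style helper that reads one request per line with the URL as the first field, maps path prefixes to backend host:port pairs, and marks requests that arrived over HTTPS with SSL=1. Assumptions: the `/app2` route is constructed, the helper is assumed to see an `https://` scheme for SSL requests, and stripping any client-supplied `SSL` parameter is an added hardening step so that a plain-HTTP client cannot set the marker itself.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed routing table: public path prefix -> internal backend host:port.
# Only the /app1 entry mirrors the message; /app2 is a made-up second route.
BACKENDS = {
    "/app1": "internalhost.host.com:8080",
    "/app2": "internalhost2.host.com:8081",
}

def rewrite(url):
    """Return the backend URL for a public URL, or "" to leave it unchanged."""
    parts = urlsplit(url)
    # Match whole path segments only, so /app10 does not fall under /app1.
    backend = next((b for p, b in BACKENDS.items()
                    if parts.path == p or parts.path.startswith(p + "/")), None)
    if backend is None:
        return ""
    # Drop any SSL parameter the client sent: the marker must come only
    # from the proxy, otherwise the backend would trust a forged value.
    params = [kv for kv in parts.query.split("&")
              if kv and kv.split("=", 1)[0] != "SSL"]
    # Assumption: requests accepted on the SSL port reach us as https://.
    if parts.scheme == "https":
        params.append("SSL=1")
    # Squid talks plain HTTP to the backend; the original scheme and host
    # are gone after this point, which is the mismatch risk raised above.
    return urlunsplit(("http", backend, parts.path, "&".join(params), ""))

def handle_line(line):
    """Process one helper input line: 'URL client_ip/fqdn ident method'."""
    fields = line.split()
    return rewrite(fields[0]) if fields else ""

if __name__ == "__main__":
    # One reply line per request; a blank line tells Squid "no change".
    for request in sys.stdin:
        print(handle_line(request), flush=True)
```

Because the backend only ever sees the internal host and port, any absolute URL it builds for a 302 has to be derived from the SSL marker and a configured public hostname rather than from the request it received.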
