RE: [squid-users] SSL and Reverse Proxy

From: Brad Taylor <btaylor@dont-contact.us>
Date: Tue, 24 Aug 2004 18:24:38 -0400

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Tuesday, August 24, 2004 5:52 PM
To: Brad Taylor
Cc: Henrik Nordstrom; Chris Perreault; squid-users@squid-cache.org
Subject: RE: [squid-users] SSL and Reverse Proxy

On Tue, 24 Aug 2004, Brad Taylor wrote:

> I updated my Squid install with the SSL update.
> I'm still having trouble getting this to work. Here is what I have.
>
> http_port 80
> httpd_accel_host 192.168.60.100 (SSL web server)

This should be the public domain name.

-- I'm using it for testing. Will it work OK for testing?

> httpd_accel_port 80 the web site at the page will redirect the SSL to
> port 443

This should most likely be 443, or virtual.

-- If it is changed to 0 (virtual) I get:

While trying to retrieve the URL: http://192.168.60.100:0/
The following error was encountered:
Invalid URL

> httpd_accel_single host on
> httpd_accel_with_proxy on

a bit dangerous, but ok.

-- will "httpd_accel_with_proxy off" still use reverse cache? I only
want squid to cache the accelerated web site.

> httpd_accel_uses_host_header off

ok.

> https_port 433 cert=/path/cert.pem

ok.

> sslproxy_client_certifacate /path/cert.pem

why this? Does your web server require the use of a client certificate
to access the server?

-- Yes, client has to use https.

> http_access allow all

very dangerous.

-- Only doing this for testing, I'll tighten it up when everything is
working.

> Even though I use the IP address of squid I'm sent to the origin server
> (192.168.60.100)

Most likely your web server redirects the user back to 192.168.60.100.

-- Why? Everything looks to be set up correctly, right? I've seen
cache_peer talked about with SSL. Is that only for multiple Squid boxes?

"log_mime_hdrs on", and study access logs of both Squid and your web
servers.

1093381355.430 21 192.168.60.154 TCP_MISS/302 492 GET http://192.168.60.100/ - DIRECT/192.168.60.100 text/html
1093381374.291 263 192.168.60.154 TCP_MISS/302 425 GET http://192.168.60.100/ - DIRECT/192.168.60.100 text/html
1093381384.850 7 192.168.60.154 TCP_MISS/302 492 GET http://192.168.60.100/ - DIRECT/192.168.60.100 text/html
1093381406.227 11 192.168.60.154 TCP_MISS/302 425 GET http://192.168.60.100/ - DIRECT/192.168.60.100 text/html
1093381423.622 444 192.168.60.154 TCP_MISS/302 425 GET http://192.168.60.100/ - DIRECT/192.168.60.100 text/html

Regards
Henrik
Received on Tue Aug 24 2004 - 16:24:41 MDT
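
Added example (not part of the original message or of Squid): a small Python reader for access.log lines like the ones above. It counts 3xx replies fetched from the origin and, when header logging is on, lists Location targets that point away from the proxy. Assumptions: with log_mime_hdrs on the request and reply headers arrive as two trailing bracketed fields with CR/LF written as %0d%0a; the name proxy.example.test and the last sample line are constructed.

```python
import re
from collections import Counter

# Squid native access.log: time elapsed client result/status bytes method URL
# ident hierarchy/peer type, then (assumed, with log_mime_hdrs on) two
# bracketed fields: request headers and reply headers.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)"
    r"(?:\s+\[(?P<req>.*?)\]\s+\[(?P<rep>.*)\])?\s*$")
LOCATION = re.compile(r"Location:\s*(.+?)(?:%0d|%0a|$)", re.I)

def origin_redirects(lines):
    """Count 3xx replies Squid fetched from the origin, keyed by
    (requested URL, status, origin address, Location target or None)."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not m["status"].startswith("3") or m["hier"] == "NONE":
            continue  # unparsable, not a redirect, or answered from cache
        loc = LOCATION.search(m["rep"] or "")
        hits[(m["url"], int(m["status"]), m["peer"], loc and loc.group(1))] += 1
    return hits

def bypass_targets(hits, proxy_names):
    """Location targets whose host is not one of the proxy's public names,
    i.e. redirects that send the browser around the accelerator."""
    out = set()
    for (_url, _status, _peer, loc) in hits:
        host = re.match(r"https?://([^/:]+)", loc or "")
        if host and host.group(1) not in proxy_names:
            out.add(loc)
    return out

# The first two lines are from the message above; the third is constructed
# to show the header fields (proxy.example.test is a made-up name).
SAMPLE = [
    "1093381355.430 21 192.168.60.154 TCP_MISS/302 492 GET http://192.168.60.100/ - DIRECT/192.168.60.100 text/html",
    "1093381374.291 263 192.168.60.154 TCP_MISS/302 425 GET http://192.168.60.100/ - DIRECT/192.168.60.100 text/html",
    "1093381500.000 12 192.168.60.154 TCP_MISS/302 492 GET http://192.168.60.100/ - DIRECT/192.168.60.100 text/html"
    " [Host: proxy.example.test%0d%0a] [HTTP/1.1 302 Found%0d%0aLocation: https://192.168.60.100/%0d%0a]",
]

if __name__ == "__main__":
    hits = origin_redirects(SAMPLE)
    for key, count in hits.items():
        print(count, key)
    print("bypasses proxy:", bypass_targets(hits, {"proxy.example.test"}))
```

Lines without header fields still count as origin redirects but carry no Location value, so only header-logged entries can show where the browser is being sent.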

This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:02 MDT