Re: [squid-users] Re: https bypass squid cache in reverse proxy mode

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 02 May 2011 12:36:10 +1200

 On Sun, 1 May 2011 23:22:26 +0800, Gary K wrote:
> Hi Amos,
>
> Thank you for your response.
>
> The following is my configuration:
>
> http_port 80 accel defaultsite=www.abc.com
> cache_peer 202.x.x.x parent 80 0 no-query originserver name=myAccel
> acl our_sites dstdomain www.abc.com
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel deny all

 So all traffic arriving on port 80 will be sent to 202.x.x.x.

>
> acl HTTPS proto HTTPS
> deny_info http://www.efg.com/ HTTPS
> http_access deny HTTPS
>
> cache_peer 75.x.x.x parent 80 0 no-query originserver name=myserver1
> acl sites_myserver1 dstdomain www.efg.com

 None of these will be used with the mentioned http_port settings.
 Reverse-proxy will only get traffic on its port 80 (HTTP).
 The main 202.* peer is likely up, so the backup 75.* will not be used
 (no access rules say when 75.* applies, therefore it's available as a
 backup).

>
> I changed my hosts file in Windows and connecting to http://www.efg.com is
> no problem; I can see the log in /var/log/squid3/access.log.
>
> But when I click one of the icons on this site that involves https, there is
> no response and I can't see any hit in the log.

 Port 443 on whichever IP you configured in the hosts file is not working.
 The config you just showed indicates Squid is not involved. The lack of
 log traces in squid confirms that.

>
> I know I can use https_port 443 to add the cert in Squid. But I want
> to configure this Squid server to serve different customers as a cache
> server, with their DNS pointing to this server. What I want to do is:
>
> 1. Cache the http service for different sites (now OK).
> 2. If a site involves an https service, let the traffic redirect to
> the original web server (no solution now).
> 3. If https_port can support multiple certs for different sites, cache
> the https sites (no solution now).
>
> Hope you can help.
>
> Regards,
> Gary
>
>
>
> 2011/5/1 Amos Jeffries:
>> On 01/05/11 15:41, Gary K wrote:
>>>
>>> Hi Amos,
>>>
>>> Thank you for your reply!
>>> Is there any method so that http, when received, goes to the squid
>>> cache, and https, when received, redirects to the web server directly?
>>>
>>
>> Multiple concepts clash in your statement...
>>  "squid cache" -> storage component of Squid
>>  "redirect" -> HTTP 301, 302, 303 or 307 message
>>  "web server direct" -> use global DNS to locate web service
>>
>>
>> The config I gave you earlier prevents Squid proxy using Squid cache
>> component to service the HTTPS requests.
>>
>>
>> Reverse proxy HTTPS can redirect to web server HTTP with:
>>  acl HTTPS proto HTTPS
>>  deny_info http://example.com/ HTTPS
>>  http_access deny HTTPS
>>
>>
>> Making Squid reverse proxy go direct to web servers instead of using
>> cache_peer is unsafe. Normal reverse proxy configuration has cache_peer
>> entries to pass the requests to web servers without using global DNS.
>>
>>
>>
>> Reading between the lines I suspect you mean passing HTTP traffic to
>> Squid and HTTPS not to Squid?
>>
>>  Reverse proxy has global DNS pointing a whole domain at Squid IP.
>> You can:
>>  (at DNS level) configure with a different domain
>>   (ie http://www.example.com/ and https://ssl.example.com/)
>> OR
>>  (at packet level) forward/route port 443 from the Squid box to the web
>> server box instead of configuring squid https_port.
>> OR
>>  (at service level) have Squid listening on port 80 and web server on
>> port 443 on the Squid box.
>>
>>
>> Any of this helpful?
Received on Mon May 02 2011 - 00:36:13 MDT
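As an added illustration (not configuration from this thread or from the Squid project), here is a reverse-proxy squid.conf that applies Amos's points to Gary's two-site setup: each origin peer gets its own explicit cache_peer_access allow/deny pair so the second peer does not silently become a backup for the first, and Squid listens on plain HTTP only. The origin IPs are constructed placeholders; the domains are the ones from the thread. The HTTPS acl/deny_info rule from the thread is left out because, with no https_port configured, port 443 never reaches Squid and the rule would never match.

```squid
# Added example, not from the thread: reverse proxy for two customer sites.
# Origin IPs are constructed placeholders (TEST-NET ranges).
#
# Squid only listens for plain HTTP here. With no https_port, port 443
# never reaches Squid, so HTTPS must be handled at the DNS, packet or
# service level as Amos describes; nothing in this file can act on it.
http_port 80 accel defaultsite=www.abc.com vhost

# One originserver peer per customer, named so ACLs can reference it.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=peer_abc
cache_peer 198.51.100.20 parent 80 0 no-query originserver name=peer_efg

# Map each peer to its own domain.
acl site_abc dstdomain www.abc.com
acl site_efg dstdomain www.efg.com

# Each peer gets an explicit allow for its domain and an explicit deny
# for everything else. The original config had no rules at all for the
# second peer, which is why it was only ever reachable as a fallback.
cache_peer_access peer_abc allow site_abc
cache_peer_access peer_abc deny all
cache_peer_access peer_efg allow site_efg
cache_peer_access peer_efg deny all

# Only accept requests for the sites being fronted; refuse everything
# else so the accelerator cannot be used as an open proxy.
http_access allow site_abc
http_access allow site_efg
http_access deny all

# Never resolve origins via global DNS; all traffic must go via a peer.
never_direct allow all
```

With this in place, a request for a domain that matches no peer is denied by http_access before any peer selection happens, and a request for www.efg.com can only ever be forwarded to peer_efg; access.log shows which peer served each request, which is the first thing to check when a site appears to bypass the proxy.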
