[squid-users] Reverse proxy HTTPS redirection before SSL cert has been read

From: David Benach <dbenach_at_inventiva.es>
Date: Mon, 11 Jun 2012 11:53:18 +0200

Hello all.

We have a squid 3.0.STABLE15 used as a reverse proxy on SUSE SLES 11
SP0. This squid serves Internet access to some of our portals. The
communication with the webservers is over HTTP and, for one of the
domains, squid serves an SSL certificate bought from a known CA.

At the moment everything works fine and we have no operational problems.

Now we need to enable HTTPS communication for another domain, but
without using (and buying) another SSL certificate, because we want to
change this URL in the browser to the one that already works correctly over HTTPS.

The URL redirection is working, but an ssl_error_bad_cert_domain
appears in the web browser because the SSL certificate has already been
read.
Is it possible to do the redirection before the SSL certificate has
been read? We have been searching for a solution with no positive
result. Can you help us?

This is an extract of the current configuration (the redirection works
but the cert error appears on the client):

http_port 80 vhost defaultsite=www.domain1.com
# https_port options must all be on one line (they were wrapped in the mail).
# Note: capath= expects a directory of CA certificates; a single file is given with cafile=.
https_port 443 vhost defaultsite=www.domain1.com key=/etc/ssl/certs/unencrypt_vsdomain1.key cert=/etc/ssl/certs/vsdomain1.cert capath=/etc/ssl/certs/intermediateCA.cert

acl http proto http
acl https proto https
acl port80 port 80
acl port443 port 443

############## HTTP access
#####################################################################################
acl web dstdomain .www.domain1.com
acl web dstdomain .www.domain2.com
cache_peer web parent 9991 0 no-query originserver name=dweb
cache_peer_access dweb allow web

############## HTTPS communication for HTTP
#######################################################################
acl myport443 myport 443
acl webes dstdomain www.domain2.com
http_access deny myport443 webes
deny_info https://www.domain1.com webes

acl web443 dstdomain .www.domain1.com
cache_peer web443 parent 9991 0 no-query originserver name=dweb443
cache_peer_access dweb443 allow web443

############## Access lists
#######################################################################################
http_access allow http port80 web
http_access allow https port443 web443
http_access deny all

Thank you very much for your help, and sorry for my bad English.

David Benach
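The error described above happens because the browser checks the certificate's names during the TLS handshake, before it sends the HTTP request that would receive the redirect. The following is an added example, not code from the post or from Squid: it reimplements the RFC 6125 hostname check a TLS client performs (SAN dNSName entries first, falling back to the CN only when there is no SAN; a single wildcard allowed only as the whole leftmost label) over constructed certificate dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. The certificate contents and the `missing_names` helper are assumptions used for illustration; they show which name the domain1 certificate would have to carry for www.domain2.com to get past the handshake at all.

```python
"""Hostname check a TLS client performs before any HTTP request is sent.

Constructed example (not from the squid-users post): the certificate
dictionaries below are made up, in the shape returned by
ssl.SSLSocket.getpeercert(), and the matching rules follow RFC 6125 as
browsers apply them. The check runs during the handshake, so a redirect
sent later over HTTP cannot undo a name mismatch.
"""


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (optionally '*.' as leftmost label) against hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # RFC 6125: wildcard only as the entire leftmost label, it must not
    # match across dots, and it must not cover a bare registrable domain.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> list:
    """Names a client considers: SAN dNSName entries, else the CN alone."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def matches_hostname(cert: dict, hostname: str) -> bool:
    """True if the client would accept this certificate for hostname."""
    return any(_dnsname_match(name, hostname) for name in cert_dns_names(cert))


def missing_names(cert: dict, hostnames) -> list:
    """Hostnames that would raise a bad-cert-domain error with this certificate."""
    return [host for host in hostnames if not matches_hostname(cert, host)]


# Constructed certificates (assumed contents, not the poster's real certificate).
DOMAIN1_CERT = {
    "subject": ((("commonName", "www.domain1.com"),),),
    "subjectAltName": (("DNS", "www.domain1.com"),),
}
SAN_CERT = {
    "subject": ((("commonName", "www.domain1.com"),),),
    "subjectAltName": (("DNS", "www.domain1.com"), ("DNS", "www.domain2.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain1.com"),),),
    "subjectAltName": (("DNS", "*.domain1.com"),),
}

if __name__ == "__main__":
    for host in ("www.domain1.com", "www.domain2.com"):
        verdict = "ok" if matches_hostname(DOMAIN1_CERT, host) else "ssl_error_bad_cert_domain"
        print(f"{host}: {verdict}")
    print("names the certificate would need to add:",
          missing_names(DOMAIN1_CERT, ["www.domain1.com", "www.domain2.com"]))
```

Run stand-alone, the script reports `www.domain2.com: ssl_error_bad_cert_domain` for the single-name certificate and lists `www.domain2.com` as the name that is missing. Since domain1.com and domain2.com are different registrable domains, a wildcard on one cannot cover the other; only a certificate whose SAN lists both names (or, on a Squid new enough to select certificates by SNI, a second certificate) removes the browser error.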
Received on Mon Jun 11 2012 - 09:53:23 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 11 2012 - 12:00:03 MDT