Re: [squid-users] reverse proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 08 Dec 2009 11:29:31 +1300

On Mon, 07 Dec 2009 17:59:22 +0100, Ludovit Koren
<Ludovit_Koren_at_tempest.sk> wrote:
> Hi,
>
> I have Debian Linux and Squid Version 2.7.STABLE3. As I understand
> from the documentation, there was some change in the version and I did
> not find relevant information on the net.

NP: Please use the latest Squid version available; 2.7.STABLE7 is
available in backports if you need it.

>
> I have the following scenario:
>
> client - https - squid - https - server1
> client - https - squid - http - server2
>

Use this for reference:
  http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting

>
> This is what I added to the squid.conf
>
> http_port 80 accel defaultsite=dflt1.domain.sk vhost

This configures:

 Client - HTTP -> Squid.

Which I note is missing from your specs. If your specs were right then
drop this and only use the https_port directive below.

> https_port 443 cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key
> defaultsite=dflt1.domain.sk vhost
>
> acl webmail dstdomain webmail.domain.sk
>
> cache_peer dflt1.domain.sk parent 80 0 no-query originserver

Missing: name=dflt1

> cache_peer dflt1.domain.sk parent 443 0 no-query ssl
> sslflags=DONT_VERIFY_PEER front-end-https
> name=dflt1

> cache_peer webmail.domain.sk parent 80 0 no-query originserver name=dflt2
>
>
> cache_peer_access dflt2 allow webmail

Missing:
   cache_peer_access dflt2 deny all

   cache_peer_access dflt1 allow !webmail

Also missing:
  * list of domains to be passed to dflt1
  * http_access lines to permit valid domain traffic to enter Squid.

>
> According to log the redirection is either all the time http or https
> (if i add protocol=http to the configuration above):
>
> 1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET
> https://webmail.domain.sk/ - DIRECT/
> X.X.X.X text/html
>
>
>
> How can I configure squid as https reverse proxy and one page redirect to
> the https backend server and the second page redirect to the http
> backend server?

What you had configured above is a reverse proxy which accepts both HTTP
and HTTPS connections, then passes all requests to dflt1.domain.sk:80.

If dflt1.domain.sk:80 became available or overloaded the webmail.domain.sk
traffic would be pushed to dflt1.domain.sk:443 and the non-webmail.*
traffic would be dropped with an error.

Amos
Received on Mon Dec 07 2009 - 22:36:27 MST
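A consolidated squid.conf for the scenario in the question, written as an added example (not from the thread above or from the Squid project) that applies the points raised in the reply: it assumes dflt1.domain.sk is the HTTPS backend on port 443, webmail.domain.sk the HTTP backend on port 80, and keeps the poster's certificate paths and sslflags=DONT_VERIFY_PEER only as placeholders to be replaced.

```conf
# Assumed layout (from the poster's scenario):
#   client -https-> squid -https-> dflt1.domain.sk:443
#   client -https-> squid -http--> webmail.domain.sk:80
# Only HTTPS is accepted from clients, so no http_port 80 is defined.
https_port 443 accel cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key \
    defaultsite=dflt1.domain.sk vhost

# Sites this accelerator is allowed to serve; every other Host is refused
# at the door rather than being forwarded anywhere.
acl webmail    dstdomain webmail.domain.sk
acl dflt1site  dstdomain dflt1.domain.sk
acl our_sites  dstdomain webmail.domain.sk dflt1.domain.sk

http_access allow our_sites
http_access deny all

# Backend 1: HTTPS origin. DONT_VERIFY_PEER is the poster's setting and
# disables checking of the backend certificate; in production replace it
# with a CA file (sslcafile=/path/to/backend-ca.pem, placeholder path) so
# the backend is verified.
cache_peer dflt1.domain.sk parent 443 0 no-query originserver ssl \
    sslflags=DONT_VERIFY_PEER front-end-https name=dflt1

# Backend 2: plain HTTP origin. name= is required so cache_peer_access
# can refer to it.
cache_peer webmail.domain.sk parent 80 0 no-query originserver name=dflt2

# Route by Host: each peer gets only its own domain and denies the rest.
cache_peer_access dflt2 allow webmail
cache_peer_access dflt2 deny all
cache_peer_access dflt1 allow dflt1site
cache_peer_access dflt1 deny all

# Never fall back to fetching the origin directly; a request that matches
# no peer should error out instead of producing the DIRECT/ 502 seen in
# the poster's access.log.
never_direct allow all
```

Run `squid -k parse` (or `squid -k check`) after editing to catch syntax errors before reloading.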
