Re: [squid-users] reverse proxy

From: Ludovit Koren <ludovit_koren_at_tempest.sk>
Date: Tue, 08 Dec 2009 15:31:07 +0100 (CET)

Amos Jeffries <squid3_at_treenet.co.nz> writes:

> On Mon, 07 Dec 2009 17:59:22 +0100, Ludovit Koren
> <Ludovit_Koren_at_tempest.sk> wrote:
>> Hi,
>>
>> I have Debian Linux and Squid Version 2.7.STABLE3. As I understand
>> from the documentation, there was some change in the version and I did
>> not find relevant information on the net.
>
> NP: Please use the latest Squid version available, 2.7.STABLE7 is
> available in backports if you need to.
>
>>
>> I have the following scenario:
>>
>> client - https - squid - https - server1
>> client - https - squid - http - server2
>>
>
> Use this for reference:
> http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
>
>>
>> This is what I added to the squid.conf
>>
>> http_port 80 accel defaultsite=dflt1.domain.sk vhost
>
> This configures:
>
> Client - HTTP -> Squid.
>
> Which I note is missing from your specs. If your specs were right then
> drop this and only use the https_port directive below.
>

Yes, it is right. I am using it as a reverse proxy for both HTTP and HTTPS.

>
>> https_port 443 cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key defaultsite=dflt1.domain.sk vhost
>>
>> acl webmail dstdomain webmail.domain.sk
>>
>> cache_peer dflt1.domain.sk parent 80 0 no-query originserver
>
> Missing: name=dflt1
>
>

When I copied it, it got lost. I have the parameter there, sorry.

>> cache_peer dflt1.domain.sk parent 443 0 no-query ssl sslflags=DONT_VERIFY_PEER front-end-https name=dflt1
>
>> cache_peer webmail.domain.sk parent 80 0 no-query originserver name=dflt2
>>
>>
>> cache_peer_access dflt2 allow webmail
>
> Missing:
> cache_peer_access dflt2 deny all
>
> cache_peer_access dflt1 allow !webmail
>

I have added your suggested lines

> Also missing:
> * list of domains to be passed to dflt1
> * http_access lines to permit valid domain traffic to enter Squid.
>
>>
>> According to log the redirection is either all the time http or https
>> (if i add protocol=http to the configuration above):
>>
>> 1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET https://webmail.domain.sk/ - DIRECT/X.X.X.X text/html
>>
>>
>>
>> How can I configure squid as https reverse proxy and one page redirect to
>> the https backend server and the second page redirect to the http
>> backend server?
>
> What you had configured above is a reverse proxy which accepts both HTTP
> and HTTPS connections. Then passes all requests to dflt1.domain.sk:80.
>
> If dflt1.domain.sk:80 became available or overloaded the webmail.domain.sk
> traffic would be pushed to dflt1.domain.sk:443 and the non-webmail.*
> traffic would be dropped with an error.

As I posted above, the traffic is pushed to the correct host
(webmail.domain.sk), but to https, and I need it pushed to
http. Everything else is working as I expect...

Regards,

lk
Received on Tue Dec 08 2009 - 14:31:24 MST
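
The corrections discussed in this message, gathered into one squid.conf fragment for Squid 2.7. It is an added example, not configuration posted by either participant. The `DIRECT/` in the quoted log line means Squid contacted the origin itself instead of a `cache_peer`, following the scheme of the request URL. The peer names `dflt1_https` and `webmail_http`, the `dflt` ACL, the CA bundle path and the use of `never_direct` are assumptions.

```conf
# Added example; hostnames follow the thread, names and paths marked
# "assumed" are not from the original posts.
# Assumes the stock "acl all src all" line is still present in squid.conf.

# Client-facing ports: the proxy accepts both HTTP and HTTPS.
http_port 80 accel defaultsite=dflt1.domain.sk vhost
https_port 443 cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key defaultsite=dflt1.domain.sk vhost

# Only the published sites may enter Squid; everything else is refused.
acl webmail dstdomain webmail.domain.sk
acl dflt dstdomain dflt1.domain.sk          # assumed ACL name
http_access allow webmail
http_access allow dflt
http_access deny all

# One uniquely named peer per backend, so cache_peer_access is unambiguous.

# server1: Squid -> HTTPS backend, with the backend certificate verified
# against a CA bundle (assumed path).
cache_peer dflt1.domain.sk parent 443 0 no-query originserver ssl sslcafile=/etc/ssl/certs/backend-ca.pem front-end-https name=dflt1_https

# Weak form as posted in the thread: any certificate presented on the
# backend connection is accepted, so that hop is encrypted but not
# authenticated.
# cache_peer dflt1.domain.sk parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https name=dflt1_https

# server2: Squid -> plain HTTP backend for webmail.
cache_peer webmail.domain.sk parent 80 0 no-query originserver name=webmail_http

# Each peer takes its own domain and nothing else.
cache_peer_access webmail_http allow webmail
cache_peer_access webmail_http deny all
cache_peer_access dflt1_https allow dflt
cache_peer_access dflt1_https deny all

# Always forward through a cache_peer. Without this Squid may go DIRECT
# and reuse the client's https:// scheme toward the webmail host.
never_direct allow all
```

After a reload, an access.log entry for webmail.domain.sk that shows a peer hierarchy code with the peer name instead of `DIRECT/` confirms the request went through the HTTP peer.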
