On Tue, 08 Dec 2009 15:31:07 +0100 (CET), Ludovit Koren
<ludovit_koren_at_tempest.sk> wrote:
> Amos Jeffries <squid3_at_treenet.co.nz> writes:
>
>> On Mon, 07 Dec 2009 17:59:22 +0100, Ludovit Koren
>> <Ludovit_Koren_at_tempest.sk> wrote:
>>> Hi,
>>>
>>> I have Debian Linux and Squid Version 2.7.STABLE3. As I understand
>>> from the documentation, there was some change in the version and I did
>>> not find relevant information on the net.
>>
>> NP: Please use the latest Squid version available, 2.7.STABLE7 is
>> available in backports if you need to.
>>
>>>
>>> I have the following scenario:
>>>
>>> client - https - squid - https - server1
>>> client - https - squid - http - server2
>>>
>>
>> Use this for reference:
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
>>
>>>
>>> This is what I added to the squid.conf
>>>
>>> http_port 80 accel defaultsite=dflt1.domain.sk vhost
>>
>> This configures:
>>
>> Client - HTTP -> Squid.
>>
>> Which I note is missing from your specs. If your specs were right then
>> drop this and only use the https_port directive below.
>>
>
> yes, it is right. I am using it as reverse proxy for both HTTP and HTTPS
>
>>
>>> https_port 443 cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key
>>> defaultsite=dflt1.domain.sk vhost
>>>
>>> acl webmail dstdomain webmail.domain.sk
>>>
>>> cache_peer dflt1.domain.sk parent 80 0 no-query originserver
>>
>> Missing: name=dflt1
>>
>>
>
> when I copied it, it has lost, I have the parameter there, sorry
>
>>> cache_peer dflt1.domain.sk parent 443 0 no-query ssl
>>> sslflags=DONT_VERIFY_PEER front-end-https
>>> name=dflt1
>>
>>> cache_peer webmail.domain.sk parent 80 0 no-query originserver
>> name=dflt2
>>>
>>>
>>> cache_peer_access dflt2 allow webmail
>>
>> Missing:
>> cache_peer_access dflt2 deny all
>>
>> cache_peer_access dflt1 allow !webmail
>>
>
> I have added your suggested lines
>
>> Also missing:
>> * list of domains to be passed to dflt1
>> * http_access lines to permit valid domain traffic to enter Squid.
>>
>>>
>>> According to log the redirection is either all the time http or https
>>> (if i add protocol=http to the configuration above):
>>>
>>> 1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET
>>> https://webmail.domain.sk/ - DIRECT/
>>> X.X.X.X text/html
>>>
>>>
>>>
>>> How can I configure squid as https reverse proxy and one page redirect
>> to
>>> the https backend server and the second page redirect to the http
>>> backend server?
>>
>> What you had configured above is a reverse proxy which accepts both
HTTP
>> and HTTPS connections. Then passes all requests to dflt1.domain.sk:80.
>>
>> If dflt1.domain.sk:80 became available or overloaded the
>> webmail.domain.sk
>> traffic would be pushed to dflt1.domain.sk:443 and the non-webmail.*
>> traffic would be dropped with an error.
>
> As I posted above, the traffic is pushed to correct host
> (webmail.domain.sk), but to the https and I need it to push to
> http. Everything else is working as I expect...
>
>
> Regards,
>
> lk
Sorry I overlooked that you had two dflt1.* links; name= MUST be unique
for each cache_peer line.
So...
cache_peer dflt1.domain.sk parent 80 0 no-query originserver
name=dflt1-80
cache_peer dflt1.domain.sk parent 443 0 no-query ssl
sslflags=DONT_VERIFY_PEER front-end-https name=dflt1-443
acl HTTP proto HTTP
cache_peer_access dflt1-80 allow HTTP !webmail
cache_peer_access dflt1-80 deny all
acl HTTPS proto HTTPS
cache_peer_access dflt1-443 allow HTTPS !webmail
cache_peer_access dflt1-443 deny all
Amos
Received on Wed Dec 09 2009 - 01:01:09 MST
This archive was generated by hypermail 2.2.0 : Wed Dec 09 2009 - 12:00:01 MST