Amos Jeffries <squid3_at_treenet.co.nz> writes:
> On Tue, 08 Dec 2009 15:31:07 +0100 (CET), Ludovit Koren
> <ludovit_koren_at_tempest.sk> wrote:
>> Amos Jeffries <squid3_at_treenet.co.nz> writes:
>>
>>> On Mon, 07 Dec 2009 17:59:22 +0100, Ludovit Koren
>>> <Ludovit_Koren_at_tempest.sk> wrote:
>>>> Hi,
>>>>
>>>> I have Debian Linux and Squid Version 2.7.STABLE3. As I understand
>>>> from the documentation, there was some change in the version and I did
>>>> not find relevant information on the net.
>>>
>>> NP: Please use the latest Squid version available, 2.7.STABLE7 is
>>> available in backports if you need to.
>>>
>>>>
>>>> I have the following scenario:
>>>>
>>>> client - https - squid - https - server1
>>>> client - https - squid - http - server2
>>>>
>>>
>>> Use this for reference:
>>> http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
>>>
>>>>
>>>> This is what I added to the squid.conf
>>>>
>>>> http_port 80 accel defaultsite=dflt1.domain.sk vhost
>>>
>>> This configures:
>>>
>>> Client - HTTP -> Squid.
>>>
>>> Which I note is missing from your specs. If your specs were right then
>>> drop this and only use the https_port directive below.
>>>
>>
>> yes, it is right. I am using it as reverse proxy for both HTTP and HTTPS
>>
>>>
>>>> https_port 443 cert=/etc/squid/ssl.crt key=/etc/squid/ssl.key
>>>> defaultsite=dflt1.domain.sk vhost
>>>>
>>>> acl webmail dstdomain webmail.domain.sk
>>>>
>>>> cache_peer dflt1.domain.sk parent 80 0 no-query originserver
>>>
>>> Missing: name=dflt1
>>>
>>>
>>
>> when I copied it, it has lost, I have the parameter there, sorry
>>
>>>> cache_peer dflt1.domain.sk parent 443 0 no-query ssl
>>>> sslflags=DONT_VERIFY_PEER front-end-https
>>>> name=dflt1
>>>
>>>> cache_peer webmail.domain.sk parent 80 0 no-query originserver
>>> name=dflt2
>>>>
>>>>
>>>> cache_peer_access dflt2 allow webmail
>>>
>>> Missing:
>>> cache_peer_access dflt2 deny all
>>>
>>> cache_peer_access dflt1 allow !webmail
>>>
>>
>> I have added your suggested lines
>>
>>> Also missing:
>>> * list of domains to be passed to dflt1
>>> * http_access lines to permit valid domain traffic to enter Squid.
>>>
>>>>
>>>> According to log the redirection is either all the time http or https
>>>> (if i add protocol=http to the configuration above):
>>>>
>>>> 1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET
>>>> https://webmail.domain.sk/ - DIRECT/
>>>> X.X.X.X text/html
>>>>
>>>>
>>>>
>>>> How can I configure squid as https reverse proxy and one page redirect
>>> to
>>>> the https backend server and the second page redirect to the http
>>>> backend server?
>>>
>>> What you had configured above is a reverse proxy which accepts both
> HTTP
>>> and HTTPS connections. Then passes all requests to dflt1.domain.sk:80.
>>>
>>> If dflt1.domain.sk:80 became available or overloaded the
>>> webmail.domain.sk
>>> traffic would be pushed to dflt1.domain.sk:443 and the non-webmail.*
>>> traffic would be dropped with an error.
>>
>> As I posted above, the traffic is pushed to correct host
>> (webmail.domain.sk), but to the https and I need it to push to
>> http. Everything else is working as I expect...
>>
>>
>> Regards,
>>
>> lk
>
> Sorry I overlooked that you had two dflt1.* links; name= MUST be unique
> for each cache_peer line.
>
> So...
>
> cache_peer dflt1.domain.sk parent 80 0 no-query originserver
> name=dflt1-80
> cache_peer dflt1.domain.sk parent 443 0 no-query ssl
> sslflags=DONT_VERIFY_PEER front-end-https name=dflt1-443
>
> acl HTTP proto HTTP
> cache_peer_access dflt1-80 allow HTTP !webmail
> cache_peer_access dflt1-80 deny all
>
> acl HTTPS proto HTTPS
> cache_peer_access dflt1-443 allow HTTPS !webmail
> cache_peer_access dflt1-443 deny all
>
I must miss something. I have edited and added everything you wrote
and still I get above line:
1260203474.257 116 Y.Y.Y.Y TCP_MISS/502 1439 GET https://webmail.domain.sk/ - DIRECT/X.X.X.X text/html
and not http://webmail.domain.sk/
lk
Received on Wed Dec 09 2009 - 12:43:03 MST
This archive was generated by hypermail 2.2.0 : Thu Dec 10 2009 - 12:00:01 MST