Google
  Web www.spinics.net

Re: Re: https bypass squid cache in reverse proxy mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 
On Sun, 1 May 2011 23:22:26 +0800, Gary K wrote:

Hi Amos,

Thank you for your response.

The following is is my configuration:

http_port 80 accel defaultsite=www.abc.com
cache_peer 202.x.x.x parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain www.abc.com
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all


So all traffic arriving on port 80 will be sent to 202.x.x.x.



acl HTTPS proto HTTPS
deny_info http://www.efg.com/ HTTPS
http_access deny HTTPS

cache_peer 75.x.x.x parent 80 0 no-query originserver name=myserver1
acl sites_myserver1 dstdomain www.efg.com
None of these will be used with the mentioned http_port settings. Reverse-proxy will only get traffic on its port 80 (HTTP). The main 202.* peer is likely up, so the backup 75.* will not be used (no access rules to say when 75.* applies therefore its available as a backup). 



I change my host file in window and connect to http://www.efg.com is
no problem and can see the log in /var/log/squid3/access.log.

But when i click  one of the icon in this site is involved https, no
response and I can see any a hit in the log.
port 443 on whichever IP you configured in hosts file is not working. The config you just showed indicates Squid is not involved. The lack of log traces in squid confirms that. 



I know i can use https_port 443 to add the cert in squid. But I want
to config this squid server to serve different customers as a cache
server and their dns porint to this server. What I want to do is:

1.  Cache the http service for different site ( now is OK)
2.  if this site involve https service, let the traffice redirect to
the original web server ( no solution now).
3. if https_port can support multiple cert for different sites. cache 
the https sites. (no solution now).

Hope you can help.

Regards,
Gary



2011/5/1 Amos Jeffries:

On 01/05/11 15:41, Gary K wrote:


Hi Amos,

Thank you for your reply!
Any method when received http go to squid cache, when received https 
redirect to web server directly?



Multiple concepts clash in your statement...
Â"squid cache" -> storage component of Squid
Â"redirect" -> HTTP 301, 302, 303 or 307 message
Â"web server direct" -> use global DNS to locate web service


The config I gave you earlier prevents Squid proxy using Squid cache
component to service the HTTPS requests.


Reverse proxy HTTPS can redirect to web server HTTP with:
Âacl HTTPS proto HTTPS
Âdeny_info http://example.com/ HTTPS
Âhttp_access deny HTTPS


Making Squid reverse proxy go direct to web servers instead of using
cache_peer is unsafe. Normal reverse proxy configuration has cache_peer entires to pass the requests to web servers without using global DNS.
Reading between the lines I suspect you mean passing HTTP traffic to Squid 
and HTTPS not to Squid?
ÂReverse proxy has gobal DNS pointing a whole domain at Squid IP. You can: 
Â(at DNS level) configure with a different domain
 (ie http://www.example.com/ and https://ssl.example.com/)
OR
Â(at packet level) forward/route port 443 from Squid box to the web server 
box instead of configuring squid https_port.
OR
Â(at service level) have Squid listening on port 80 and web server on port 
443 on the Squid box.


Any of this helpful?

[Linux Audio Users]     [Photo]     [Yosemite News]     [Samba]     [Video Projectors]     [Video Devices]     [Big List of Linux Books]     [LCD TVs]     [Webcams]     [Linux USB]

  Powered by Linux