On 16/09/10 16:11, mikek wrote:
>
>
> Amos Jeffries-2 wrote:
>>
>> Close, there are some problems:
>>
>> https_port still needs accel and maybe vhost options to be a real
>> accelerator.
>>
>> always_direct prevents the cache_peer config ever being used.
>>
>> Is the public DNS that clients are connecting to xxxxx.appspot.com or
>> secure.xxxxx.com?
>>
>> You may need to add the forcedomain=xxxxx.appspot.com option to
>> cache_peer and remove the always_direct.
>>
>> Amos
>>
>
> Thanks very much Amos.
>
> The public clients are connecting to secure.xxxxx.com, and then squid is
> proxying the request to xxxxx.appspot.com.
>
> My understanding that to use vhost or accel with https_port, you needed a
> wildcard SSL cert, which I don't have. Is that right?
accel is just to turn on reverse-proxy mode so the partial URLs normally
only sent to web servers are accepted.
vhost is required for multiple domains, but can work just as well with a
single one being served. Just means Squid pulls the public domain name
the client is contacting from Host: header instead of making assumptions
from defaultsite=.
It helps the security checks if Squid can reject bogus requested
domains early.
>
> I'm not sure what you mean here: always_direct prevents the cache_peer
> config ever being used.
Before Squid starts figuring out where a MISS request is going to come
from it checks the always_direct list. If it matches then Squid skips
the cache_peer checks and goes straight to DNS to find out where the web
server is.
This is usually a bad idea in reverse-proxies, since the DNS will most
often be pointing at the proxy itself for the public visitors.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.8 Beta testers wanted for 3.2.0.2Received on Thu Sep 16 2010 - 13:32:49 MDT
This archive was generated by hypermail 2.2.0 : Thu Sep 16 2010 - 12:00:03 MDT