Re: [squid-users] SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 17 Sep 2010 23:17:53 +1200

On 17/09/10 19:32, Nikolaos Pavlidis wrote:
> Hello Amos, all,
>
> Thank you for your response. As far as understanding what you mean I do
> (thats something at least) but I fail to see how this will be syntaxed

Answers inline.

>
> My config is as follows please advise(this is not working of course):
>
> # NETWORK OPTIONS
> #
> -----------------------------------------------------------------------------
> http_port 80 accel defaultsite=www.domain.com vhost
> https_port 443 cert=/etc/squid/uob/sid_domain.crt
> key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca
> defaultsite=sid.domain.com vhost
>
> https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt
> key=/etc/squid/uob/helpdesk_domain.key
> cafile=/etc/squid/uob/helpdesk_domain.ca defaultsite=helpdesk.domain.com
> vhost

The public-facing IP address is needed to open multiple same-numbered ports.

(wrapped for easy reading)

https_port 10.0.0.1:443 accel vhost defaultsite=sid.domain.com
    cert=/etc/squid/uob/sid_domain.crt
    key=/etc/squid/uob/sid_domain.key
    cafile=/etc/squid/uob/sid_domain.ca

https_port 10.0.0.2:443 accel vhost defaultsite=helpdesk.domain.com
    cert=/etc/squid/uob/helpdesk_domain.crt
    key=/etc/squid/uob/helpdesk_domain.key
    cafile=/etc/squid/uob/helpdesk_domain.ca

> visible_hostname www.domain.com
> unique_hostname cache1.domain.com
> offline_mode off
> icp_port 3130
> request_body_max_size 32 MB
>
> # OPTIONS WHICH AFFECT THE CACHE SIZE
> #
> -----------------------------------------------------------------------------
> cache_mem 4096 MB
> maximum_object_size 8 MB
> maximum_object_size_in_memory 256 KB
>
> # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> #
> -----------------------------------------------------------------------------
> cache_dir aufs /var/cache/squid 61440 16 256
> emulate_httpd_log on
> logfile_rotate 100
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access.log combined

Just for my interest, how does forcing apache "common" format with
emulate_httpd_log mix with explicitly forcing a locally defined
"combined" format?
  Which one do you expect to be used in the log?

> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log

Only if you need it. Otherwise:
  cache_store_log none

> debug_options ALL,1,33,3,20,3

(space needed between each section,level option pair.)
debug_options ALL,1 33,3 20,3

>
> # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> #
> -----------------------------------------------------------------------------
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> # OPTIONS FOR TUNING THE CACHE
> #
> -----------------------------------------------------------------------------
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.css 1440 50% 2880 override-expire
> refresh_pattern -i \.swf 1440 50% 2880 ignore-reload override-expire

Missing:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 1440 50% 4320 override-expire
>
> # ACCESS CONTROLS
> #
> -----------------------------------------------------------------------------
>
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> upgrade_http0.9 deny shoutcast
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> # reverse-proxy configuration
> #
> -----------------------------------------------------------------------------
>
> cache_peer 194.80.213.28 sibling 80 3130 proxy-only no-digest
> no-netdb-exchange

(this is where the deny from itself comes in handy to block looping)

cache_peer_access 194.80.213.28 deny from_cache2
cache_peer_access 194.80.213.28 allow all

>
> cache_peer 10.1.62.230 parent 80 0 no-query originserver no-digest
> name=lhdl_cst_srv login=PASS
> acl sites_lhdl_cst dstdomain lhdl.cst.domain.com
> http_access allow sites_lhdl_cst
> cache_peer_access lhdl_cst_srv allow sites_lhdl_cst
> cache_peer_access lhdl_cst_srv deny from_cache2

missing "deny all" there.

>
>
> cache_peer 212.219.119.48 parent 443 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER no-digest name=beweb_srv_ssl login=PASS
> acl sites_beweb_ssl dstdomain sid.domain.com
> http_access allow sites_beweb_ssl
> cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
> cache_peer_access beweb_srv_ssl deny from_cache2
> cache_peer_access beweb_srv_ssl deny all

Either:
   cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
   cache_peer_access beweb_srv_ssl deny all

OR
   cache_peer_access beweb_srv_ssl deny from_cache2
   cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
   cache_peer_access beweb_srv_ssl deny all

...makes sense.

The first set is a shorter/faster version of what your current settings do.

The second set is what they look like they were intended to be (blocking
from sibling to that parent via here).

Same concept for the peer below.

>
> cache_peer 10.1.108.15 parent 443 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER no-digest name=helpdesk_srv_ssl login=PASS
> acl sites_helpdesk_ssl dstdomain helpdesk.domain.com
> http_access allow sites_helpdesk_ssl
> cache_peer_access helpdesk_srv_ssl allow sites_helpdesk_ssl
> cache_peer_access helpdesk_srv_ssl deny from_cache2
> cache_peer_access helpdesk_srv_ssl deny all
>
> # forward-proxy security restrictions
> #
> -----------------------------------------------------------------------------
<snip>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.8
   Beta testers wanted for 3.2.0.2
Received on Fri Sep 17 2010 - 11:18:00 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 17 2010 - 12:00:03 MDT
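An added example (not part of the thread, and not Squid's own code): a small Python model of Squid's first-match evaluation of cache_peer_access lines, run against the orderings Amos lists for beweb_srv_ssl and against the lhdl_cst_srv block that has no trailing "deny all". It assumes from_cache2 is defined as "acl from_cache2 src 194.80.213.28" (the real definition is in the snipped part of the config), uses 203.0.113.5 as a constructed client address, and models only the src and dstdomain ACL types.

```python
"""Model of Squid's first-match access-list evaluation for cache_peer_access.

Added example for the squid-users thread above; not code from Squid or from
the thread. Squid semantics reproduced here: lines are tried in order, the
first line whose ACLs all match decides, and if no line matches the result
is the opposite of the last line's action.
"""
import ipaddress
from dataclasses import dataclass

# Constructed ACL definitions. from_cache2 is an assumption: the thread
# snipped the section that defines it, so it is modelled as the sibling's IP.
ACLS = """\
acl all src all
acl from_cache2 src 194.80.213.28
acl sites_beweb_ssl dstdomain sid.domain.com
acl sites_lhdl_cst dstdomain lhdl.cst.domain.com
"""

# beweb_srv_ssl as posted: the sibling is only denied for requests that the
# first line did not already allow.
POSTED = ACLS + """\
cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
cache_peer_access beweb_srv_ssl deny from_cache2
cache_peer_access beweb_srv_ssl deny all
"""

# The shorter/faster form Amos says is equivalent to POSTED.
SHORT = ACLS + """\
cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
cache_peer_access beweb_srv_ssl deny all
"""

# What was intended: block the sibling before anything is allowed.
INTENDED = ACLS + """\
cache_peer_access beweb_srv_ssl deny from_cache2
cache_peer_access beweb_srv_ssl allow sites_beweb_ssl
cache_peer_access beweb_srv_ssl deny all
"""

# lhdl_cst_srv as posted: no trailing "deny all".
NO_DENY_ALL = ACLS + """\
cache_peer_access lhdl_cst_srv allow sites_lhdl_cst
cache_peer_access lhdl_cst_srv deny from_cache2
"""


@dataclass(frozen=True)
class Request:
    src: str        # client address the request arrived from
    dstdomain: str  # host the request is for


def parse_conf(text):
    """Return ({acl name: (type, [values])}, {peer: [(action, [acl names])]})."""
    acls, rules = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "cache_peer_access":
            rules.setdefault(parts[1], []).append((parts[2], parts[3:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True if the named ACL (optionally negated with '!') matches the request."""
    negate = name.startswith("!")
    acltype, values = acls[name.lstrip("!")]
    if acltype == "src":
        hit = any(v == "all" or ipaddress.ip_address(req.src)
                  in ipaddress.ip_network(v, strict=False) for v in values)
    elif acltype == "dstdomain":
        # Squid: "foo.com" matches only that host; ".foo.com" also matches subdomains.
        hit = any(req.dstdomain == v.lstrip(".") or
                  (v.startswith(".") and req.dstdomain.endswith(v)) for v in values)
    else:
        raise ValueError(f"acl type {acltype!r} not modelled (src/dstdomain only)")
    return hit != negate


def decide(conf_text, peer, src, dstdomain):
    """First-match decision on whether `peer` may be used for this request."""
    acls, rules = parse_conf(conf_text)
    req = Request(src, dstdomain)
    peer_rules = rules.get(peer)
    if not peer_rules:
        return "allow"  # no cache_peer_access lines: the peer is usable for anything
    for action, names in peer_rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action
    # Nothing matched: Squid's default is the opposite of the last line's action.
    return "allow" if peer_rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    # 203.0.113.5 is a constructed (TEST-NET) client address.
    cases = [("194.80.213.28", "sid.domain.com"),
             ("203.0.113.5", "sid.domain.com"),
             ("203.0.113.5", "other.domain.com")]
    for label, conf, peer in [("posted", POSTED, "beweb_srv_ssl"),
                              ("short", SHORT, "beweb_srv_ssl"),
                              ("intended", INTENDED, "beweb_srv_ssl"),
                              ("no deny all", NO_DENY_ALL, "lhdl_cst_srv")]:
        for src, dst in cases:
            print(f"{label:12} {src:15} {dst:18} -> {decide(conf, peer, src, dst)}")
```

Running it prints one decision per ordering and request. The posted and short orderings both hand a sibling request for sid.domain.com to the parent (the "deny from_cache2" line is never reached), only the intended ordering refuses it, and the lhdl_cst_srv block without "deny all" still selects that parent for a client request to an unrelated domain, because with no matching line Squid returns the opposite of the last line's action.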