Bonjour,
I'm stuck with a reverse proxy config.
I have one http server with 5 sites (http) and 2 https, 1 OWA & RPC
server which also serves logos on port 80.
What I want to do :
(I'm bad at ASCII art, but i give it a try :)
WWW ---- iptables/DNAT --- SQUID --- http 1
--- http 2 ...
--- https 1 --- http (acl A_gi)
--- https 2
--- OWA
I wrote this config file, and http seem's OK, but i don't understand
the way https works. I follow the doc at :
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
but it give 1 certificate for 2 sites, and thus the certificat is not
valid when i access the sites.
In the graphic, https 1 has a page with a frame which contains a page
in an other server which is accessed with http (not s).
Thank you for any help.
=== squid.conf ===
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 172.25.53.0/24
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
include /etc/squid/squid.accel.conf
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir ufs /cache 100 16 256
cache_mem 100 MB
maximum_object_size_in_memory 10240 KB
=== end squid.conf ===
=== squid.accel.conf ===
## Sites http
http_port 80 accel defaultsite=A vhost
cache_peer 192.168.13.10 parent 80 0 no-query no-digest originserver
name=serveur1 login=PASS
acl sites_serveur1 dstdomain A B C D E
http_access allow sites_serveur1
cache_peer_access serveur1 allow sites_serveur1
cache_peer_access serveur1 deny all
http_access allow sites_serveur1
miss_access allow sites_serveur1
## Sites https
https_port 443 cert=/usr/local/newrprgate/CertAuth/testcert.cert \
key=/usr/local/newrprgate/CertAuth/testkey.pem defaultsite=G vhost
acl A_gi urlpath_regex ^/cgams
acl sites_cgams dstdomain G H
cache_peer 192.168.13.10 parent 443 0 no-query no-digest originserver
name=cgams login=PASS cache_peer_access cgams deny A_gi
cache_peer_access cgams allow sites_cgams
cache_peer 192.168.1.21 parent 80 0 no-query no-digest originserver
forceddomain=dom name=gi cache_peer_access gi allow A_gi
cache_peer_access gi deny all
http_access allow sites_cgams
miss_access allow sites_cgams
## Sites OWA
cache_peer 192.168.13.44 parent 80 0 no-query no-digest originserver
name=xxx80 cache_peer 192.168.13.44 parent 443 0 no-query no-digest
originserver connection-auth=on login=PASS front-end-https=on name=xxx
acl OWA dstdomain F
cache_peer_access xxx allow OWA
cache_peer_access xxx80 allow OWA
never_direct allow OWA
http_access allow OWA
miss_access allow OWA
=== squid.accel.conf ===
Received on Fri Mar 25 2011 - 09:11:28 MDT
This archive was generated by hypermail 2.2.0 : Fri Mar 25 2011 - 12:00:03 MDT