On 11/06/2012 9:53 p.m., David Benach wrote:
> Hello all.
>
> We have a squid 3.0.STABLE15 used as a reverse proxy on a SUSE SLES 11
> SP0. This squid serves the Internet access to some of our portals. The
> communication with the webservers is in HTTP and, for one of the
> domains, the squid serves an SSL certificate bought from a known CA.
>
> At the moment, all works fine and we have no problems with operation.
>
> Now, we need to enable HTTPS communication from another domain but
> without using (and buying) another SSL certificate, because we want to
> replace this URL in the browser with the one that works in HTTPS correctly.
>
> The URL redirection is going well, but an ssl_error_bad_cert_domain
> appears in the web browser because the SSL certificate has been read
> before.
> Is it possible to do the redirection before the SSL certificate has
> been read? We have been searching for a solution with no positive
> result. Can you help us?
No. The connection setup has a specific order:
* TCP handshake
* TLS certificate exchange
- (connection is now ready for use)
* HTTP request
* HTTP response (redirect)
...
You cannot place the redirect before the HTTP request, and that request
requires the TLS handshake to be completed first.
>
> This is an extract of the actual configuration (the redirection works
> but the cert error appears on the client):
>
> http_port 80 vhost defaultsite=www.domain1.com
> https_port 443 vhost defaultsite=www.domain1.com key=/etc/ssl/certs/unencrypt_vsdomain1.key cert=/etc/ssl/certs/vsdomain1.cert capath=/etc/ssl/certs/intermediateCA.cert
All domains served by Squid on port 443 are sharing this one certificate.
You can make the certificate a wildcard certificate covering multiple
sub-domains. Or open several specific IP:port for Squid to listen on
with different certificates. One domain resolving to each of those
IP:port's.
Amos
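Added example (not from the thread or the Squid project) of the second option described above: one https_port per listening address, each carrying its own certificate. Only the key= and cert= options from the configuration quoted in the thread are carried over; the addresses 192.0.2.10 and 192.0.2.11, the name www.domain2.com and the domain2 file paths are placeholders.

```squid
# Added example, not the poster's configuration.
# Each HTTPS hostname gets its own listening address and its own
# certificate, so the certificate presented during the TLS handshake
# already matches the name the browser asked for. Addresses, hostnames
# and domain2 paths are placeholders.

http_port 80 vhost defaultsite=www.domain1.com

# www.domain1.com must resolve (in DNS) to 192.0.2.10
https_port 192.0.2.10:443 vhost defaultsite=www.domain1.com key=/etc/ssl/certs/unencrypt_vsdomain1.key cert=/etc/ssl/certs/vsdomain1.cert

# www.domain2.com must resolve (in DNS) to 192.0.2.11 and gets its own certificate
https_port 192.0.2.11:443 vhost defaultsite=www.domain2.com key=/etc/ssl/certs/unencrypt_vsdomain2.key cert=/etc/ssl/certs/vsdomain2.cert
```

The wildcard option from the reply only helps when both names sit under the same parent domain: a certificate for *.domain1.com matches www.domain1.com and shop.domain1.com, but not www.domain2.com and not a name two labels deep such as a.b.domain1.com. For two unrelated domains, a separate listening address and certificate per domain, as above, is the approach that avoids the ssl_error_bad_cert_domain the poster saw.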
Received on Mon Jun 11 2012 - 10:39:57 MDT