Re: [squid-users] reverse proxy / virtual hosting

From: Dan DeLong <ddelong@dont-contact.us>
Date: Wed, 23 Jun 2004 08:29:42 -0400

Thank you all for your suggestions, unfortunately the SSL certs I use are
for domain names and websites owned by separate companies so I don't believe
sharing a cert is going to solve my problem. There were a lot of good
suggestions posted so thank you very much for the help.

Dan
----- Original Message -----
From: "Sunil S" <sunils@hpcl.co.in>
To: <fliot@kyriba.com>; <Chris.Perreault@Wiremold.com>
Cc: <squid-users@squid-cache.org>
Sent: Tuesday, June 22, 2004 6:01 PM
Subject: RE: [squid-users] reverse proxy / virtual hosting

> I had run several backend servers (with different hostnames under the
> same domain) to do:
> (client)https -> RP(squid 2.5) -> http(servers)
> some time back. And of course ran into the technical non-possibility of
> running all domain names on same IP/port with separate certificates.
>
> Work around used then was, using a single wild-card certificate for
> domain and use it for all sites/sub-domains ..... if it is acceptable
> for you to use shared certificates. Wild card certificates should not
> trigger errors at client side.
>
> Sunil
>
>
> >>> Francois Liot <fliot@kyriba.com> 06/22/04 06:51PM >>>
> I will try to be a bit clearer.
>
> Here is the picture :
> --TCP-------------SSL----------------------Encapsulated protocol
> (could be HTTP...)
>
> --IP:Port--Certificate used for handshake----deciphered protocol
>
> in case of HTTP, once deciphered you could indeed retrieve all HTTP
> header variables (as HTTP_HOST...).
>
> The problem is the following
> You can map a single certificate (by IP:Port) to try to obtain an SSL
> handshake.
>
> Then having on a single IP:Port (let's say yourmachine:443) several
> HTTPS answers possible is SSL non compliant (in fact doing an ugly job,
> you will do it, but using the same certificate for all your websites -
> user will see an error https://mysite1 is encrypted by https://mysite2
> certificate...)
>
> Just like I told you, Apache is suffering the same limitation (impossible
> to have HTTPS virtual servers on a single IP/Port)
>
> Regards
>
> Francois Liot
>
> On Tue, 2004-06-22 at 15:02, Chris Perreault wrote:
> > -----Original Message-----
> > From: Dan DeLong [mailto:ddelong@custdata.com]
> > Sent: Tuesday, June 22, 2004 8:42 AM
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] reverse proxy / virtual hosting
> >
> >
> > Hello,
> >
> > I currently have squid running as a reverse proxy. I have a number of squid
> > instances running to handle a number of different websites. Each squid
> > instance listens on its own IP address and handles the SSL cert for the
> > incoming web request. My goal is to have squid listen on one address to
> > handle multiple websites, in essence do virtual hosting. Can this be done
> > with squid? If so, can you provide any direction on how to set squid up to
> > do this?
> >
> > Thanks.
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~~~
> > ~~~~~~~~~~~~~~~~~~~~~~
> >
> > We are looking to set up the same environment here. Multiple back end
> > webservers being handled by a reverse proxy. Users would go to
> > www.ourcompany.com/extranet, www.ourcompany.com/intranet,
> > www.ourcompany.com/web2 etc., with a mapping created for each of those
> > various webservers. By default, www.ourcompany.com would send them to the
> > main webserver, a homegrown portal type web interface, with links to the
> > other webservers.
> >
> > On 2.5stable5 I accomplished this using squidguard as a redirector. The
> > problem we ran into was when we tried to add in ssl and ldap authentication,
> > so right now we are messing with squid-3.0.pre3. Yesterday we made good
> > progress (ie: no other issues got in the way and I got to work on this :))
> > and got the ldap authentication and ssl working, with it connecting to one
> > back end webserver... having defined that in the cache_peer and acl conf
> > lines. I'm hoping to have time, over the next few days, to get squidguard
> > working with this configuration. I'm sure what you want to do can be done,
> > and am pretty sure people have done it before. Documentation seems to be
> > lacking on exactly what steps were taken to do so though. Once I get this
> > figured out I'll post the conf file and what steps were taken so it aids
> > others. I've spent a lot of time researching this, over the last month or
> > two, but having only spent 2 months with squid I am far from an expert on
> > this. I got my company to fork over some cash to an outside consultant and
> > I've been real happy with the one we went with, who was listed on the
> > squid-cache.org site as those offering paid assistance. (no idea what the
> > protocol here is on offering plugs for a job well done, so I won't mention
> > which company we went with)
> >
> > If you want to get to the point where you just proxy the traffic to multiple
> > back end webservers, squidguard will do the trick for you. If you are up to
> > the task, you can write your own redirector program too. The
> > redirector_program conf line is where you add info in for that.
>
>
Received on Wed Jun 23 2004 - 06:30:33 MDT
