Re: [squid-users] ssl redirections

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 16 Jun 2005 17:47:23 +0200 (CEST)

On Thu, 16 Jun 2005, Laurikainen, Tuukka wrote:

> I apologize if this has been asked before (I assume so), but I haven't been able to find any good explanations from the archives.
>
> http_port squid-ip:80
> https_port squid-ip:443 cert=path/to/cert key=path/to/key
> https_port other-squid-ip:443 cert=path/to/cert key=path/to/key
> httpd_accel_host virtual
> httpd_accel_port 0
>
> In jesred rules I have these two rules for testing:
>
> regexi ^https://squid-ip/tst/(.*) https://server-ip:443/\1 ^https://squid-ip/tst
>
> regexi ^http://squid-ip/tst/(.*) http://server-ip/\1 ^http://squid-ip/tst

Please note that the reconstructed URL in squid-2.5 is still http:// even
if the request was accepted on an https_port. But thanks to
httpd_accel_port 0 you should be able to identify the requests in the
redirector.

> With this configuration if a client tries to access https://squid-ip/tst/index.html, squid answers with Read Error (104) Connection reset by peer.
>
> From the cache.log I get this:
>
> 2005/06/16 09:42:03| clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request (1/-1)

See your access.log...

> If I understand right, squid is receiving an http request, while waiting for an https, or did I get it totally wrong?

You are correct.

Likely cause:

a) You do not have access controls limiting what may be accessed via your
reverse proxy (open proxy).

b) The URL issue mentioned above, causing your redirector rules to not
match the requested URL.

Regards
Henrik
Received on Thu Jun 16 2005 - 09:47:25 MDT
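
Added example, not part of the original message and not code from Squid or jesred: a minimal redirector helper in Python for the URL issue described in the reply. It assumes that with httpd_accel_port 0 the accepting port shows up in the reconstructed URL (a request on the https_port arrives as http://squid-ip:443/...), and it reuses the post's squid-ip and server-ip as placeholder names.

```python
import sys
from urllib.parse import urlsplit

# Placeholders taken from the post; replace with real addresses.
FRONT_HOST = "squid-ip"
BACKEND_HOST = "server-ip"
PREFIX = "/tst/"
HTTPS_PORT = 443  # assumption: the https_port from the posted config


def rewrite(line):
    """Return the rewritten URL, or "" to leave the request unchanged.

    Input is one squid-2.5 redirector line: "URL ip/fqdn ident method".
    """
    fields = line.split()
    if not fields:
        return ""
    parts = urlsplit(fields[0])
    # squid-2.5 hands over http:// even for https_port requests, so a
    # rule anchored on ^https:// never matches; match on http:// only.
    if parts.scheme != "http" or parts.hostname != FRONT_HOST:
        return ""
    if not parts.path.startswith(PREFIX):
        return ""
    try:
        port = parts.port or 80
    except ValueError:  # malformed port in the URL
        return ""
    rest = parts.path[len(PREFIX):]
    if parts.query:
        rest += "?" + parts.query
    # Assumption: the port in the URL is the port the request came in on.
    if port == HTTPS_PORT:
        return f"https://{BACKEND_HOST}:443/{rest}"
    if port == 80:
        return f"http://{BACKEND_HOST}/{rest}"
    return ""  # any other port: do not rewrite


if __name__ == "__main__":
    # Redirector loop: one answer line per request line, flushed at once.
    for request in sys.stdin:
        sys.stdout.write(rewrite(request) + "\n")
        sys.stdout.flush()
```

Requests that match no rule get an empty answer, so the redirector changes nothing for them; restricting what may be requested through the accelerator is still the job of the http_access rules.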
