RE: [squid-users] Did request come via SSL?

From: Jeff Tharp <jtharp@dont-contact.us>
Date: Tue, 22 May 2007 11:23:58 -0700

Here's how I tackled this issue...I set up two virtual hosts in Apache,
then did the following in my Squid.conf:

acl httpreq port 80
acl httpsreq port 443

cache_peer 127.0.0.1 parent 8100 0 no-query originserver login=PASS name=nonsecure
cache_peer 127.0.0.1 parent 8101 0 no-query originserver login=PASS name=secure

cache_peer_access nonsecure allow httpreq
cache_peer_access nonsecure deny httpsreq
cache_peer_access secure allow httpsreq
cache_peer_access secure deny httpreq

http_port 80 vhost
https_port X.X.X.X:443 cert=/etc/squid/ssl/castest.crt key=/etc/squid/ssl/castest.key defaultsite=castest.esri.com

etc...
(where X.X.X.X is the real IP used on the box for this particular SSL
site)

Apache config bits:
Listen 8100
Listen 8101
NameVirtualHost *:8100
NameVirtualHost *:8101

In this case, Apache runs on the same box as Squid, but on port 8100
(non-secure virtual host) and 8101 (secure virtual host). I then have
Apache also configured as a reverse proxy and use name-based virtual
hosts on both ports. In this manner, I have several sites hosted
through one set of reverse proxies and each site can have a different
config for SSL versus non-SSL portions of the site.

As to why we use both Squid and Apache for our reverse proxy, I prefer
using Squid for caching, but I use Apache for doing any mod_proxy or
mod_rewrite mojo and to filter requests through ModSecurity.

Jeff Tharp
System Administrator
ESRI, Redlands, CA
http://www.esri.com

> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
> Sent: Monday, May 21, 2007 3:30 PM
> To: Grant McLean
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Did request come via SSL?
>
> tis 2007-05-22 klockan 10:02 +1200 skrev Grant McLean:
> > Hi All
> >
> > I'm setting up Squid for the first time, in accelerator mode in front of
> > an Apache/mod_perl app. Squid is listening on both port 80 (HTTP) and
> > port 443 (HTTPS). The basics (including SSL cert stuff) are working but
> > I've hit a bit of a road block.
> >
> > Is there any way to tell that a particular request came in on the SSL
> > port?
>
> Yes.
>
> To have this forwarded to the backend server see the front-end-https
> cache_peer option.
>
> To detect this within Squid see the myport acl, or alternatively the
> proto acl (but see below).
>
> > It would be even better if I could achieve the redirect magic using a
> > squid redirector script, but once again, there doesn't seem to be
> > sufficient information passed to the redirector for it to know if the
> > request came over a secure channel.
>
> Well, for browsers you have the protocol. https vs http.
>
> But technically an http client could send a fully qualified https:// URI
> without using SSL if they insist on it, so it's not a 100% indication
> that the request was received encrypted on an https_port.
>
> > Strangely, when I was playing around with this on Friday, I could have
> > sworn that the redirector script was receiving URLs that started with
> > 'https', but I can't reproduce that today so I must have imagined it :-)
>
> It does.. at least unless
>
> a) You tell your https_port to use http as the protocol identified.
>
> or
>
> b) If you are using Squid-2.5 and not the currently supported 2.6
> version. The https_port support in Squid-2.5 isn't very friendly..
>
> Regards
> Henri
>
Received on Tue May 22 2007 - 12:24:17 MDT
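Henrik's reply points at the myport acl and the front-end-https cache_peer option; the fragment below reworks Jeff's two-backend layout around them as an added example (it is not configuration from either message). Port numbers, certificate paths, the hostname and the acl names are assumptions; the Squid-2.6 directive syntax is as documented in squid.conf.default.

```conf
# Added example, not from the thread. Same idea as Jeff's split, but keyed
# on the local port Squid accepted the connection on (myport) instead of the
# port in the URL, so a plain-HTTP client that insists on sending an
# https:// URI (Henrik's caveat about the proto acl) still lands on the
# non-secure backend. Ports, paths and hostname below are assumed values.

http_port 80 vhost
https_port 443 cert=/etc/squid/ssl/example.crt key=/etc/squid/ssl/example.key defaultsite=www.example.com

# myport matches the port Squid itself listened on for this request.
acl on_http  myport 80
acl on_https myport 443

# front-end-https=on makes Squid add "Front-End-Https: On" to requests it
# forwards to the secure backend, so the origin can tell the client leg was
# TLS even though the Squid-to-Apache hop is plain HTTP on 127.0.0.1.
cache_peer 127.0.0.1 parent 8100 0 no-query originserver login=PASS name=nonsecure
cache_peer 127.0.0.1 parent 8101 0 no-query originserver login=PASS front-end-https=on name=secure

# Mirror of Jeff's routing rules, using the listening-port acls.
cache_peer_access nonsecure allow on_http
cache_peer_access nonsecure deny  on_https
cache_peer_access secure    allow on_https
cache_peer_access secure    deny  on_http
```

The Apache side is unchanged from Jeff's layout (two Listen ports with name-based virtual hosts); the secure virtual host can now key its behaviour on the Front-End-Https request header rather than on the port alone.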
