Re: [squid-users] SSL Reverse Proxy to Support Multiple Web Site WITHOUT wildcard crt

From: Nikolaos Pavlidis <Nikolaos.Pavlidis_at_beds.ac.uk>
Date: Mon, 20 Sep 2010 13:02:32 +0100

Hello Amos, all,

Many thanks for taking a look at my config!

Comments inline (easier)

On Fri, 2010-09-17 at 23:17 +1200, Amos Jeffries wrote:
> On 17/09/10 19:32, Nikolaos Pavlidis wrote:
> > Hello Amos, all,
> >
> > Thank you for your response. As far as understanding what you mean I do
> > (that's something at least) but I fail to see how this will be syntaxed
>
> Answers inline.
>
> >
> > My config is as follows please advise(this is not working of course):
> >
> > # NETWORK OPTIONS
> > #
> > -----------------------------------------------------------------------------
> > http_port 80 accel defaultsite=www.domain.com vhost
> > https_port 443 cert=/etc/squid/uob/sid_domain.crt
> > key=/etc/squid/uob/sid_domain.key cafile=/etc/squid/uob/sid_domain.ca
> > defaultsite=sid.domain.com vhost
> >
> > https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt
> > key=/etc/squid/uob/helpdesk_domain.key
> > cafile=/etc/squid/uob/helpdesk_domain.ca defaultsite=helpdesk.domain.com
> > vhost
>
> The public-facing IP address is needed to open multiple same-numbered ports.
>
> (wrapped for easy reading)
>
> https_port 10.0.0.1:443 accel vhost defaultsite=sid.domain.com
> cert=/etc/squid/uob/sid_domain.crt
> key=/etc/squid/uob/sid_domain.key
> cafile=/etc/squid/uob/sid_domain.ca
>
> https_port 10.0.0.2:443 accel vhost defaultsite=helpdesk.domain.com
> cert=/etc/squid/uob/helpdesk_domain.crt
> key=/etc/squid/uob/helpdesk_domain.key
> cafile=/etc/squid/uob/helpdesk_domain.ca
>
>
Unfortunately that did not work! If I define an IP address on the port
it just stops working for some reason! squid reloads with no errors but
access to the host times out.

> > visible_hostname www.domain.com
> > unique_hostname cache1.domain.com
> > offline_mode off
> > icp_port 3130
> > request_body_max_size 32 MB
> >
> > # OPTIONS WHICH AFFECT THE CACHE SIZE
> > #
> > -----------------------------------------------------------------------------
> > cache_mem 4096 MB
> > maximum_object_size 8 MB
> > maximum_object_size_in_memory 256 KB
> >
> > # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> > #
> > -----------------------------------------------------------------------------
> > cache_dir aufs /var/cache/squid 61440 16 256
> > emulate_httpd_log on
> > logfile_rotate 100
> > logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
> > "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> > access_log /var/log/squid/access.log combined
>
> Just for my interest how does forcing apache "common" format with
> emulate_httpd_log mix with explicitly forcing a locally defined
> "combined" format?
> Which one do you expect to be used in the log?
>
Good spot! DOH! :)

> > cache_log /var/log/squid/cache.log
> > cache_store_log /var/log/squid/store.log
>
> Only if you need it. Otherwise:
> cache_store_log none
>
> > debug_options ALL,1,33,3,20,3
>
> (space needed between each section,level option pair.)
> debug_options ALL,1 33,3 20,3
>
Another good one!

> >
> > # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> > #
> > -----------------------------------------------------------------------------
> > auth_param basic children 10
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> > # OPTIONS FOR TUNING THE CACHE
> > #
> > -----------------------------------------------------------------------------
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i \.css 1440 50% 2880 override-expire
> > refresh_pattern -i \.swf 1440 50% 2880 ignore-reload override-expire
>
> Missing:
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
That is actually not suggested for our CMS at the moment :/

<snip>
The rest were spot on as usual and I applied all of them in the running
configuration.

Any suggestions on how to proceed with the SSL?
Many thanks in advance.

Kind regards,

Nik

-- 
Nikolaos Pavlidis BSc (Hons) MBCS NCLP CEH CHFI
Systems Administrator
University Of Bedfordshire
Park Square LU1 3JU
Luton, Beds, UK
Tel: +441582489277 (Ext 2277)
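As an added example (not from this thread, the poster, or Squid itself), a small Python linter for the three configuration mistakes discussed above: two https_port lines on the same port without distinct IP addresses, comma-joined debug_options pairs, and emulate_httpd_log on combined with a named access_log format. The sample configuration is constructed from the lines quoted in the thread; the IP addresses and file paths are the placeholders used there.

```python
from collections import defaultdict

# Constructed sample built from the config lines quoted in the thread
# (the poster's original, pre-fix version).
SAMPLE_CONF = """\
http_port 80 accel defaultsite=www.domain.com vhost
https_port 443 cert=/etc/squid/uob/sid_domain.crt key=/etc/squid/uob/sid_domain.key defaultsite=sid.domain.com vhost
https_port 443 cert=/etc/squid/uob/helpdesk_domain.crt key=/etc/squid/uob/helpdesk_domain.key defaultsite=helpdesk.domain.com vhost
emulate_httpd_log on
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
access_log /var/log/squid/access.log combined
debug_options ALL,1,33,3,20,3
"""


def lint_squid_conf(text):
    """Return a list of human-readable findings for the mistakes discussed in the thread."""
    findings = []
    by_port = defaultdict(list)   # port -> list of bind addresses ('*' = all)
    emulate = custom_format = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        if directive in ("http_port", "https_port") and args:
            # Bind spec is "port" or "ip:port"; a bare port binds every address.
            addr, _, port = args[0].rpartition(":")
            by_port[port].append(addr or "*")
            if directive == "https_port" and not any(a.startswith("cert=") for a in args):
                findings.append(f"https_port {args[0]}: no cert= given")
        elif directive == "emulate_httpd_log" and args[:1] == ["on"]:
            emulate = True
        elif directive == "access_log" and len(args) > 1:
            custom_format = True   # a named logformat is selected explicitly
        elif directive == "debug_options":
            # Squid wants space-separated section,level pairs: "ALL,1 33,3 20,3".
            findings += [f"debug_options: bad pair {a!r}" for a in args if a.count(",") != 1]
    for port, addrs in by_port.items():
        # Listeners collide when an address repeats or a wildcard joins others.
        if len(addrs) > 1 and (len(set(addrs)) < len(addrs) or "*" in addrs):
            findings.append(f"port {port} bound {len(addrs)} times ({', '.join(addrs)}): "
                            "give each https_port its own IP")
    if emulate and custom_format:
        findings.append("emulate_httpd_log on conflicts with the named access_log format")
    return findings


if __name__ == "__main__":
    for finding in lint_squid_conf(SAMPLE_CONF):
        print(finding)
```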
Received on Mon Sep 20 2010 - 12:02:43 MDT
