[squid-users] Reverse Proxy for multiple SSL sites on same server

From: Dean Weimer <dweimer_at_orscheln.com>
Date: Fri, 14 Jan 2011 14:29:50 -0600

I am struggling with a setup where I am adding a parent web server behind my reverse proxy that has multiple SSL sites running under the same name but on different ports. The site on the default port 443 works, but I can't get it to forward to the parent for the second site running on port 444. The server is already running several SSL sites on 443 using a UCC SSL cert with subject alternative names.

Here are the relevant parts of the setup:

https_port 10.50.20.10:443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=www.mydomain.com vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
https_port 10.50.20.10:444 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=secure.mydomain.com:444 vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

acl ssl_secure proto HTTPS
acl securesite444 url_regex -i ^https://secure.mydomain.com:444/
acl securesite url_regex -i ^https://secure.mydomain.com/
acl parentserver dst 10.20.10.62/32

http_access deny securesite444 !ssl_secure
http_access allow securesite444 ssl_secure
http_access deny securesite !ssl_secure
http_access allow securesite ssl_secure
http_access allow parentserver ssl_secure
http_access deny ssl_secure

cache_peer 10.20.10.62 parent 444 0 ssl no-query originserver name=parent444 sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_domain parent444 secure.mydomain.com
cache_peer_access parent444 allow securesite444 ssl_secure

cache_peer 10.20.10.62 parent 443 0 ssl no-query originserver name=parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_domain parent secure.mydomain.com
cache_peer_access parent allow securesite ssl_secure

The logs show that both SSL listening ports were started and both parents were configured; however, when accessing https://secure.mydomain.com:444/ it reports that it was unable to select a source.

2011/01/14 13:49:51| Accepting HTTPS connections at 10.50.20.10:443, FD 71.
2011/01/14 13:49:51| Accepting HTTPS connections at 10.50.20.10:444, FD 72.
2011/01/14 13:49:51| Configuring Parent 10.20.10.62/443/0
2011/01/14 13:49:51| Configuring Parent 10.20.10.62/444/0
2011/01/14 13:49:51| Ready to serve requests.
-----BEGIN SSL SESSION PARAMETERS-----
MIGMAgEBAgIDAQQCAC8EIBe26zUEsTBKHRt+Bvw3c9j5XNAArlUDi0Zq6qSncolM
BDCuSmhFVdKHBuflZ2nY/N1UPGY8syDnGlUyDEIQdwFdMveOyawuMJmqeVePI2NI
eKOhBgIETTCo5aIEAgIBLKQCBACmGQQXb3JzY2hlbG5oci5vcnNjaGVsbi5jb20=
-----END SSL SESSION PARAMETERS-----
2011/01/14 13:49:57| Failed to select source for 'https://secure.mydomain.com:444/'
2011/01/14 13:49:57| always_direct = 0
2011/01/14 13:49:57| never_direct = 0
2011/01/14 13:49:57| timedout = 0

Does anyone have any idea what I am missing in the parent configuration or access rule list that is not allowing the reverse proxy to find and use the parent server?

Thanks,
     Dean Weimer
Received on Fri Jan 14 2011 - 20:30:02 MST
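As an added example, not part of the original post or of Squid itself, the following Python script is a small model of how Squid evaluates an http_access list and then the cache_peer_domain / cache_peer_access rules for each peer, fed with the ACLs, rules and peers from the configuration above. It assumes the documented Squid semantics (every ACL named on one line must match, the first matching line decides, and when no line matches the result is the opposite of the last line's action) and models cache_peer_domain as a domain-suffix match on the URL host; the request objects are constructed. It is a simulation of the rule logic, not Squid's code, so it does not reproduce whatever caused the "Failed to select source" error in the post; it only shows which lines a given request would hit.

```python
"""Toy evaluator for Squid-style http_access / cache_peer_access rule lists."""
import re
from urllib.parse import urlsplit

# ACL definitions copied from the post (name -> (type, value)). The url_regex
# patterns keep the post's unescaped dots, which in a regex match any character.
ACLS = {
    "ssl_secure": ("proto", "HTTPS"),
    "securesite444": ("url_regex", r"^https://secure.mydomain.com:444/"),
    "securesite": ("url_regex", r"^https://secure.mydomain.com/"),
    "parentserver": ("dst", "10.20.10.62"),
}

# http_access lines in configuration order: (action, [acl references, '!' negates])
HTTP_ACCESS = [
    ("deny", ["securesite444", "!ssl_secure"]),
    ("allow", ["securesite444", "ssl_secure"]),
    ("deny", ["securesite", "!ssl_secure"]),
    ("allow", ["securesite", "ssl_secure"]),
    ("allow", ["parentserver", "ssl_secure"]),
    ("deny", ["ssl_secure"]),
]

# Peers in configuration order: (name, cache_peer_domain list, cache_peer_access lines)
PEERS = [
    ("parent444", ["secure.mydomain.com"], [("allow", ["securesite444", "ssl_secure"])]),
    ("parent", ["secure.mydomain.com"], [("allow", ["securesite", "ssl_secure"])]),
]


def acl_matches(name, request):
    """Evaluate one ACL against a constructed request {'url': ..., 'dst': ...}."""
    kind, value = ACLS[name]
    if kind == "proto":
        return urlsplit(request["url"]).scheme.upper() == value
    if kind == "url_regex":
        # The post uses url_regex -i, i.e. case-insensitive matching.
        return re.search(value, request["url"], re.IGNORECASE) is not None
    if kind == "dst":
        return request["dst"] == value
    raise ValueError(f"unsupported ACL type: {kind}")


def evaluate(rules, request):
    """First line whose ACLs all match decides; no match -> opposite of last line."""
    last_action = "allow"
    for action, refs in rules:
        last_action = action
        line_matches = True
        for ref in refs:
            negated = ref.startswith("!")
            if acl_matches(ref.lstrip("!"), request) == negated:
                line_matches = False
                break
        if line_matches:
            return action
    return "deny" if last_action == "allow" else "allow"


def domain_allowed(host, domains):
    """Model of cache_peer_domain: exact host or sub-domain of a listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def route(url, dst="10.20.10.62"):
    """Return (http_access verdict, selected peer name or None)."""
    request = {"url": url, "dst": dst}
    if evaluate(HTTP_ACCESS, request) == "deny":
        return ("deny", None)
    host = urlsplit(url).hostname or ""
    for name, domains, access in PEERS:
        if domain_allowed(host, domains) and evaluate(access, request) == "allow":
            return ("allow", name)
    return ("allow", None)  # allowed, but no peer is willing to take it


if __name__ == "__main__":
    for u in ("https://secure.mydomain.com:444/", "https://secure.mydomain.com/",
              "https://www.mydomain.com/"):
        print(u, "->", route(u))
```

Under this model the :444 URL is allowed and selects parent444, the plain HTTPS URL selects parent, and a URL for a host outside cache_peer_domain is allowed by the parentserver line but matches no peer, which is the situation in which Squid has nothing to forward to unless direct access is permitted.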
