Re: [squid-users] Reverse Proxy for multiple SSL sites on same server

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 15 Jan 2011 15:00:27 +1300

A few comments inline with your text...

On 15/01/11 09:29, Dean Weimer wrote:
> I am struggling with a setup where I am adding a parent web server behind my reverse proxy that has multiple ssl sites running under the same name but on different ports. The site on the default port 443 works, but I can't get it to forward to the parent on the second site running on port 444. The server is already running several ssl sites on 443 using a UCC SSL cert with subject alternative names
>
> Here are the relevant parts of the setup:
>
> https_port 10.50.20.10:443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=www.mydomain.com vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
> https_port 10.50.20.10:444 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=secure.mydomain.com:444 vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
>
> acl ssl_secure proto HTTPS
> acl securesite444 url_regex -i ^https://secure.mydomain.com:444/
> acl securesite url_regex -i ^https://secure.mydomain.com/

To do this I would add a name= option to http_port for 444 and an ACL
that tested for it on traffic.

Alternatively you may be able to use the port ACL. (*NOT* the myport one)

   acl securesite dstdomain secure.mydomain.com
   acl port444 port 444

or

   # name= labels this listening socket so an ACL can match on it
   https_port 10.50.20.10:444 ... name=444
   acl port444 myportname 444
   acl securesite dstdomain secure.mydomain.com

> acl parentserver dst 10.20.10.62/32
>
> http_access deny securesite444 !ssl_secure
> http_access allow securesite444 ssl_secure
> http_access deny securesite !ssl_secure
> http_access allow securesite ssl_secure
> http_access allow parentserver ssl_secure
> http_access deny ssl_secure

Bit faster config that will save you four slow regex matches:

   # if it is not HTTPS reject
   http_access deny !ssl_secure
   # if it is destined to the local domain or to the local server allow
   http_access allow securesite
   http_access allow parentserver
   http_access deny all

NP: this relies on all your traffic being HTTPS and that http_access
does not care about the port. In your stated config only the peer
selection cares about the port.

>
> cache_peer 10.20.10.62 parent 444 0 ssl no-query originserver name=parent444 sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
> cache_peer_domain parent444 secure.mydomain.com
> cache_peer_access parent444 allow securesite444 ssl_secure
>
> cache_peer 10.20.10.62 parent 443 0 ssl no-query originserver name=parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
> cache_peer_domain parent secure.mydomain.com
> cache_peer_access parent allow securesite ssl_secure
>

Use either cache_peer_domain OR cache_peer_access, not both.

With the above suggestions these would become:

   cache_peer_access parent444 allow port444 securesite
   cache_peer_access parent444 deny all

   cache_peer_access parent allow !port444
   cache_peer_access parent deny all

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Sat Jan 15 2011 - 02:00:44 MST

This archive was generated by hypermail 2.2.0 : Sat Jan 15 2011 - 12:00:03 MST
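The following squid.conf fragment is an added worked example, not configuration from the original thread or from the Squid project: it takes Dean's listed setup and applies Amos's suggestions end to end (a labelled https_port, a myportname ACL instead of the url_regex ACLs, the shorter http_access order, and cache_peer_access alone for peer selection). Addresses, paths, domain names and cipher strings are the ones quoted in the thread; the port label `p444` is an assumption chosen here, and the 443 peer is restricted to `securesite` as well as `!port444` so it keeps the domain restriction that the original cache_peer_domain line provided.

```conf
# Added example: Dean's reverse-proxy setup with Amos's suggestions applied.
# Port label "p444" is an assumption; everything else comes from the thread.

# Two listening sockets. The second carries name=p444 so that ACLs can tell
# traffic that arrived on :444 apart from traffic that arrived on :443.
https_port 10.50.20.10:443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=www.mydomain.com vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
https_port 10.50.20.10:444 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=secure.mydomain.com:444 vhost name=p444 options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

# ACLs: cheap exact/domain matches replace the four url_regex ACLs.
acl ssl_secure   proto HTTPS
acl port444      myportname p444
acl securesite   dstdomain secure.mydomain.com
acl parentserver dst 10.20.10.62/32

# Access control is evaluated first-match, top to bottom.
# Reject anything that is not HTTPS before doing any other work.
http_access deny !ssl_secure
# Allow requests for the published domain or for the origin server itself.
http_access allow securesite
http_access allow parentserver
http_access deny all

# Origin server on port 444: only requests that arrived on the :444 listener
# for secure.mydomain.com are routed here.
cache_peer 10.20.10.62 parent 444 0 ssl no-query originserver name=parent444 sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_access parent444 allow port444 securesite
cache_peer_access parent444 deny all

# Origin server on port 443: the same domain, but only for requests that did
# NOT arrive on the :444 listener. (cache_peer_domain is dropped, as advised:
# the domain test now lives in cache_peer_access.)
cache_peer 10.20.10.62 parent 443 0 ssl no-query originserver name=parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_access parent allow securesite !port444
cache_peer_access parent deny all
```

Two points worth checking after loading this. First, `squid -k parse` will reject an ACL type it does not know, which is the quickest way to confirm that `myportname` is available in the running version. Second, both cache_peer lines carry `sslflags=DONT_VERIFY_PEER`, which tells Squid to accept any certificate the origin presents; since a CA directory is already supplied via `sslcapath`, removing that flag lets the proxy verify the origin's certificate against that store instead of trusting the hop blindly.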