[squid-users] Question about reverse proxy with one public ip and more backend servers with SSL

From: Javier Sansaloni Talens <javier.sansaloni_at_burriana.es>
Date: Wed, 16 Nov 2011 10:13:05 +0100

Good morning,
My name is Javi and I live in Spain.
First of all, thank you for reading my questions. I have tried to found
the answer here and in google but I don't have found anything.

I have a question about reverse proxy with one public ip and more
back-end servers with SSL, I have attached an illustrative picture with
my web server structure.

I have 2 Apache servers, one of these with virtual hosts. I don't have
a problem with http conections. Now in https connections I can work
with only ssl certificate installed in squid and the other 2 servers but
this is the same certificate . But in https connections I would like to
have one certificate in one server. (In the picture Certificate1 and
Certificate2) Is it possible?

I attach my configuration file too.

My configuration file (I have the certificate files currently installed
in /etc/squid/certificados)

*******************************************************************************************************************************************************************************************
http_port 80 accel defaultsite=www.burriana.es vhost
https_port 443 accel cert=/etc/squid/certificados/server.crt
key=/etc/squid/certificados/server.key defaultsite=www.burriana.es vhost
protocol=https
forwarded_for on

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

cache_peer 192.168.20.13 parent 80 0 no-query no-digest originserver
name=etcote login=PASS
acl sites_etcote dstdomain www.adi.burriana.es adi.burriana.es
www.sme.burriana.es sme.burriana.es
acl our_sites dstdomain www.adi.burriana.es adi.burriana.es
www.sme.burriana.es sme.burriana.es
cache_peer_access etcote allow sites_etcote

cache_peer 192.168.20.13 parent 443 0 no-query originserver ssl
sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=etcote_ssl
acl site_etcote_ssl dstdomain www.adi.burriana.es adi.burriana.es
www.sme.burriana.es sme.burriana.es
cache_peer_access etcote_ssl allow site_etcote_ssl
acl https proto https

cache_peer 192.168.20.6 parent 80 0 no-query no-digest originserver
name=burriana login=PASS
acl sites_burriana dstdomain www.burriana.es burriana.es
acl our_sites2 dstdomain www.burriana.es burriana.es
cache_peer_access burriana allow sites_burriana

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow our_sites2
http_access allow our_sites
#http_access allow our_sites_ssl
http_access allow https

http_access allow manager all
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

access_log /var/log/squid/access.log
cache_mgr someone_at_somewhere.com

******************************************************************************************************************************************************************************************

Thank you for your attention,

Regards,

-- 
*Javier Sansaloni Talens*

squid.png
Received on Wed Nov 16 2011 - 09:13:15 MST

This archive was generated by hypermail 2.2.0 : Wed Nov 16 2011 - 12:00:03 MST