redirecting ssl requests with squid?

# 1  
Old 02-25-2010

Say I have an Apache server configured for SSL/non-SSL virtual hosts and a proxy configured as follows (see squid.conf).
The SSL on each name-based virtual host is configured on its own port (only 7 of the domains need this; the rest are just media and other insignificant bits of data, but domains 1-7 contain forms that require specific personal information that may be technically illegal to transmit without encryption).

If any additional information is needed, just let me know.

domain1 is port 443
domain2 is port 444
domain3 is port 445
domain6 is port 447
...
domain7 is port 449
My current squid.conf (actual domain names removed for security purposes):
Code:
# Accelerator (reverse proxy) listener: plain HTTP only, no https_port is defined here
http_port 80 vhost

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# One origin-server parent per site; all nine currently point at the same backend 192.168.0.20:80
cache_peer 192.168.0.20 parent 80 0 no-query default no-digest originserver name=www1
cache_peer 192.168.0.20 parent 80 0 no-query default no-digest originserver name=www2
cache_peer 192.168.0.20 parent 80 0 no-query default no-digest originserver name=www3
cache_peer 192.168.0.20 parent 80 0 no-query default no-digest originserver name=www4
cache_peer 192.168.0.20 parent 80 0 no-query default no-digest originserver name=www5
cache_peer 192.168.0.20 parent 80 0 no-query default no-digest originserver name=www6
cache_peer 192.168.0.20 parent 80 0 no-query default no-digest originserver name=www7
cache_peer 192.168.0.20 parent 80 0 no-query default no-digest originserver name=www8
cache_peer 192.168.0.20 parent 80 0 no-query default no-digest originserver name=www9

# Peer selection by requested domain (leading dot also matches subdomains)
cache_peer_domain www1 .domain1.org
cache_peer_domain www2 .domain2.com
cache_peer_domain www3 .domain3.com
cache_peer_domain www4 .domain4.com
cache_peer_domain www5 .domain5.com
cache_peer_domain www6 .domain6.com
cache_peer_domain www7 .domain7.com
cache_peer_domain www8 .domain8.com
cache_peer_domain www9 .domain9.com

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

# One SSL port per name-based virtual host on the Apache backend
acl SSL_ports port 443 # https
acl SSL_ports port 444 # https
acl SSL_ports port 445 # https
acl SSL_ports port 446 # https
acl SSL_ports port 447 # https
acl SSL_ports port 448 # https
acl SSL_ports port 449 # https

#acl SSL_ports port 563 # snews
#acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 444 # https
acl Safe_ports port 445 # https
acl Safe_ports port 446 # https
acl Safe_ports port 447 # https
acl Safe_ports port 448 # https
acl Safe_ports port 449 # https

#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
#acl Safe_ports port 631 # cups
#acl Safe_ports port 873 # rsync
#acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

icp_access allow localnet
icp_access deny all

hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

acl apache rep_header Server ^Apache
# ACL named after the backend address; matches any request for one of the hosted domains
acl 192.168.0.20 dstdomain .domain1.org
acl 192.168.0.20 dstdomain .domain2.com
acl 192.168.0.20 dstdomain .domain3.com
acl 192.168.0.20 dstdomain .domain4.com
acl 192.168.0.20 dstdomain .domain5.com
acl 192.168.0.20 dstdomain .domain6.com
acl 192.168.0.20 dstdomain .domain7.com
acl 192.168.0.20 dstdomain .domain8.com
acl 192.168.0.20 dstdomain .domain9.com

# http_access is first-match: this allow comes before the Safe_ports and CONNECT
# checks below, so requests for the hosted domains are never subject to them
http_access allow 192.168.0.20
http_access allow manager localhost
http_access allow manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
broken_vary_encoding allow apache

hosts_file /etc/hosts

coredump_dir /var/spool/squid

cache_effective_user user
cache_effective_group user
---------- Post updated 02-25-10 at 05:14 PM ---------- Previous update was 02-24-10 at 07:02 PM ----------

Never mind, I figured out how this might work with virtual IP addresses.

Last edited by hopper195; 03-03-2010 at 07:15 PM..
# 2  
Old 03-03-2010
Guess I was wrong, it still doesn't quite work.
My new situation is:

ssl1 virtual ip 192.16.0.1
ssl2 virtual ip 192.16.0.2
ssl3 virtual ip 192.16.0.3
ssl4 virtual ip 192.16.0.4
ssl5 virtual ip 192.16.0.5
etc..

How can I tell which virtual IP to forward to based on domain, or is such a thing possible?
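An added squid.conf fragment, not from this thread or its poster, showing one way to do what the question asks: terminate TLS on Squid and pick the backend virtual IP by requested domain. It assumes Squid built with --enable-ssl, placeholder public listening addresses 203.0.113.1 and 203.0.113.2, and placeholder certificate paths under /etc/squid/certs/; the domain names and the 192.16.0.x backend virtual IPs are the thread's.

```conf
# Added example (not from this thread). Assumes Squid 2.7/3.x built with --enable-ssl,
# placeholder listening addresses 203.0.113.1/.2 and placeholder cert paths under
# /etc/squid/certs/. Domains and backend virtual IPs follow the thread.

# Terminate TLS on the proxy itself. Without SNI each certificate needs its own
# listening socket, so every domain gets its own address (or port) on the proxy.
https_port 203.0.113.1:443 cert=/etc/squid/certs/domain1.pem key=/etc/squid/certs/domain1.key vhost defaultsite=www.domain1.org
https_port 203.0.113.2:443 cert=/etc/squid/certs/domain2.pem key=/etc/squid/certs/domain2.key vhost defaultsite=www.domain2.com

# One origin-server peer per backend virtual IP. Re-encrypt to Apache and verify its
# certificate against the internal CA (rather than sslflags=DONT_VERIFY_PEER), so the
# form data stays encrypted, and the backend authenticated, all the way to the origin.
cache_peer 192.16.0.1 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/certs/internal-ca.pem ssldomain=www.domain1.org name=ssl1
cache_peer 192.16.0.2 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/certs/internal-ca.pem ssldomain=www.domain2.com name=ssl2

# Peer selection by the Host header (honoured because of vhost). The leading dot
# matches the domain and all of its subdomains. "cache_peer_domain ssl1 .domain1.org"
# is the shorter form already used above; cache_peer_access lets the same ACL
# both choose the peer and gate access.
acl site1 dstdomain .domain1.org
acl site2 dstdomain .domain2.com
cache_peer_access ssl1 allow site1
cache_peer_access ssl1 deny all
cache_peer_access ssl2 allow site2
cache_peer_access ssl2 deny all

# Only hosted domains are served, and Squid must never go direct, so a request
# for an unknown Host cannot be relayed to an arbitrary origin.
http_access allow site1
http_access allow site2
http_access deny all
never_direct allow all
```

Each further domain is one more https_port (own address and certificate), one more cache_peer for its virtual IP, and one more dstdomain ACL with matching cache_peer_access and http_access lines.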