[squid-users] Reverse Proxy for multiple SSL sites on same server

2011-01-14 Thread Dean Weimer
I am struggling with a setup where I am adding a parent web server behind my 
reverse proxy that has multiple SSL sites running under the same name but on 
different ports.  The site on the default port 443 works, but I can't get it to 
forward to the parent on the second site running on port 444.  The server is 
already running several SSL sites on 443 using a UCC SSL cert with subject 
alternative names.

Here are the relevant parts of the setup:

https_port 10.50.20.10:443 accel cert=/usr/local/squid/etc/certs/server.crt 
key=/usr/local/squid/etc/certs/server.key defaultsite=www.mydomain.com vhost 
options=NO_SSLv2 
cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
https_port 10.50.20.10:444 accel cert=/usr/local/squid/etc/certs/server.crt 
key=/usr/local/squid/etc/certs/server.key defaultsite=secure.mydomain.com:444 
vhost options=NO_SSLv2 
cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

acl ssl_secure proto HTTPS
acl securesite444 url_regex -i ^https://secure.mydomain.com:444/
acl securesite url_regex -i ^https://secure.mydomain.com/
acl parentserver dst 10.20.10.62/32

http_access deny securesite444 !ssl_secure
http_access allow securesite444 ssl_secure
http_access deny securesite !ssl_secure
http_access allow securesite ssl_secure
http_access allow parentserver ssl_secure
http_access deny ssl_secure

cache_peer 10.20.10.62 parent 444 0 ssl no-query originserver name=parent444 
sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_domain parent444 secure.mydomain.com
cache_peer_access parent444 allow securesite444 ssl_secure

cache_peer 10.20.10.62 parent 443 0 ssl no-query originserver name=parent 
sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_domain parent secure.mydomain.com
cache_peer_access parent allow securesite ssl_secure


The logs show that both SSL listening ports were started and both parents 
were configured; however, when accessing https://secure.mydomain.com:444/ it 
reports that it was unable to select a source.

2011/01/14 13:49:51| Accepting HTTPS connections at 10.50.20.10:443, FD 71.
2011/01/14 13:49:51| Accepting HTTPS connections at 10.50.20.10:444, FD 72.
2011/01/14 13:49:51| Configuring Parent 10.20.10.62/443/0
2011/01/14 13:49:51| Configuring Parent 10.20.10.62/444/0
2011/01/14 13:49:51| Ready to serve requests.
-BEGIN SSL SESSION PARAMETERS-
MIGMAgEBAgIDAQQCAC8EIBe26zUEsTBKHRt+Bvw3c9j5XNAArlUDi0Zq6qSncolM
BDCuSmhFVdKHBuflZ2nY/N1UPGY8syDnGlUyDEIQdwFdMveOyawuMJmqeVePI2NI
eKOhBgIETTCo5aIEAgIBLKQCBACmGQQXb3JzY2hlbG5oci5vcnNjaGVsbi5jb20=
-END SSL SESSION PARAMETERS-
2011/01/14 13:49:57| Failed to select source for 
'https://secure.mydomain.com:444/'
2011/01/14 13:49:57|   always_direct = 0
2011/01/14 13:49:57|   never_direct = 0
2011/01/14 13:49:57|   timedout = 0

Does anyone have any idea what I am missing in the parent configuration or 
access rule list that is not allowing the reverse proxy to find and use the 
parent server?

Thanks,
 Dean Weimer


Re: [squid-users] Reverse Proxy for multiple SSL sites on same server

2011-01-14 Thread Amos Jeffries

A few comments inline with your text...

On 15/01/11 09:29, Dean Weimer wrote:

> I am struggling with a setup where I am adding a parent web server behind my 
> reverse proxy that has multiple SSL sites running under the same name but on 
> different ports.  The site on the default port 443 works, but I can't get it to 
> forward to the parent on the second site running on port 444.  The server is 
> already running several SSL sites on 443 using a UCC SSL cert with subject 
> alternative names.
> 
> Here are the relevant parts of the setup:
> 
> https_port 10.50.20.10:443 accel cert=/usr/local/squid/etc/certs/server.crt 
> key=/usr/local/squid/etc/certs/server.key defaultsite=www.mydomain.com vhost 
> options=NO_SSLv2 
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
> https_port 10.50.20.10:444 accel cert=/usr/local/squid/etc/certs/server.crt 
> key=/usr/local/squid/etc/certs/server.key defaultsite=secure.mydomain.com:444 
> vhost options=NO_SSLv2 
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
> 
> acl ssl_secure proto HTTPS
> acl securesite444 url_regex -i ^https://secure.mydomain.com:444/
> acl securesite url_regex -i ^https://secure.mydomain.com/


To do this I would add a name= option to http_port for 444 and an ACL 
that tested for it on traffic.


Alternatively you may be able to use the port ACL. (*NOT* the myport one)

  acl securesite dstdomain secure.mydomain.com
  acl port444 port 444

or

  http_port 10.50.20.10:444 ... name=444
  acl port444 portname 444
  acl securesite dstdomain secure.mydomain.com



> acl parentserver dst 10.20.10.62/32
> 
> http_access deny securesite444 !ssl_secure
> http_access allow securesite444 ssl_secure
> http_access deny securesite !ssl_secure
> http_access allow securesite ssl_secure
> http_access allow parentserver ssl_secure
> http_access deny ssl_secure


A bit faster config that will save you four slow regex matches:

  # if it is not HTTPS reject
  http_access deny !ssl_secure
  # if it is destined to the local domain or to the local server allow
  http_access allow securesite
  http_access allow parentserver
  http_access deny all

NP: this relies on all your traffic being HTTPS and on http_access 
not caring about the port. In your stated config only the peer 
selection cares about the port.




> cache_peer 10.20.10.62 parent 444 0 ssl no-query originserver name=parent444 
> sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
> cache_peer_domain parent444 secure.mydomain.com
> cache_peer_access parent444 allow securesite444 ssl_secure
> 
> cache_peer 10.20.10.62 parent 443 0 ssl no-query originserver name=parent 
> sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
> cache_peer_domain parent secure.mydomain.com
> cache_peer_access parent allow securesite ssl_secure



Use either cache_peer_domain OR cache_peer_access, not both.


With the above suggestions these would become:

  cache_peer_access parent444 allow port444 securesite
  cache_peer_access parent444 deny all

  cache_peer_access parent allow !port444
  cache_peer_access parent deny all


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
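
Putting the reply's suggestions together into one configuration, as an added example that is not text from either message. It assumes Squid 3.1, in which the name= given on an http(s)_port is matched by the `myportname` ACL type (the reply's `portname` is taken to mean that ACL); the addresses, paths, hostnames and cipher string are the ones posted in the thread, the listener names site443 and site444 are made up here, and /usr/local/share/certs is assumed to be a c_rehash'd directory holding the CA that issued the origin server's certificate, so that sslflags=DONT_VERIFY_PEER can be dropped instead of silently accepting any certificate from the origin. Routing on the listener name rather than on a url_regex matters for more than speed: in accel vhost mode the URL that url_regex sees is rebuilt from the client-supplied Host header, so a client connecting to :443 and sending Host: secure.mydomain.com:444 would match the posted securesite444 rule and be sent to the :444 origin, whereas myportname is decided by the socket the connection actually arrived on.

```conf
# Added example (not from the thread): the reverse-proxy config with the
# reply's suggestions applied. Assumes Squid 3.1; hostnames, IPs, paths and
# cipher string are the thread's, listener names site443/site444 are invented.

# One listener per port. name= tags each connection with the socket it
# arrived on, so ACLs can use that instead of the client-supplied Host header.
https_port 10.50.20.10:443 accel vhost defaultsite=www.mydomain.com name=site443 cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
https_port 10.50.20.10:444 accel vhost defaultsite=secure.mydomain.com name=site444 cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

acl ssl_secure proto HTTPS
acl securesite dstdomain secure.mydomain.com
acl port444 myportname site444
acl parentserver dst 10.20.10.62/32

# Access control only checks that the request is HTTPS for one of our sites;
# which listener it came in on is decided at peer selection below.
http_access deny !ssl_secure
http_access allow securesite
http_access allow parentserver
http_access deny all

# Origin on :444, used only for requests that arrived on the :444 listener.
# No DONT_VERIFY_PEER: the origin certificate must chain to a CA in the
# (c_rehash'd) sslcapath directory. Because the peer is addressed by IP,
# ssldomain= supplies the name Squid checks the certificate against
# (assumption: the origin's certificate is issued for secure.mydomain.com).
cache_peer 10.20.10.62 parent 444 0 ssl no-query originserver name=parent444 sslcapath=/usr/local/share/certs ssldomain=secure.mydomain.com
cache_peer_access parent444 allow port444 securesite
cache_peer_access parent444 deny all

# Origin on :443 for everything that did not arrive on the :444 listener
# (assumption: the same origin certificate also covers www.mydomain.com).
cache_peer 10.20.10.62 parent 443 0 ssl no-query originserver name=parent sslcapath=/usr/local/share/certs ssldomain=www.mydomain.com
cache_peer_access parent allow !port444
cache_peer_access parent deny all
```

Validate the file with `squid -k parse` before reconfiguring. After the reload, the check worth doing is the one the url_regex rules would have failed: open a TLS connection to 10.50.20.10:443 (for example with `openssl s_client -connect 10.50.20.10:443`) and send a GET with `Host: secure.mydomain.com:444`; with the listener-name routing above it must be served by the :443 origin, not the :444 one. The options= and cipher= strings are left exactly as posted; a current deployment would also disable SSLv3, but that is outside what the thread discusses.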