Re: [squid-users] Squid web acceleration for two
On Thu, 11 Dec 2003, Duane Wessels wrote:

>   openssl rsa -in private-key -out private-key.no-passphrase
>
> This is arguably a bad idea, but will allow you to start Squid as you want.

Not worse than having the pass phrase in some script...

But it is true that Squid should be extended to somehow allow entering of pass phrase on startup even when using daemon mode. Just how this is to be done with the current daemon mode implementation where Squid becomes a daemon before even reading the squid.conf is a little bit tricky. But if we change Squid to first read squid.conf and then become a daemon then there is no problem doing this.

Regards
Henrik
Re: [squid-users] Squid web acceleration for two
On Wed, 10 Dec 2003 [EMAIL PROTECTED] wrote:

> This brings me to another problem of starting squid from a script. When
> starting squid using -NCd1 for testing, squid prompts me for the PEM pass
> phrase during SSL initialization, which I type and squid runs happily
> along. But when starting in daemon mode (without the -N option) I am never
> prompted for the pass phrase, squid does not start, it dies.

To use SSL certificates in daemon mode you need to use unencrypted private keys without a pass phrase.

  openssl rsa -in your_encrypted_key.pem -out plain_key.pem

Regards
Henrik
Re: [squid-users] Squid web acceleration for two
Duane W. -- Buy my book: http://squidbook.org/

On Wed, 10 Dec 2003 [EMAIL PROTECTED] wrote:

> Thanks much! Yes, pid_filename is an odd directive, no wonder I overlooked
> that. ;) And that was the trick. By adding pid_filename "none", two
> instances of squid will run, each using its own conf file with unique
> https_port directives.
>
> This brings me to another problem of starting squid from a script. When
> starting squid using -NCd1 for testing, squid prompts me for the PEM pass
> phrase during SSL initialization, which I type and squid runs happily
> along. But when starting in daemon mode (without the -N option) I am never
> prompted for the pass phrase, squid does not start, it dies.
>
> How can I pass the pass phrase to squid so that it starts automatically
> like from a script or on reboot?

Probably you cannot without making some modifications to the source code.

What you can do, however, is remove the passphrase from your (RSA) key with a command like this:

  openssl rsa -in private-key -out private-key.no-passphrase

This is arguably a bad idea, but will allow you to start Squid as you want.

Duane W.
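A pre-start check that an init script could run before launching Squid in daemon mode, as an added example that is not part of the thread: it reports whether the key still needs a pass phrase (the silent startup failure described above) and whether the unencrypted key is readable by group or others. Function names, return codes and file names are assumptions, and the sample PEM files are constructed and hold no key material.

```shell
# Added example; function names, return codes and sample files are hypothetical.
# True if the PEM file carries an encryption marker (traditional or PKCS#8).
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# True if group and other have no permission bits on the file.
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# The command from the thread, run under umask 077 so the plaintext key is
# never created group- or world-readable. Prompts for the pass phrase.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -out "$2" )
}

# 0 = usable in daemon mode, 1 = still encrypted, 2 = readable by others,
# 3 = missing or unreadable.
check_key() {
    [ -r "$1" ] || return 3
    if key_is_encrypted "$1"; then return 1; fi
    key_is_private "$1" || return 2
    return 0
}

# Constructed sample: PEM header lines only, no real key material.
make_sample() {  # usage: make_sample FILE MODE encrypted|plain
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        if [ "$3" = encrypted ]; then
            printf 'Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n'
        fi
        echo 'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY'
        echo '-----END RSA PRIVATE KEY-----'
    } > "$1"
    chmod "$2" "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/enc.pem" 600 encrypted
    make_sample "$d/open.pem" 644 plain
    make_sample "$d/ok.pem" 600 plain
    for f in enc open ok; do
        rc=0; check_key "$d/$f.pem" || rc=$?
        echo "$f.pem: check_key returned $rc"
    done
    rm -rf "$d"
}
demo
```

A start script can refuse to launch the daemon unless `check_key` returns 0, which turns the silent death into an explicit message and catches a plaintext key left with default permissions.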
Re: [squid-users] Squid web acceleration for two
Thanks much! Yes, pid_filename is an odd directive, no wonder I overlooked that. ;) And that was the trick. By adding pid_filename "none", two instances of squid will run, each using its own conf file with unique https_port directives.

This brings me to another problem of starting squid from a script. When starting squid using -NCd1 for testing, squid prompts me for the PEM pass phrase during SSL initialization, which I type and squid runs happily along. But when starting in daemon mode (without the -N option) I am never prompted for the pass phrase, squid does not start, it dies.

How can I pass the pass phrase to squid so that it starts automatically like from a script or on reboot?

Thanks again,
Jerry.
Re: [squid-users] Squid web acceleration for two
On Wed, 10 Dec 2003 [EMAIL PROTECTED] wrote:

> The problem is that the registered certificate that squid is configured
> with has a name mismatch with the second web site being reverse-proxied.

Reverse proxies do not solve the one-domain-per IP:PORT restriction of SSL. If you want to reverse-proxy multiple https server names then you need one https_port with its own certificate per domain just as you would need one server definition per domain on a real https web server.

If both are different hosts in the same domain then you may be able to use a wildcard certificate to cut down on the number of SSL ports needed, but it should be noted that most CAs charge excessively much for signing wildcard certificates.

> I also tried to run two instances of squid with the second binding to
> different ports (like 444, instead of 443) but the second version of squid
> detects that squid is already running and refuses to start. Is there a way
> to run another copy of squid so I can configure for the second certificate?

Just make sure both instances do not share anything. The easiest way is to install two Squids with different prefix, but it is also possible to use different squid.conf which gives different paths to all required.

> I could not find a pid file if that is what squid uses as a marker.

It is specified in squid.conf with the strangely named pid_filename directive...

Regards
Henrik
[squid-users] Squid web acceleration for two
Hello,

I am running squid as a https web accelerator and I need to add another web server to be proxied. Here is the picture:

[internet-user] https> [squid] -http> [intranet-webservers]

The problem is that the registered certificate that squid is configured with has a name mismatch with the second web site being reverse-proxied. It all works fine, but the user sees a warning and must click OK to continue. I need to get rid of that pop-up warning by using a registered certificate for the new web site.

Questions:

Is there a way to run squid with multiple (two) certificates and configure squid to use a given one if a given web site is accessed?

I also tried to run two instances of squid with the second binding to different ports (like 444, instead of 443) but the second version of squid detects that squid is already running and refuses to start. Is there a way to run another copy of squid so I can configure for the second certificate? I could not find a pid file if that is what squid uses as a marker.

Thanks for your help or suggestions,
Jerry.