[squid-users] Squid-2.6.5 SSL reverse proxy ?

From: Stonie <andrew_at_stonie.net>
Date: Mon, 19 Oct 2009 20:33:49 +1100

Hello All,

I’m running Squid-2.6.5 as a reverse proxy compiled with SSL support,
but having trouble getting SSL working.

I have Squid setup to distribute requests to several backend apache
and IIS servers.
My config has been working fine on port 80 plain http. However I am
now trying to secure one of the servers with SSL on 443.
I have read the wiki and the following example config:
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
and have also trawled the web, without luck.

One difference is that I don’t have a wildcard cert, just a cert for a single
address, which I have installed on both the Squid machine and the Apache
machine. The Apache machine serves SSL when I use a hosts entry, so I’m
sure that it’s working.

When I use the following squid.conf (below) Squid starts without any
problems and asks me for the certs pass phrase, then when I make a SSL
browser request I get connection refused? port 80 works fine?
Nothing of note in the access or cache logs? I have tried all sorts
of permutations and I'm lost! :( Any help appreciated.

Kind regards,
Stonie.

# NOTE(review): several directives below appear to have been wrapped onto two
# lines by the mail client (https_port, the cache_peer lines). In squid.conf
# each directive must be on a single line; confirm the real file is not
# wrapped, as a split https_port line would leave nothing listening on 443
# (consistent with "connection refused" while port 80 keeps working).
# If squid starts and asks for the key passphrase, check with netstat/ss that
# squid actually bound port 443 and that no host firewall blocks it.
# cert/key live under /root: they must be readable when squid loads them.
https_port 443 cert=/root/mysslsite.crt key=/root/mysslsite.key
defaultsite=www.mysslsite.com.au vhost vport
http_port 80 vhost vport
# Adds X-Forwarded-For with the client address on requests to the origins.
forwarded_for on
# Do not cache dynamic (cgi-bin / query-string) responses.
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# Setup for server number one and its sites

# login=PASS forwards the client's own credentials to the origin; on a
# plain-http (port 80) peer they cross the Squid->origin hop unencrypted.
cache_peer 192.168.1.202 parent 80 0 no-query originserver
name=tracServer login=PASS
acl tracSites dstdomain src.xxxx.net
cache_peer_access tracServer allow tracSites
# NOTE(review): http_access is first-match. This allow (and the ones for the
# other sites) sits above the "standard security" denies further down, so
# requests for these domains are never checked against !Safe_ports,
# CONNECT !SSL_ports or the manager rules. Consider moving the site allows
# below those denies.
http_access allow tracSites

# Setup for server number two and its sites

cache_peer 192.168.1.201 parent 80 0 no-query originserver
name=MS08-Web login=PASS
acl MS08-WebSites dstdomain www.xxxx.com
cache_peer_access MS08-Web allow MS08-WebSites
http_access allow MS08-WebSites

# Setup for server number three and its sites

cache_peer 192.168.1.206 parent 80 0 no-query originserver
name=JoomlaServer login=PASS
# sslflags=DONT_VERIFY_PEER disables validation of the origin's certificate,
# so the Squid->origin TLS hop is encrypted but the origin is not
# authenticated. Acceptable only if 192.168.1.206 is on a trusted network;
# otherwise point sslcafile= at the issuing CA and drop the flag.
cache_peer 192.168.1.206 parent 443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER name=JoomlaServerSSL
acl JoomlaSites dstdomain www.mysslsite.com.au
# NOTE(review): both the plain-http peer and the ssl peer are allowed for the
# same ACL, so an https request for this site may be routed to the port-80
# peer. If the intent is https-front -> https-backend only, restrict each peer
# by the port the request arrived on (e.g. a myport ACL) — TODO confirm.
cache_peer_access JoomlaServer allow JoomlaSites
cache_peer_access JoomlaServerSSL allow JoomlaSites
http_access allow JoomlaSites

# standard security stuff squid

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Final catch-all; only reached for requests not matched by the site allows above.
http_access deny all
# NOTE(review): ICP is open to any source. For a pure reverse proxy with no
# sibling caches consider disabling ICP (icp_port 0) or denying icp_access.
icp_access allow all

# HTTP Extensions for Subversion

# WebDAV/DeltaV methods needed by Subversion clients via the tracServer peer.
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
Received on Mon Oct 19 2009 - 09:33:57 MDT
