[squid-users] cache_peer directive with SNI
Kristopher Lalletti
kristopher at lalletti.ca
Wed Jun 22 03:14:54 UTC 2016
Hi All,
I'm replacing an Apache setup as a reverse-proxy with Squid v3.5, and I've hit a small snag.
Basically, I need to tell squid to pass the proper SSL SNI name to the backend webserver which is accessed via SSL, and naturally, the SSL SNI service-name (service.foo.com) is not the server-hostname (webserver1.foo.com), because I've got 3 servers providing for that service-name.
Valid Request to my backend server:
curl --verbose --resolve service.foo.com:10.10.10.10 https://service.foo.com/
Bad requests to my backend server:
curl --verbose --header 'Host: service.foo.com' https://webserver1.foo.com/
curl --verbose https://webserver1.foo.com/
curl --verbose https://10.10.10.10/
I've looked at the configuration that was generated for the cached_peer, and it came to this:
cache_peer webserver1.foo.com parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_webserver1
Unfortunately, cached_peer doesn't seem to have any directives about this, which leads me to believe there may be a magic SSL Squid ACL that would tell the cache_peer to transpose the requested hostname as part of the SSL SNI hello message, or something like this...
Any advice/orientation to approach the problem would be much appreciated.
Cheers
Kris
More information about the squid-users
mailing list