[squid-users] cache_peer directive with SNI
hectorchan at gmail.com
Wed Jun 22 05:09:21 UTC 2016
Have you looked at the options forceddomain and ssldomain under the
cache_peer directive? Those may be just what you need.

On Tue, Jun 21, 2016 at 8:14 PM, Kristopher Lalletti <kristopher at lalletti.ca> wrote:
> Hi All,
> I'm replacing an Apache setup as a reverse-proxy with Squid v3.5, and I've
> hit a small snag.
> Basically, I need to tell squid to pass the proper SSL SNI name to the
> backend webserver which is accessed via SSL, and naturally, the SSL SNI
> service-name (service.foo.com) is not the server-hostname (
> webserver1.foo.com), because I've got 3 servers providing for that
> Valid Request to my backend server:
> curl --verbose --resolve service.foo.com:10.10.10.10
> Bad requests to my backend server:
> curl --verbose --header 'Host: service.foo.com'
> curl --verbose https://webserver1.foo.com/
> curl --verbose https://10.10.10.10/
> I've looked at the configuration that was generated for the cache_peer,
> and it came to this:
> cache_peer webserver1.foo.com parent 443 0 proxy-only no-query no-digest
> originserver login=PASSTHRU connection-auth=on round-robin ssl
> sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_webserver1
> Unfortunately, cache_peer doesn't seem to have any directives about this,
> which leads me to believe there may be a magic SSL Squid ACL that would
> tell the cache_peer to transpose the requested hostname as part of the SSL
> SNI hello message, or something like this...
> Any advice/orientation to approach the problem would be much appreciated.