[squid-users] SSL termination problem - squid's requests using https
Sam Holden
sam.holden at steeprockinc.com
Wed Sep 18 19:23:26 UTC 2019
On Wed, Sep 18, 2019 at 7:11 AM Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>
> All these *_port things are a red herring. The initial problem was
> connections to the origin server using HTTPS.
>
> Connections to originserver peer do not send URL scheme, and use the
> settings on the cache_peer directive as the protocol layering and
> message framing. So the http(s)_port options should be having no input
> into the problem. The problem is something in the unknown cache_peer
> settings, or maybe a bug in the new peer selection code.
Thanks.
I think I've got that bit working. The old v3 config didn't have
cache_peers for all of the 150 odd https_port entries the squid server
is running. It was a very old version of 3 so it's likely a default
changed or the config was relying on an old bug/accidental behaviour
to work.
However, I don't understand how to send traffic to different ports on
the same servers. The reverse-proxy faq and sample configs cover
multiple servers and name based virtual hosting but I can't find how
to direct to specific ports.
For example, some test config (with combinations of vhost and vport):
https_port 9000 accel defaultsite=10.240.0.6:80
cert=/etc/pki/tls/cert.crt key=/etc/pki/tls/cert.key vhost
https_port 9001 accel defaultsite=10.240.0.6:81
cert=/etc/pki/tls/cert.crt key=/etc/pki/tls/cert.key vhost
https_port 9002 accel defaultsite=10.240.0.6:80
cert=/etc/pki/tls/cert.crt key=/etc/pki/tls/cert.key no-vhost
https_port 9003 accel defaultsite=10.240.0.6:81
cert=/etc/pki/tls/cert.crt key=/etc/pki/tls/cert.key no-vhost
https_port 9004 accel defaultsite=10.240.0.6
cert=/etc/pki/tls/cert.crt key=/etc/pki/tls/cert.key vport=80 vhost
https_port 9005 accel defaultsite=10.240.0.6
cert=/etc/pki/tls/cert.crt key=/etc/pki/tls/cert.key vport=81 vhost
https_port 9006 accel defaultsite=10.240.0.6
cert=/etc/pki/tls/cert.crt key=/etc/pki/tls/cert.key vport=80 no-vhost
https_port 9007 accel defaultsite=10.240.0.6
cert=/etc/pki/tls/cert.crt key=/etc/pki/tls/cert.key vport=81 no-vhost
http_port 8000 accel defaultsite=10.240.0.6:80 vhost
http_port 8001 accel defaultsite=10.240.0.6:81 vhost
http_port 8002 accel defaultsite=10.240.0.6:80 no-vhost
http_port 8003 accel defaultsite=10.240.0.6:81 no-vhost
http_port 8004 accel defaultsite=10.240.0.6 vport=80 vhost
http_port 8005 accel defaultsite=10.240.0.6 vport=81 vhost
http_port 8006 accel defaultsite=10.240.0.6 vport=80 no-vhost
http_port 8007 accel defaultsite=10.240.0.6 vport=81 no-vhost
cache_peer 10.240.0.6 parent 80 0 no-query no-query originserver
no-digest login=PASSTHRU name=test80
cache_peer 10.240.0.6 parent 81 0 no-query no-query originserver
no-digest login=PASSTHRU name=test81
# end config
Requests to 900[0145] see squid make http connections 10.240.0.6:80.
Requests 900[2367] see squid make https connections to 10.240.0.6 - my
logs don't record the port on the error.
Requests to 800[012456] see squid make http connections to 10.240.0.6:80.
Requests to 800[37] see squid make http connections to 10.240.0.7:81.
So the no-vhost option seems to give me what I want for http_port.
However, when I use an https_port with no-vhost squid's requests are
being done in https instead of http and without no-vhost all the
traffic is directed to port 80 even when 81 is specified in the
https_port line (the same applied to http_port for that part).
I'm sure I'm missing something obvious, I'll be rereading the squid
docs tonight but there's a lot that I don't understand.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list