Squid and stange things like broken SSL certificates?!?
I've been recently put in charge of my companies' webserver, so I'm
still on the steep slope of the learning curve....
My predecessor already bitched about the CMS - it's slow as molasses.
And instead of fixing the code, the vendor wanted to install squid as
reverse proxy to increase performance. Incredibly enough, this has
been nodded through by our manglement. To make things worse, there is
no testbed, so all our tests are done on the production server. And -
you guessed it - Murphy smiles upon me.
The current configuration is:
- RH 2.1 Kernel 2.4.9-e.71smp
- Apache 1.3.27
- Tomcat 4.1.31
- Squid 2.6 Stable 12
So far I've managed to wrestle all this together and got squid to run
as reverse proxy on port 80. However, two sites on this machine also
have SSL certificates. I've reconfigured squid using --enable-ssl, but
there are still plenty of problems when trying to access port 443:
1. The same certificate that works fine with Apache will be considered
as "out of date" when I let squid handle it. It's not a browser
problem, I've checked it with Firefox, Opera and IE. Every time I go
through squid, the certificate shows up as "either expired or not yet
valid." (and yes, the date on the server is correct).
2. The first web page for both sites is just a redirector, containing
a refresh tag
<meta http-equiv="Refresh" content="0; URL=content.jsp" />
which normally works with http and https (both have a content.jsp)
However, as soon as I go through squid this redirection works no
longer. Instead, I'm redirected from the https starting page to the
normal http website.
I've been searching all through the web and usenet, but couldn't find
anything by now. Please let me know what I'm missing!
Here's the squid.conf:
http_port 188.8.131.52:80 accel defaultsite=www.site1.com:80
http_port 184.108.40.206:80 accel defaultsite=www.site2.com:80
https_port 220.127.116.11:443 cert=/etc/httpd/conf/ssl.crt/www.site1.com.crt
https_port 18.104.22.168:443 cert=/etc/httpd/conf/ssl.crt/www.site2.com.crt
cache_peer 22.214.171.124 parent 80 0 no-query originserver name=site1_com
cache_peer 126.96.36.199 parent 80 0 no-query originserver name=site2_com
cache_peer 188.8.131.52 parent 443 0 no-query originserver ssl
cache_peer 184.108.40.206 parent 443 0 no-query originserver ssl
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin
# removed '?' because the CMS generates every URL with a '?'
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 512 MB
cache_dir ufs /home/squidcache 2048 16 256
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern . 1440 50% 1440
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl www_site1_com dstdomain [url]www.site1.com[/url]
acl www_site2_com dstdomain [url]www.site2.com[/url]
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow www_site1_com
http_access allow www_site2_com
http_access deny all
http_reply_access allow all
icp_access allow all
cache_peer_access site1_com allow www_site1_com
cache_peer_access site2_com allow www_site2_com
cache_peer_access site1_com_ssl allow www_site1_com
cache_peer_access site2_com_ssl allow www_site2_com
Any help would be greatly appreciated.