Hi everybody,

I've been recently put in charge of my company's webserver, so I'm
still on the steep slope of the learning curve...

My predecessor already bitched about the CMS - it's slow as molasses.
And instead of fixing the code, the vendor wanted to install squid as
reverse proxy to increase performance. Incredibly enough, this has
been nodded through by our manglement. To make things worse, there is
no testbed, so all our tests are done on the production server. And -
you guessed it - Murphy smiles upon me.

The current configuration is:
- RH 2.1 Kernel 2.4.9-e.71smp
- Apache 1.3.27
- Tomcat 4.1.31
- Squid 2.6 Stable 12

So far I've managed to wrestle all this together and got squid to run
as reverse proxy on port 80. However, two sites on this machine also
have SSL certificates. I've reconfigured squid using --enable-ssl, but
there are still plenty of problems when trying to access port 443:

1. The same certificate that works fine with Apache will be considered
as "out of date" when I let squid handle it. It's not a browser
problem, I've checked it with Firefox, Opera and IE. Every time I go
through squid, the certificate shows up as "either expired or not yet
valid." (and yes, the date on the server is correct).

2. The first web page for both sites is just a redirector, containing
a refresh tag

which normally works with http and https (both have a content.jsp)

However, as soon as I go through squid, this redirection no longer
works. Instead, I'm redirected from the https starting page to the
normal http website.

I've been searching all through the web and usenet, but couldn't find
anything so far. Please let me know what I'm missing!

Here's the squid.conf:
http_port accel defaultsite=www.site1.com:80
http_port accel defaultsite=www.site2.com:80

https_port cert=/etc/httpd/conf/ssl.crt/www.site1.com.crt
key=/etc/httpd/conf/ssl.key/www.site1.com.key accel
https_port cert=/etc/httpd/conf/ssl.crt/www.site2.com.crt
key=/etc/httpd/conf/ssl.key/www.site2.com.key accel

cache_peer parent 80 0 no-query originserver name=site1_com
cache_peer parent 80 0 no-query originserver name=site2_com
cache_peer parent 443 0 no-query originserver ssl
cache_peer parent 443 0 no-query originserver ssl

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin
# removed '?' because the CMS generates every URL with a '?'
cache deny QUERY

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_mem 512 MB
cache_dir ufs /home/squidcache 2048 16 256

access_log /usr/local/squid/var/logs/access.log squid

refresh_pattern . 1440 50% 1440

acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl www_site1_com dstdomain www.site1.com
acl www_site2_com dstdomain www.site2.com
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports

http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow www_site1_com
http_access allow www_site2_com

http_access deny all

http_reply_access allow all

icp_access allow all

cache_peer_access site1_com allow www_site1_com
cache_peer_access site2_com allow www_site2_com
cache_peer_access site1_com_ssl allow www_site1_com
cache_peer_access site2_com_ssl allow www_site2_com

coredump_dir /usr/local/squid/var/cache

Any help would be greatly appreciated.
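A small consistency check for a squid.conf in the shape quoted above, added here as an example and not part of the original post or of Squid itself: it flags cache_peer_access lines that name a peer no cache_peer defines (as site1_com_ssl does in the config as quoted), acl names that are referenced but never declared, and https_port lines lacking cert= or key=. The sample config and the 192.0.2.10 address are constructed placeholders.

```python
import re

# Constructed sample modelled on the posted config (not the poster's real file);
# the 192.0.2.10 origin address is a placeholder.
SAMPLE_CONF = """\
https_port 443 cert=/etc/httpd/conf/ssl.crt/www.site1.com.crt accel
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=site1_com
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl www_site1_com dstdomain www.site1.com
http_access deny CONNECT !SSL_ports
http_access allow www_site1_com
http_access deny all
cache_peer_access site1_com allow www_site1_com
cache_peer_access site1_com_ssl allow www_site1_com
"""

# Directives whose arguments after the allow/deny keyword are acl names.
REF_DIRECTIVES = {"http_access", "http_reply_access", "icp_access", "cache"}

def lint_squid_conf(text):
    """Return (line_no, message) tuples for undefined acl/cache_peer names
    and for https_port lines that lack cert= or key=."""
    acls, peers, problems = set(), set(), []
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    for ln in lines:                         # pass 1: collect definitions
        parts = ln.split()
        if len(parts) >= 2 and parts[0] == "acl":
            acls.add(parts[1])
        elif len(parts) >= 2 and parts[0] == "cache_peer":
            m = re.search(r"\bname=(\S+)", ln)
            peers.add(m.group(1) if m else parts[1])  # unnamed peer: name = host
    for no, ln in enumerate(lines, 1):       # pass 2: check references
        parts = ln.split()
        if not parts:
            continue
        refs = []
        if parts[0] == "cache_peer_access" and len(parts) >= 4:
            if parts[1] not in peers:
                problems.append((no, f"cache_peer_access: no cache_peer named {parts[1]!r}"))
            refs = parts[3:]
        elif parts[0] in REF_DIRECTIVES and len(parts) >= 3:
            refs = parts[2:]
        elif parts[0] == "https_port":
            for opt in ("cert=", "key="):
                if opt not in ln:
                    problems.append((no, f"https_port: missing {opt}"))
        for ref in refs:                     # leading '!' negates an acl
            if ref.lstrip("!") not in acls:
                problems.append((no, f"{parts[0]}: acl {ref.lstrip('!')!r} is not defined"))
    return problems

if __name__ == "__main__":
    for no, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```

Running it over your real squid.conf shows whether the site1_com_ssl / site2_com_ssl peers are actually named, which the https requests depend on before any certificate question arises.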