I already have a squid reverse proxy working for two test sites.
My two sites are www.test1.com and www.test2.com
My current working config file looks like this
/etc/squid3/squid.conf
acl test1_acl dstdomain www.test1.com
acl test2_acl dstdomain www.test2.com
aclSSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access allow pi1_acl
http_access allow pi2_acl
http_access allow localhost
http_access deny all
http_port 80 accel defaultsite=127.0.0.1
cache_peer 192.168.1.x parent 80 0 proxy-only name=test1
cache_peer 192.168.1.y parent 80 0 proxy-only name=test2
cache_peer_access test2 allow test2_acl
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 20% 2880
refresh_pattern . 0 20% 4320
As I said, this configuration works, but I wanted to add a couple of https sites. I did my best to follow the example here, but it's already set up a little bit different than their recommended config format (or at least the format that it comes in by default).
More information on the https site that I want to forward to:
-
It already has a .key and .crt file, and https works fine on it.
-
I copied the .key and .crt file onto the squid box, and reference the location of those files in the config file. (not sure if I'm supposed to leave the .crt and .key file on the server, but I did)
-
I haven't made any other changes on the server…so if I was supposed to, I haven't seen that anywhere.
Here is my new config file.
/etc/squid3/squid.conf
#new lines
https_port 443 accel defaultsite=127.0.0.1 cert=/path/to/myCert.crt key=/path/to/myKey.key
acl newServer_acl dstdomain www.newserver.com
http_access allow newServer_acl
cache_peer 192.168.1.z parent 443 0 proxy-only name=newserver ssl sslcafile=/path/to/myCert.crt
#end new lines
acl test1_acl dstdomain www.test1.com
acl test2_acl dstdomain www.test2.com
aclSSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access allow pi1_acl
http_access allow pi2_acl
http_access allow localhost
http_access deny all
http_port 80 accel defaultsite=127.0.0.1
cache_peer 192.168.1.x parent 80 0 proxy-only name=test1
cache_peer 192.168.1.y parent 80 0 proxy-only name=test2
cache_peer_access test2 allow test2_acl
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 20% 2880
refresh_pattern . 0 20% 4320
This is my first time setting up a reverse proxy with squid, or with an https site, so I'm sure it's a small mistake, but I've looked through other config files, and can't seem to find a problem.
Any help is appreciated.
Best Answer
From my research, it doesn't look like this is a simple config file problem. Squid has to be compiled using a
--enable-sslflag, and this appears to be fairly difficult with Debian based distros. It looks to me like squid is more ideal for RPM based distros. See here for more info.I'm going to mark this as an answer for now, unless someone posts something else that makes more sense later.