You don't need to use two different IPs, just two different ports. This is not Squid's fault. From http://en.wikipedia.org/wiki/Virtual_hosting:
"Because the SSL handshake takes place before the expected hostname is sent to the server, the server doesn't know which encryption key to use when the connection is made. One workaround is to run multiple web server programs, each listening to a different incoming port, which still allows the system to just use a single IP address. Another option is to do IP aliasing, where a single computer listens on more than one IP address."

Chris

-----Original Message-----
From: LIMA David [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 17, 2004 9:01 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] RE : [squid-users] SQUID3 + Reverse proxy + OWA: strange error

Just for your information, my config is running smoothly. Here are the keys for the config of squid:

    acl webmail_domains dstdomain webmail.xxx.fr
    acl www_domains dstdomain www.xxx.fr
    http_access allow webmail_domains
    http_access allow www_domains
    http_access deny all
    http_reply_access allow all
    https_port 443 accel vhost cert=/certificats/server.pem key=/certificats/key.pem cafile=/certificats/ca-cert defaultsite=www.xxx.fr
    cache_peer 172.21.0.63 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=webmail
    cache_peer_access webmail allow webmail_domains
    cache_peer 172.21.0.66 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=www
    cache_peer_access www allow www_domains

Does someone know if I can have two different ssl certs if I only have one socket for squid? If not, I have to set up 2 IPs on my squid box and rewrite my NAT rules.

_________________________________
David LIMA
Professional Services
www.scc.com

-----Original Message-----
From: LIMA David
Sent: Monday, November 15, 2004 19:39
To: [EMAIL PROTECTED]
Subject: [squid-users] SQUID3 + Reverse proxy + OWA: strange error

Hi all,

I'm trying to set up a squid3 to do reverse proxy for OWA running on Exchange 2000 but I can't succeed (I have read all posts about OWA + squid but was unable to find a clue...).

Here is my setup:

    ----------            ----------           --------------------
    - CLIENT -  ==> :443  - SQUID3 -  ==> :80  - [EMAIL PROTECTED] -
    ----------            ----------           --------------------

When I go to http://webmail.xxx.fr/exchange/ it works, auth + browsing etc...

When I go to https://webmail.xxx.fr/exchange the auth box comes up (I use basic auth on OWA), I put in my login and password, then the 2 frames of the OWA web site appear but they are blank.

When I go to my log files (exchange) I can't find the problem.

Here is my setup for squid:
______________________________

    http_port 3128
    ssl_unclean_shutdown on
    no_cache deny QUERY
    acl all src 0.0.0.0/0.0.0.0
    acl all-dst dst 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563 80
    acl Safe_ports port 80 # http
    acl CONNECT method CONNECT
    acl owa-exchange urlpath_regex \/exchange(\/|$)
    acl owa-webid urlpath_regex \/WebID\/
    acl owa-host dst 172.21.0.63/255.255.255.255
    http_access allow owa-host owa-exchange
    http_access allow owa-host owa-webid
    http_reply_access allow all-dst
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    # ==> !!!! for testing purpose only !!!!
    http_access allow all
    http_access deny all
    visible_hostname webmail.xxx.fr
    https_port 443 cert=/certificats/server.pem key=/certificats/key.pem cafile=/certificats/ca-cert defaultsite=webmail.xxx.fr
    cache_peer webmail.xxx.fr parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only

Here is a sample of my access.log during an unsuccessful attempt:
_____________________________

    4 172.21.1.4 TCP_MISS/401 333 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
    19 172.21.1.4 TCP_MISS/200 1518 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html

==> When I run squid in console mode (squid -d1 -N), I see that an error occurs, but after googling and browsing the squid-archive-list I can't find out why:

    "ClientNegotiateSSL: Error negotiating SSL connection on FD 16"

I have a second question: I want squid to serve https://www.xxx.fr on one host, and https://www.xxx.fr/exchange/ or https://webmail.xxx.fr or https://webmail.xxx.fr/exchange/ on a second host ==> is it possible to do that with squid? And if yes, how?

Any help would be greatly appreciated.

Thanks a lot.

David LIMA
Professional Services
www.scc.com
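Added example, not part of the original thread: the two-port workaround from the reply above, applied to the working configuration posted on November 17. Port 8443 and the webmail certificate and key paths are placeholders; everything else is taken from the posted configuration.

```conf
# Added example (not from the thread): one https_port listener per certificate.
# The certificate is selected by the listening socket, before any hostname is
# known to Squid, so each site needs its own port (or its own IP address).

acl webmail_domains dstdomain webmail.xxx.fr
acl www_domains dstdomain www.xxx.fr

http_access allow webmail_domains
http_access allow www_domains
http_access deny all

# Listener 1: certificate issued for www.xxx.fr (paths as posted).
# vhost is left out so every request on this port is treated as defaultsite.
https_port 443 accel cert=/certificats/server.pem key=/certificats/key.pem cafile=/certificats/ca-cert defaultsite=www.xxx.fr

# Listener 2: certificate issued for webmail.xxx.fr.
# Placeholders: port 8443, webmail.pem, webmail-key.pem.
# With IP aliasing instead of a second port, the same line takes the form
# "https_port <second-ip>:443 ..." (address elided here).
https_port 8443 accel cert=/certificats/webmail.pem key=/certificats/webmail-key.pem cafile=/certificats/ca-cert defaultsite=webmail.xxx.fr

# Origin servers, routed by requested domain as in the posted configuration.
cache_peer 172.21.0.63 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=webmail
cache_peer_access webmail allow webmail_domains

cache_peer 172.21.0.66 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=www
cache_peer_access www allow www_domains
```

Clients reach the second site on the non-default port unless a NAT rule or a second public address maps it back to 443.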
