Re: [squid-users] Forcing Header in Reverse Proxy

Mon, 16 Jan 2012 17:31:05 -0800 

On 17.01.2012 11:21, Roman Gelfand wrote:

fair enough.

How would you, then, implement the following...

I would like to forward https://xyz.mydomain.com/server1 to
http://server1.mydomain.com and https://xyz.mydomain.com/server2 to
http://server2.mydomain.com. Please, keep in mind, the target server 
is apache and it has servername tag which depends on header.
The "/server1" and "/server2" bits will get complex to strip and re-add properly. 

At first glance you probably want something like this in Apache:

server 1 config:
 <VirtualHost xyz.domain.com:80>
    ...

    RewriteEngine On
    RewriteBase   /server1
    Alias /server1   /some/file/path
 </VirtualHost>


server 2 config:
 <VirtualHost xyz.domain.com:443>
    ...

    RewriteEngine On
    RewriteBase   /server2
    Alias /server2   /some/file/path
 </VirtualHost>
HOWEVER, I notice the http:// and https:// difference. A small alteration to the Squid config should work with a simpler Apache setup: 

  squid.conf:
  http_port 80 accel vhost ...
  https_port 443 accel vhost ...

  acl site dstdomain xyz.mydomain.com

  cache_peer server1.mydomain.com 80 0 originserver name=httpServer
  acl HTTP proto HTTP
  cache_peer_access httpServer HTTP site
  cache_peer_access httpServer deny all

  cache_peer server2.mydomain.com 80 0 originserver name=secureServer
  acl HTTPS proto HTTPS
  cache_peer_access secureServer HTTPS site
  cache_peer_access secureServer deny all


server 1 config:
 <VirtualHost xyz.domain.com:80>
    DocumentRoot /http/file/path
 </VirtualHost>


server 2 config:
 <VirtualHost xyz.domain.com:443>
    DocumentRoot /secure/file/path
 </VirtualHost>
The https:// traffic should be exiting Squid with Host header of "xyz.domain.com:443" anyway for the VirtualHost to pick up on, since the receiving https_port 443 is not the default port for http:// which it is being converted to on outgoing to Apache.
You could also add "ssl sslflags=DONT_VERIFY_PEER" on secureServer to use self-signed certificates which keep the traffic secure between the Apache and Squid without triggering any errors or other problems. It also has the nice side effect of ensuring Apache is aware of the port and security differences in the traffic. 

Amos

Reply via email to