Hello, I've setup successfully a Squid Reverse Proxy using the How To Set Up A Caching Reverse Proxy With Squid 2.6 although with some differences. I installed Squid 3 stable 16 on a Debian 5.0 Lenny server. I also installed it with SSL support, created my own self-signed wildcard certificate, LDAP authentication against our domain and everything. Everything is working fine, http, https, the certificate, ... but... I have like 6 http intranet sites and 1 https intranet site. I can successfully connect to the http sites using http://site1.domain.com but it also accepts https://site1.domain.com. The same, reverse, is true for the https site. I connect to https://sslsite.domain.com accept the exception for the certificate and get connected. But also using http://sslsite.domain.com I get connected to that site. 1. How do I have to change my configuration so that the https site is only accessible using https connection, dropping all that try to connect to that site using http? 2. When I use https://site1.domain.com to connect to a http site, after authentication it changes the url to http://site1.domain.com. Does this mean that Squid detects that the destination site is a http site and changes the URL accordingly? If this is true would my problem be solved by only accepting https connections? Here's my squid config. I really hope someone can help me out. Code: cache_mgr root # Basic parameters visible_hostname www.domain.com auth_param basic realm Domain Security Portal # This line indicates the server we will be proxying for http_port 80 defaultsite=www.domain.com vhost # And the IP Address for it - adjust the IP and port if necessary cache_peer XXX.XXX.XXX.73 parent 80 0 no-query originserver name=site1 acl site_site1 dstdomain site1.domain.com cache_peer_access site1 allow site_site1 cache_peer XXX.XXX.XXX.27 parent 80 0 no-query originserver name=site2 acl site_site2 dstdomain site2.domain.com cache_peer_access site allow site_site2 cache_peer XXX.XXX.XXX.21 parent 80 0 no-query originserver name=site3 acl site_site3 dstdomain site3.domain.com cache_peer_access site3 allow site_site3 cache_peer localhost parent 8080 0 no-query originserver name=acidbase acl site_acidbase dstdomain acidbase.domain.com cache_peer_access acidbase allow site_acidbase https_port XXX.XXX.XXX.78:443 accel cert=/etc/ssl/domaincert.pem key=/etc/ssl/domainkey.pem cafile=/etc/ssl/CA/cacert.pem defaultsite=sslsite.domain.com vhost protocol=https forwarded_for on cache_peer XXX.XXX.XXX.84 parent 19080 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=sslsite acl site_sslsite dstdomain sslsite.domain.com cache_peer_access sslsite allow site_sslsite acl https proto https acl apache rep_header Server ^Apache # Where the cache files will be, memory and such cache_dir ufs /var/spool/squid3 10000 16 256 cache_mem 256 MB maximum_object_size_in_memory 128 KB # Log locations and format #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh access_log /var/log/squid3/access.log combined cache_log /var/log/squid3/cache.log cache_store_log /var/log/squid3/store.log logfile_rotate 10 hosts_file /etc/hosts # Basic ACLs # acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 # https acl Safe_ports port 80 acl Safe_ports port 443 acl purge method PURGE acl CONNECT method CONNECT auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=ldapuser,cn=Users,dc=domain,dc=com" -w "password" -f sAMAccountName=%s -h ldapserver auth_param basic children 5 acl ldap_users proxy_auth REQUIRED # # Add this at the top of the http_access section of squid.conf # http_access allow ldap_users http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access allow localhost http_access allow all http_access allow all http_reply_access allow all icp_access allow all cache_effective_group proxy coredump_dir /var/spool/squid3 emulate_httpd_log on redirect_rewrites_host_header off buffered_logs on # Do not cache cgi-bin, ? urls, posts, etc. hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? acl POST method POST no_cache deny QUERY no_cache deny POST Kind regards, Eric
