squid代理https網站
最近有需求:
1: squid 緩存代理 https 網站
2: 後端的https站點的程序需要記錄到來訪者的真實ip
分析: squid老版本不支持https ,從2.6開始支持https吧,需要編譯的時候加上 "--enable-ssl"
而且有很多說法"squid 緩存https沒意義,而且緩存可能會引起應用程序上的問題 ..."
,起碼最少有優點,squid 可以掩飾後端https 的真實ip地址.....
我參考了squid 官方的文章
這是一個代理多個https 站點的例子,很不錯
############################################
說明:Squid Configuration File
This configuration MUST appear at the top of squid.conf above any other forward-proxy configuration (http_access etc). Otherwise the standard proxy access rules block some people viewing the accelerated site.
###配置開始
https_port 443 cert=/usr/newrprgate/CertAuth/testcert.cert key=/usr/newrprgate/CertAuth/testkey.pem defaultsite=mywebsite.mydomain.com vhost
# First HTTPS peer
cache_peer 10.112.62.20 parent 80 0 no-query originserver login=PASS name=websiteA
acl sites_server_1 dstdomain websiteA.mydomain.com
cache_peer_access websiteA allow sites_server_1
http_access allow sites_server_1
# Second HTTPS peer
cache_peer 10.112.143.112 parent 80 0 no-query originserver login=PASS name=mywebsite
acl sites_server_2 dstdomain mywebsite.mydomain.com
cache_peer_access mywebsite allow sites_server_2
http_access allow sites_server_2
# Third HTTPS peer
cache_peer 10.112.90.20 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=websiteB
acl sites_server_3 dstdomain websiteB.mydomain.com
cache_peer_access websiteB allow sites_server_3
http_access allow sites_server_3
# Security block for non-hosted sites
http_access deny all
############################################
配置尚未成功,繼續修改測試中,如果大家有成功的案例,希望分享,謝謝!
《解決方案》
本帖最後由 也彈吉他 於 2010-03-04 17:29 編輯
https_port 443 cert=/etc/squid/SSL/server.crt key=/etc/squid/SSL/server.key version=1 defaultsite=oct.webdev.com vhost
cache_peer xx.xx.xx.xx parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER name=oct
acl ssl_server_1 dstdomain oct.webdev.com
cache_peer_access oct allow ssl_server_1
http_access allow ssl_server_1
我天下了如下配置,並且把後端的https 上的兩個key 複製到了squid上,
客戶端IE報錯
ERROR
The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: https://oct.webdev.com/
The following error was encountered:
Connection to oct Failed
The system returned:
(71) Protocol errorThe remote host or network may be down. Please try the request again.
###########################################
找到的官方的對於這個報錯的解釋,好像沒實質的作用
客戶端IE報錯:
accept failure: (71) Protocol error
This error message is seen mostly on Solaris systems. Mark Kennedy gives a great explanation:
Squid日誌報錯:
2010/03/04 17:27:51| fwdNegotiateSSL: Error negotiating SSL connection on FD 20: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (1/0/0)
2010/03/04 17:27:51| TCP connection to 58.215.82.151/443 failed
2010/03/04 17:27:52| fwdNegotiateSSL: Error negotiating SSL connection on FD 20: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (1/0/0)
官方解釋:
Error 71 is an obscure way of reporting that clients made it onto your server's TCP incoming connection queue but the client tore down the connection before the server could accept it. I.e. your server ignored its clients for too long. We've seen this happen when we ran out of file descriptors. I guess it could also happen if something made squid block for a long time.
