Home / server / Questions / 118055
Accepted
tylerl
Asked: 2010-03-02 13:18:06 +0800 CST

Squid reverse proxy with optional SSL

  • 772

I'm trying to set up squid as a load-balancing reverse-proxy, and I'm having a bit of trouble with the SSL. One of the site's applications checks to see if a site is loaded over SSL, and behaves differently if that is the case, so I need SSL connections to be proxied over SSL, and non-SSL connections to be proxied without it.

Right now, the squid server accepts connections over HTTP and HTTPS, but it only makes connections over HTTP to the upstream servers.

The interesting part of my squid configuration looks like this:

http_port 80 vhost vport
https_port 443 vhost vport  cert=/etc/cert.pem key=/etc/cert.key
cache_peer 10.0.0.10 parent 80 0 originserver round-robin
cache_peer 10.0.0.11 parent 80 0 originserver round-robin

Is there a simple way to tell it to proxy the SSL connections upstream over SSL, while leaving the others alone?

proxy squid ssl reverse-proxy

1 Answers

  1. Best Answer

    UPDATE (actually tried this from my squid...):

    acl is_ssl port 443
https_port 443 cert=<yourcert> key=<yourkey> accel name=site_ssl defaultsite=<y\
our_external_site>
cache_peer <your_internal_ssl> parent 443 0 no-query originserver ssl sslflags=\
DONT_VERIFY_PEER name=site_ssl
cache_peer_access site_ssl allow is_ssl
cache_peer_access site_ssl deny !is_ssl

acl nonssl port 80
http_port 80 accel defaultsite=<your_external_site>  name=site_nonssl
cache_peer <your_internal_nonssl> parent 80 0 no-query name=site_nonssl origins\
erver
cache_peer_access site_nonssl allow nonssl
cache_peer_access site_nonssl deny !is_nonssl

    ORIGINAL ANSWER BELOW HERE:

    you want something like 

    cache_peer 10.0.0.11 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site_ssl
acl sites_server_3 dstdomain site_ssl
cache_peer_access site_ssl allow ssl_servers
http_access allow ssl_servers
    • 4