Squid3 Reverse Proxy Help

[KaMZaTa]

What's wrong with my Squid configuration?

Code:

cache_effective_user    squid
cache_effective_group   squid

visible_hostname website1.com

http_port 80 accel defaultsite=website1.com accel
https_port 443 cert=/usr/local/squid/etc/bpoj.crt key=/usr/local/squid/etc/bpoj.key defaultsite=website1.com accel

forwarded_for on



################ SERVER 01 ################

### HTTP ###
cache_peer 192.168.10.52 parent 80 0 no-query no-digest originserver name=SERVER01 login=PASS
acl SITE_SERVER01 dstdomain website1.com
cache_peer_access SERVER01 allow SITE_SERVER01

### HTTPS ###
cache_peer 192.168.10.52 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=SERVER01SSL login=PASS
acl SITE_SERVER01SSL dstdomain website1.com
cache_peer_access SERVER01SSL allow SITE_SERVER01SSL

#############################################



################ SERVER 02 ################

### HTTP ###
cache_peer 192.168.10.53 parent 80 0 no-query no-digest originserver name=SERVER02 login=PASS
acl SITE_SERVER02 dstdomain website2.com
cache_peer_access SERVER02 allow SITE_SERVER02

### HTTPS ###
cache_peer 192.168.10.53 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=SERVER02SSL login=PASS
acl SITE_SERVER02SSL dstdomain website2.com
cache_peer_access SERVER02SSL allow SITE_SERVER02SSL

#############################################



################ SERVER 03 ################

### HTTP ###
cache_peer 192.168.10.54 parent 80 0 no-query no-digest originserver name=SERVER03 login=PASS
acl SITE_SERVER03 dstdomain website3.com
cache_peer_access SERVER03 allow SITE_SERVER03

### HTTPS ###
cache_peer 192.168.10.54 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=SERVER03SSL login=PASS
acl SITE_SERVER03SSL dstdomain website3.com
cache_peer_access SERVER03SSL allow SITE_SERVER03SSL

#############################################



acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access allow SITE_SERVER01
http_access allow SITE_SERVER01SSL
http_access allow SITE_SERVER02
http_access allow SITE_SERVER02SSL
http_access allow SITE_SERVER03
http_access allow SITE_SERVER03SSL
http_access allow manager all
http_access allow localhost manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all


# Squid normally listens to port 3128
#http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

[KaMZaTa]

So, with configuration above Squid works very well on multiple servers on port 80. On port 443 still I have problem: if i try to reach http://www.website1.com is ok, but if I try to reach https://www.website1.com it ask me certificate insecure request and after I proceed the website shows "as incomplete". Load hyperlink and text but not background images.

Is it possible ACL permission problem? Or what else?

[KaMZaTa]

I don't understand... HTTPS work if I remove HTTP references but if I remove HTTP references HTTP does work anymore (the website shows as incomplete. Load hyperlink and text but not background images.):

Code:

cache_effective_user    squid
cache_effective_group   squid

visible_hostname website1.com

http_port 80 accel defaultsite=website1.com accel
https_port 443 cert=/usr/local/squid/etc/bpoj.crt key=/usr/local/squid/etc/bpoj.key defaultsite=website1.com accel

forwarded_for on



################ SERVER 01 ################

### HTTPS ###
cache_peer 192.168.10.52 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=SERVER01SSL login=PASS
acl SITE_SERVER01SSL dstdomain website1.com
cache_peer_access SERVER01SSL allow SITE_SERVER01SSL

#############################################



################ SERVER 02 ################

### HTTPS ###
cache_peer 192.168.10.53 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=SERVER02SSL login=PASS
acl SITE_SERVER02SSL dstdomain website2.com
cache_peer_access SERVER02SSL allow SITE_SERVER02SSL

#############################################



################ SERVER 03 ################

### HTTPS ###
cache_peer 192.168.10.54 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=SERVER03SSL login=PASS
acl SITE_SERVER03SSL dstdomain website3.com
cache_peer_access SERVER03SSL allow SITE_SERVER03SSL

#############################################



acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access allow SITE_SERVER01
http_access allow SITE_SERVER01SSL
http_access allow SITE_SERVER02
http_access allow SITE_SERVER02SSL
http_access allow SITE_SERVER03
http_access allow SITE_SERVER03SSL
http_access allow manager all
http_access allow localhost manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all


# Squid normally listens to port 3128
#http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Why?

[KaMZaTa]

I tried with Nginx and for now seems to works perfectly in http and https protocol for each domain with a wildcard certificate. Now I'll testing deeper. Anyway, nothing new solution for a kind of proxy reverse name-based port for Nginx?

[KaMZaTa]

HTTP and HTTPS as said before it works perfectly with Nginx. Now i'm trying to do a "proxy reverse name-based port" using proxy_pass and alias for domain. I'm trying to access webmin page through https://webmin.website.it and it apparently work. It show me login page but then when I logon it redirect me to https://webmin.website.it:12321/index.php and not to the right page https://webmin.website.it/index.php. Obviusly same thing for alias PHPMYADMIN. Any ideas?


this is my ../nginx/site-available/website1

Code:

###################### HTTP ######################

server {
        listen   80;
        server_name  website.it;

        access_log  /var/log/nginx/access.log;


        location / {
                proxy_pass      http://192.168.10.52;
                include         /etc/nginx/proxy_params;
        }
}




###################### HTTPS ######################

server {
        ### server port and name ###
        listen          443;
        ssl             on;
        server_name     website1.it;

        ### SSL log files ###
        access_log      logs/ssl-access.log;
        error_log       logs/ssl-error.log;

        ### SSL cert files ###
        ssl_certificate      ssl/kamzata.in.crt;
        ssl_certificate_key  ssl/kamzata.in.key;

        ### Add SSL specific settings here ###


        ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout    60;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;

        ### Access to SSL ###
        location / {
                proxy_pass  https://192.168.10.52;

                ### force timeouts if one of backend is died ##
                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

                ### Set headers ####
                proxy_set_header        Accept-Encoding   "";
                proxy_set_header        Host            $host;
                proxy_set_header        X-Real-IP       $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

                ### Most PHP, Python, Rails, Java App can use this header ###
                #proxy_set_header X-Forwarded-Proto https;##
                #This is better##
                proxy_set_header        X-Forwarded-Proto $scheme;
                add_header              Front-End-Https   on;


                ### By default we don't want to redirect it ####
                proxy_redirect     off;
        }
}




###################### WEBMIN ######################

server {
        ### server port and name ###
        listen          443;
        ssl             on;
        server_name     webmin.website1.it;

        ### SSL log files ###
        access_log      logs/ssl-access.log;
        error_log       logs/ssl-error.log;

        ### SSL cert files ###
        ssl_certificate      ssl/kamzata.in.crt;
        ssl_certificate_key  ssl/kamzata.in.key;

        ### Add SSL specific settings here ###


        ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout    60;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;

        ### Access to SSL ###
        location / {
                proxy_pass  https://192.168.10.52:12321;

                ### force timeouts if one of backend is died ##
                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

                ### Set headers ####
                proxy_set_header        Accept-Encoding   "";
                proxy_set_header        Host            $host;
                proxy_set_header        X-Real-IP       $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

                ### Most PHP, Python, Rails, Java App can use this header ###
                #proxy_set_header X-Forwarded-Proto https;##
                #This is better##
                proxy_set_header        X-Forwarded-Proto $scheme;
                add_header              Front-End-Https   on;


                ### By default we don't want to redirect it ####
                proxy_redirect     off;
        }
}




###################### PHPMYADMIN ######################

server {
        ### server port and name ###
        listen          443;
        ssl             on;
        server_name     phpmyadmin.website1.it;

        ### SSL log files ###
        access_log      logs/ssl-access.log;
        error_log       logs/ssl-error.log;

        ### SSL cert files ###
        ssl_certificate      ssl/kamzata.in.crt;
        ssl_certificate_key  ssl/kamzata.in.key;

        ### Add SSL specific settings here ###


        ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout    60;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;

        ### Access to SSL ###
        location / {
                proxy_pass  https://192.168.10.52:12322;

                ### force timeouts if one of backend is died ##
                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

                ### Set headers ####
                proxy_set_header        Accept-Encoding   "";
                proxy_set_header        Host            $host;
                proxy_set_header        X-Real-IP       $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

                ### Most PHP, Python, Rails, Java App can use this header ###
                #proxy_set_header X-Forwarded-Proto https;##
                #This is better##
                proxy_set_header        X-Forwarded-Proto $scheme;
                add_header              Front-End-Https   on;


                ### By default we don't want to redirect it ####
                proxy_redirect     off;
        }
}

As second thing... is there a better way with conditional function to write a better and sort code? Such as...

Code:

if (http://www.website.it)
proxy_pass 192.168.10.52:80;

if (https://www.website.it)
proxy_pass 192.168.10.52:443;

if (https://webmin.website.it)
proxy_pass 192.168.10.52:12321;

if (https://phpmyadmin.website.it)
proxy_pass 192.168.10.52:12322;

etc...

As third thing... is there a way to use url_rewrite to work with ftp service?