Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I have set up squid to run as a reverse proxy and redirect to 2 web servers for HTTP traffic. This is currently working. I now want to add HTTPS (SSL) support and have not had any luck.
I installed squid 2.7 on Ubuntu 10.4 because this was the default with apt-get install squid.
I tried following THIS guide and I get the following error:
I figured the squid version in the repository is not setup for SSL so I decided to compile it myself. The problem is, EVERY guide I have tried refers to adding a rule in 'debian/rules'. This does NOT exist though!
I used Squid 3 at my previous job and had to compile it in order to support HTTPS so I imagine nothing has changed in that regard in the packages that come with the package manager. I also installed it on Debian but don't recall anything about those 'debian/rules' you mention. Can you provide a link to one of the guides where you saw that?
apt-get source squid
apt-get build-dep squid
apt-get install devscripts build-essential fakeroot
cd squid-2.6.1
vim debian/rules
Add --enable-ssl \ to “# Configure the package” section
It's not just that they're old because I had one for 'lucid' and it also had this debian/rules step.
Could you link me to a relevant how-to which doesn't involve this debian/rules step please? I can use either CentOS5.4 or Ubuntu 10.4, it doesn't really bother me. For now I'll try searching for one specific to squid3.
I had to go through my notes since it's been about 3 years since I've worked with Squid but I found what I used. I downloaded the source code from here and followed this guide. The configure options I used back then are:
You can get a list of available options with their explanations executing:
Code:
./configure --help
There's no mentioning about debian/rules in the Squid wiki I pointed to, nor in my documents from three years ago and I installed Squid on Debian Lenny back then with https as a reversed proxy for multiple domains.
Thanks for the links. I have compiled squid in the same way that you did, changing some directory names. After installing several dependencies, I got it to work. I tried copying my old squid.conf file over, had to remove the 'all' acl as that is a default in squid3, and had to add visible_hostname ip-10-0-0-34 also.
It now starts with no errors but I am unable to connect to it.
Code:
root@ip-10-0-0-34:/var/log/squid# nmap localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-17 03:38 UTC
Interesting ports on localhost (127.0.0.1):
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Does this indicate that more changes are required in my config file to upgrade from version 2.7?
My config file looks pretty similar to this one (I modeled it on this).
That's hard to say without your conf file. Here's the squid.conf I used in combination with that version and build of Squid so you can compare it with yours. I only changed the domain name. I remember there are some differences between version 2.6, 2.7 and version 3.0 but forgot what they are. You could have a look at this document that lists all of the configuration parameters for Squid 3.
Code:
cache_mgr root
#debug_options 61,3 ALL,9
# Basic parameters
visible_hostname www.domain.com
auth_param basic realm domain Security Portal
error_directory /usr/share/squid3/errors/English
# This line indicates the server we will be proxying for
#
http_port 192.168.253.20:80 defaultsite=www.domain.com vhost
https_port 192.168.253.20:443 accel cert=/etc/ssl/domain.crt key=/etc/ssl/domain.key defaultsite=www.domain.com vhost protocol=https
forwarded_for on
# And the IP Address for it - adjust the IP and port if necessary
cache_peer 172.25.2.3 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=aut
acl site_aut dstdomain aut.domain.com
cache_peer_access aut allow site_aut
acl https proto https
cache_peer 172.25.2.3 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=autlog
acl site_autlog dstdomain autlog.domain.com
cache_peer_access autlog allow site_autlog
acl https proto https
cache_peer 172.25.2.5 parent 7002 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=auti2
acl site_auti2 dstdomain auti2.domain.com
cache_peer_access auti2 allow site_auti2
acl https proto https
cache_peer 172.25.2.20 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testfinance
acl site_testfinance dstdomain testfinance.domain.com
cache_peer_access testfinance allow site_testfinance
acl https proto https
cache_peer 172.25.2.21 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testmat
acl site_testmat dstdomain testmat.domain.com
cache_peer_access testmat allow site_testmat
acl https proto https
cache_peer 172.25.2.21 parent 7002 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testmati2
acl site_testmati2 dstdomain testmati2.domain.com
cache_peer_access testmati2 allow site_testmati2
acl https proto https
cache_peer 172.25.2.27 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testaut
acl site_testaut dstdomain testaut.domain.com
cache_peer_access testaut allow site_testaut
acl https proto https
cache_peer 172.25.2.27 parent 7002 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testauti2
acl site_testauti2 dstdomain testauti2.domain.com
cache_peer_access testauti2 allow site_testauti2
acl https proto https
cache_peer 172.25.2.31 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=mat
acl site_mat dstdomain mat.domain.com
cache_peer_access mat allow site_mat
acl https proto https
cache_peer 172.25.2.32 parent 7002 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=mati2
acl site_mati2 dstdomain mati2.domain.com
cache_peer_access mati2 allow site_mati2
acl https proto https
# cache_peer 172.25.2.52 parent 81 0 no-query originserver name=fileserver
# acl site_fileserver dstdomain fileserver.domain.com
# cache_peer_access fileserver allow site_fileserver
cache_peer 172.25.2.55 parent 80 0 no-query originserver name=wiki
auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=es" -D "cn=squid,cn=Users,dc=domain,dc=es" -w "trdcomun" -f sAMAccountName=%s -h 172.25.2.25
auth_param basic children 1
auth_param basic credentialsttl 5 minutes
acl site_wiki dstdomain wiki.domain.com
acl wiki_users proxy_auth REQUIRED
# cache_peer 172.25.2.63 parent 80 0 no-query originserver name=webautdev
# acl site_webautdev dstdomain webautdev.domain.com
# cache_peer_access webautdev allow site_webautdev
cache_peer 172.25.2.70 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=finance
acl site_finance dstdomain finance.domain.com
cache_peer_access finance allow site_finance
acl https proto https
cache_peer 172.25.2.71 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=tradinet
acl site_tradinet dstdomain tradinet.domain.com
cache_peer_access tradinet allow site_tradinet
acl https proto https
cache_peer 172.25.2.84 parent 19080 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=people
acl site_people dstdomain people.domain.com
cache_peer_access people allow site_people
acl https proto https
#cache_peer 172.25.2.199 parent 8080 0 no-query originserver name=acidbase
#acl site_acidbase dstdomain acidbase.domain.com
#cache_peer_access acidbase allow site_acidbase
acl apache rep_header Server ^Apache
# Where the cache files will be, memory and such
cache_dir ufs /var/spool/squid3 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 128 KB
# Log locations and format
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid3/access.log combined
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
logfile_rotate 10
hosts_file /etc/hosts
# Basic ACLs
# acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl whitelist dstdomain aut.domain.com autlog.domain.com auti2.domain.com mat.domain.com mati2.domain.com testfinance.domain.com testmat.domain.com testmati2.domain.com testauti2.domain.com testaut.domain.com finance.domain.com tradinet.domain.com people.domain.com
acl http proto http
acl https proto https
acl port_80 port 80
acl port_443 port 443
acl wiki_users proxy_auth REQUIRED
#
# Add this at the top of the http_access section of squid.conf
#
#http_reply_access allow all
#http_access deny site_people CONNECT !SSL_ports
#http_access allow manager localhost
#http_access deny manager
#http_access allow purge localhost
#http_access deny purge
#http_access deny !Safe_ports
#http_access allow localhost
# rules allowing non-authenticated users
http_access allow http port_80 whitelist
http_access allow CONNECT port_443 whitelist
# rules allowing authenticated users
http_access allow http port_80 REQUIRED
http_access allow CONNECT port_443 REQUIRED
# catch-all rule
http_access deny all
url_rewrite_program /etc/squid3/redirect-to-secure.pl
url_rewrite_access deny CONNECT SSL_ports
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid3
emulate_httpd_log on
redirect_rewrites_host_header off
buffered_logs on
# Do not cache cgi-bin, ? urls, posts, etc.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl POST method POST
no_cache deny QUERY
no_cache deny POST
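The two things this thread leaves the reader to verify by hand are whether the squid binary was actually built with SSL support (the `./configure --help` step above) and whether the posted squid.conf's `https_port` and `cache_peer` lines are complete and safe. The checker below is an added example written for this page; it is not code from the thread or from the Squid project. It reads the text of `squid -v` and of squid.conf as strings, so it runs offline. The directive names and option syntax are the Squid 2.x/3.0 ones shown in the posted config; the finding codes, the helper names and the sample inputs (including the `CHANGEME` password) are constructed for this example.

```python
# Added example (not from the thread): check a Squid build for SSL support and
# audit the TLS-related directives of a reverse-proxy squid.conf.
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (code, offending directive line, explanation)


def ssl_build_enabled(squid_v_output: str) -> bool:
    """True if the configure options echoed by `squid -v` include SSL support.

    Squid 2.x/3.0 used --enable-ssl; Squid 3.2 and later use --with-openssl.
    """
    return re.search(r"--(enable-ssl|with-openssl)\b", squid_v_output) is not None


def parse_squid_conf(text: str) -> List[List[str]]:
    """Split squid.conf into token lists, dropping blank lines and # comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def audit_squid_conf(text: str) -> List[Finding]:
    """Return findings about https_port, ssl cache_peers and the LDAP helper line."""
    findings: List[Finding] = []
    saw_https_port = False
    for tokens in parse_squid_conf(text):
        line = " ".join(tokens)
        directive, args = tokens[0], tokens[1:]
        if directive == "https_port" and args:
            saw_https_port = True
            # option=value pairs after the listen address
            opts = {a.split("=", 1)[0] for a in args[1:] if "=" in a}
            for needed in ("cert", "key"):
                if needed not in opts:
                    findings.append(("HTTPS_PORT_MISSING_" + needed.upper(), line,
                                     f"https_port has no {needed}=; Squid cannot open the listener"))
            # A listener bound to a specific address is invisible to a scan of 127.0.0.1.
            host = args[0].rsplit(":", 1)[0] if ":" in args[0] else ""
            if host and host not in ("127.0.0.1", "localhost"):
                findings.append(("HTTPS_PORT_NONLOOPBACK", line,
                                 f"listener is bound to {host}; scanning localhost will not show it"))
        elif directive == "cache_peer" and "ssl" in args:
            if "sslflags=DONT_VERIFY_PEER" in args:
                findings.append(("PEER_NO_VERIFY", line,
                                 "origin certificate is not verified; any host at that address is accepted"))
            if "sslversion=3" in args:
                findings.append(("PEER_SSLV3", line,
                                 "sslversion=3 pins SSLv3 for the origin connection; use TLS"))
        elif directive == "auth_param" and "-w" in args:
            findings.append(("LDAP_PASSWORD_INLINE", line,
                             "LDAP bind password sits in squid.conf on the helper command line; "
                             "restrict the file's permissions or read the password from a file"))
    if not saw_https_port:
        findings.append(("NO_HTTPS_PORT", "", "no https_port directive: nothing will listen on 443"))
    return findings


# Constructed sample inputs, modelled on the thread (not real output or a real config).
SAMPLE_SQUID_V = "Squid Cache: Version 3.0\nconfigure options:  '--prefix=/usr' '--enable-ssl'\n"
SAMPLE_CONF = """\
http_port 192.168.253.20:80 defaultsite=www.example.com vhost
https_port 192.168.253.20:443 accel cert=/etc/ssl/domain.crt key=/etc/ssl/domain.key defaultsite=www.example.com vhost protocol=https
cache_peer 172.25.2.3 parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=aut
cache_peer 172.25.2.55 parent 80 0 no-query originserver name=wiki
auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=example,dc=com" -D "cn=squid,cn=Users,dc=example,dc=com" -w "CHANGEME" -f sAMAccountName=%s -h 172.25.2.25
acl SSL_ports port 443 # https
"""

if __name__ == "__main__":
    print("SSL build:", ssl_build_enabled(SAMPLE_SQUID_V))
    for code, line, why in audit_squid_conf(SAMPLE_CONF):
        print(f"{code}: {why}\n    {line}")
```

On a real host you would feed it `subprocess.run(["squid", "-v"], capture_output=True, text=True).stdout` and the contents of `/etc/squid3/squid.conf`. The `HTTPS_PORT_NONLOOPBACK` finding is the one most relevant to the nmap runs in this thread: `nmap localhost` only probes 127.0.0.1, so an `https_port` bound to another interface address never appears there even when Squid is listening correctly.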
Is there something further I need to do in order to even get it listening on port 433?
Code:
root@ip-10-0-0-34:/etc/squid3# nmap localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-21 04:08 UTC
Interesting ports on localhost (127.0.0.1):
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
As you can see, only http (port 80) is working with that config file.
SSL is definitely enabled else I'd be getting errors about HTTPS_PORT not being recognized.