On Tue, 24 Aug 2004, Brad Taylor wrote:

This should be the public domain name.

-- I'm using it for testing. Will it work OK for testing?

Depends on your web server.

This has effect on what the Host header will be when the request is forwarded to your web server.

Will "httpd_accel_with_proxy off" still use reverse cache? I only
want squid to cache the accelerated web site.

Yes.

Why this? Does your web server require the use of a client certificate
to access the server?

-- Yes, client has to use https.

Yes, but do clients accessing your https:// backend web server directly have to present a personal SSL certificate for authentication purposes to your web server?


Most likely your web server redirects the user back to 192.168.60.100.

--  Why?  Everything looks to be set up correctly, right? I've seen
cache_peer talked about with SSL.  Is that only for multiple Squid boxes?

Web servers very often send redirects. When they do, these redirects contain the exact full URL that the web server thinks is its public name and how it is supposed to be accessed.


When there is a mismatch between how the web server thinks it is supposed to be accessed and real life (i.e. due to a reverse proxy in front), extreme care needs to be taken to make sure the web server's idea of how it is supposed to be addressed does not leak out to the user.

A trivial example is when you request a directory, but do not include the trailing slash.

I.e. if index.html is the default index page configured on your server and the server has the page http://example.com/marketing/index.html, and the user then requests http://example.com/marketing (not http://example.com/marketing/), the web server will send a redirect telling the browser "to get the page you have requested you must go to http://example.com/marketing/".

If you then have a reverse proxy in front of this listening on another server name such as http://www.example.org/ then this redirect will move the user off from the reverse proxy to trying to access http://example.com/marketing/ directly.

To make things worse, many dynamic applications (CGI, ASP or whatever dynamic technology) quite often render absolute URLs into the returned HTML code with what the application thinks is the public URL in how the application is supposed to be addressed. This means that even if the user accessed http://www.example.org/economy_db/ it may be the case that the HTML content returned by the application running there will contain absolute links to http://example.com/economy_db/

"log_mime_hdrs on", and study access logs of both Squid and your web
servers.

1093381355.430 21 192.168.60.154 TCP_MISS/302 492 GET http://192.168.60.100/ - DIRECT/192.168.60.100 text/html

This is not with "log_mime_hdrs on".

Regards
Henrik
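
The two leaks described in this message (a redirect Location and absolute links in returned HTML that name the backend instead of the reverse proxy) can be checked for mechanically. The following is an added example, not part of the original message or of Squid; the function names are hypothetical and the sample responses are constructed from the example.com / www.example.org names used above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PUBLIC_HOST = "www.example.org"  # the name users type; taken from the message's example


class _LinkCollector(HTMLParser):
    """Collect URL-bearing attribute values (href/src/action) from returned HTML."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def foreign_host(url, public_host):
    """Return the host of an absolute URL if it is not the public name, else None."""
    host = urlsplit(url).hostname
    if host is None:  # relative URL: stays on whatever name the user came in on
        return None
    return None if host.lower() == public_host.lower() else host


def find_leaks(status, headers, body, public_host=PUBLIC_HOST):
    """Return (where, url) pairs in one response that point away from the public name."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    leaks = []
    location = hdrs.get("location")
    if 300 <= status < 400 and location and foreign_host(location, public_host):
        leaks.append(("Location", location))
    if "html" in hdrs.get("content-type", ""):
        collector = _LinkCollector()
        collector.feed(body)
        leaks += [("body", u) for u in collector.urls if foreign_host(u, public_host)]
    return leaks


if __name__ == "__main__":
    # Constructed sample: the missing-trailing-slash redirect described in the message.
    print(find_leaks(302, {"Location": "http://example.com/marketing/"}, ""))
    # Constructed sample: an application rendering its own idea of the public URL.
    page = ('<a href="http://example.com/economy_db/report">r</a>'
            '<a href="/economy_db/list">l</a>'
            '<img src="http://www.example.org/logo.png"/>')
    print(find_leaks(200, {"Content-Type": "text/html"}, page))
```
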
