Secure connections with accelerator cache

Several scripts on my server respond differently based on whether or not they are being accessed with a secure connection. I set up Squid as an accelerator-cache (reverse proxy) in front of this server, and all of a sudden these scripts don't detect the secure connection. I assume Squid is connecting to them over an unsecured connection even though it is accepting the secure connections. Can someone tell me how to set up squid to connect securely, or give me hints on which directives I should look at? I'm not using client certs or anything, so that's not an issue.

Thanks,
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
Re: Secure connections with accelerator cache

On Tue, Nov 3, 2009 at 1:16 PM, Brian Mearns <bmearns@...> wrote:
> Several scripts on my server respond differently based on whether or
> not they are being accessed with a secure connection. I set up Squid
> as an accelerator-cache (reverse proxy) in front of this server, and
> all of a sudden these scripts don't detect the secure connection. I
> assume Squid is connecting to them over an unsecured connection even
> though it is accepting the secure connections. Can someone tell me how
> to set up squid to connect securely, or give me hints on which
> directives I should look at? I'm not using client certs or anything,
> so that's not an issue.
>
> Thanks,
> -Brian

Well, I found a solution, though I'm not sure it's the correct way to do it. In addition to adding a separate cache_peer that uses SSL and connects on port 443, I also set up cache_peer_access rules that only allow each cache_peer to be used for the correct connection type. If anyone can comment on this (whether or not it's a good way to do it, or if there are other/better/more-common ways to do it), I would very much appreciate it.

#Set up an unsecured port to work in accelerator/reverse proxy mode.
http_port 3128 accel defaultsite=brianpmearns.com vhost

#Set up a secure port to work in accelerator/reverse proxy mode.
https_port 3129 cert=/opt/apache2/conf/ssl/cert.pem key=/opt/apache2/conf/ssl/privkey.pem accel defaultsite=brianpmearns.com vhost

###These were the key lines for getting the proxy to connect to the server with HTTPS...

#First, define two different "peer" "caches", the first for secure connections, the second for unsecure.
cache_peer localhost parent 443 0 no-query originserver login=PASS ssl name=secureLocalhost sslflags=DONT_VERIFY_PEER
cache_peer localhost parent 80 0 no-query originserver login=PASS name=unsecureLocalhost

#Second, define a new ACL called "https" which is used for HTTPS protocol requests. Likewise for HTTP.
acl https proto HTTPS
acl http proto HTTP

#Now, only allow it to connect to the secureLocalhost "peer" for secure connections.
cache_peer_access secureLocalhost allow https
cache_peer_access secureLocalhost deny !https

#And just to be safe, make sure it can't choose the unsecured "peer" for secure connections.
cache_peer_access unsecureLocalhost allow http
cache_peer_access unsecureLocalhost deny https

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
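The point of the cache_peer_access lines above is an invariant: a request that arrived on the https_port must only be forwarded to the TLS peer, and one that arrived on the http_port only to the plaintext peer, otherwise the origin sees the wrong connection type (the symptom in the original post). The following script is an added example, not code from the thread and not part of Squid; it parses the cache_peer, acl and cache_peer_access directives from a squid.conf fragment and reports any peer that could carry a request over the wrong transport. The access-list semantics it models are the documented Squid ones, stated here as assumptions: rules are evaluated in order and the first fully matching line wins; a peer with no cache_peer_access lines is usable for every request; when lines exist but none match, the result is the opposite of the last line's action. Only `proto` ACLs are modelled. Both config strings are constructed: POSTED_CONF reproduces the directives from this message, HALF_FIXED_CONF restricts only the TLS peer and leaves the plaintext peer unrestricted.

```python
"""Lint a Squid accelerator config for the peer-routing invariant discussed in
this thread: HTTPS requests must only reach a TLS origin peer and HTTP requests
only a plaintext one.  Added example; it is not Squid code and not from the
thread.  Assumed Squid access-list semantics: rules are evaluated in order and
the first match wins; a peer with no cache_peer_access lines is usable for every
request; when lines exist but none match, the result is the opposite of the
last line's action."""
import shlex

# Constructed from the directives posted in the thread (comments dropped).
POSTED_CONF = """\
http_port 3128 accel defaultsite=brianpmearns.com vhost
https_port 3129 cert=/opt/apache2/conf/ssl/cert.pem key=/opt/apache2/conf/ssl/privkey.pem accel defaultsite=brianpmearns.com vhost
cache_peer localhost parent 443 0 no-query originserver login=PASS ssl name=secureLocalhost sslflags=DONT_VERIFY_PEER
cache_peer localhost parent 80 0 no-query originserver login=PASS name=unsecureLocalhost
acl https proto HTTPS
acl http proto HTTP
cache_peer_access secureLocalhost allow https
cache_peer_access secureLocalhost deny !https
cache_peer_access unsecureLocalhost allow http
cache_peer_access unsecureLocalhost deny https
"""

# Constructed variant: only the TLS peer is restricted, the plaintext peer is
# left open to every request, so HTTPS requests may be forwarded in the clear.
HALF_FIXED_CONF = """\
http_port 3128 accel defaultsite=brianpmearns.com vhost
https_port 3129 cert=/opt/apache2/conf/ssl/cert.pem key=/opt/apache2/conf/ssl/privkey.pem accel defaultsite=brianpmearns.com vhost
cache_peer localhost parent 443 0 no-query originserver login=PASS ssl name=secureLocalhost sslflags=DONT_VERIFY_PEER
cache_peer localhost parent 80 0 no-query originserver login=PASS name=unsecureLocalhost
acl https proto HTTPS
cache_peer_access secureLocalhost allow https
"""


def parse_conf(text):
    """Collect peers (name -> TLS flag and ordered access rules) and proto ACLs."""
    peers, acls = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = shlex.split(line)
        if directive == "cache_peer":
            # cache_peer hostname type http-port icp-port [options]
            name, tls = args[0], False
            for opt in args[4:]:
                if opt == "ssl" or opt.startswith("tls"):   # Squid 4+ spells it "tls"
                    tls = True
                elif opt.startswith("name="):
                    name = opt.split("=", 1)[1]
            peers[name] = {"tls": tls, "rules": []}
        elif directive == "acl":
            acls[args[0]] = (args[1], [a.upper() for a in args[2:]])
        elif directive == "cache_peer_access":
            peers.setdefault(args[0], {"tls": False, "rules": []})
            peers[args[0]]["rules"].append((args[1], args[2:]))
    return peers, acls


def peer_usable_for(peer, acls, scheme):
    """Evaluate a peer's cache_peer_access lines for a request with this URL scheme."""
    rules = peer["rules"]
    if not rules:
        return True                           # no lines at all: peer usable for everything
    for action, terms in rules:
        for term in terms:
            acl_type, values = acls.get(term.lstrip("!"), (None, []))
            if acl_type != "proto":
                raise ValueError(f"only proto ACLs are modelled here, got {acl_type!r}")
            hit = scheme.upper() in values
            if hit == term.startswith("!"):   # term fails: negated hit, or plain miss
                break
        else:
            return action == "allow"          # every term matched: first match wins
    return rules[-1][0] != "allow"            # implicit result: opposite of last line


def check_scheme_isolation(text):
    """Return findings for peers that may carry a request over the wrong transport."""
    peers, acls = parse_conf(text)
    findings = []
    for name, peer in peers.items():
        for scheme in ("http", "https"):
            wants_tls = scheme == "https"
            if peer_usable_for(peer, acls, scheme) and wants_tls != peer["tls"]:
                transport = "TLS" if peer["tls"] else "plaintext"
                findings.append(
                    f"peer {name}: {scheme} requests may be forwarded over a {transport} origin connection")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("half-fixed", HALF_FIXED_CONF)):
        print(label, check_scheme_isolation(conf) or ["ok"])
```

Run against the posted directives the check returns no findings; against the half-fixed variant it reports the plaintext peer as reachable for https requests, which is exactly the situation the first post described. One caveat the check does not cover: `sslflags=DONT_VERIFY_PEER` tells Squid to accept the origin's certificate without verifying it, which is tolerable here only because the peer is localhost; for an origin on another host the certificate should be verified.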
Re: Re: Secure connections with accelerator cache

Tue 2009-11-03 at 21:41 -0500, Brian Mearns wrote:
> Well, I found a solution, though I'm not sure it's the correct way to
> do it. In addition to adding a separate cache_peer that uses SSL and
> connects on port 443, I also set up cache_peer_access rules that only
> allow each cache_peer to be used for the correct connection type.

Sounds right to me.

Regards
Henrik