V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
NGINX
NGINX Trac
3rd Party Modules
Security Advisories
CHANGES
OpenResty
ngx_lua
Tengine
在线学习资源
NGINX 开发从入门到精通
NGINX Modules
ngx_echo
pew
V2EX  ›  NGINX

Squid 反向代理 https 到 nginx,在源站上设置 301 跳转不生效

  •  
  •   pew · 2017-06-23 11:37:22 +08:00 · 4907 次点击
    这是一个创建于 2709 天前的主题,其中的信息可能已经有所发展或是发生改变。
    Squid 设置如下
    https_port 443 cert=/etc/squid/ssl/123.pem key=/etc/squid/ssl/123.key accel defaultsite=www.aaa.com
    ssl_unclean_shutdown on
    cache_peer 1.2.3.4 parent 443 0 no-query no-digest originserver name=web01 login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=on
    acl sites_server_1 dstdomain .aaa.com
    cache_peer_access web01 allow sites_server_1
    http_access allow web01

    然后源站( 1.2.3.4 )配置了 ssl,并且设置了 http 301 跳转到 https
    listen 80;
    server_name www.aaa.com aaa.com ;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://www.aaa.com$request_uri;

    但是现在结果是输入 www.aaa.com 访问的是 http://www.aaa.com 未进行跳转
    直接 https://www.aaa.com 是可以访问的

    有没有对 squid 比较了解的大阔,给点建议,在此不胜感激。
    7 条回复    2017-06-23 15:38:35 +08:00
    coolloves
        1
    coolloves  
       2017-06-23 11:56:57 +08:00
    cache_peer 1.2.3.4 parent 443 0 no-query no-digest originserver name=web01 login=PASS ssl
    改成
    cache_peer 1.2.3.4 parent 80 0
    试试?
    pew
        2
    pew  
    OP
       2017-06-23 12:04:52 +08:00
    @coolloves
    貌似不行,改了直接无法访问了
    The system returned:

    (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
    Handshake with SSL server failed: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

    此代理和远端主机无法为处理您的请求在相互可接受的安全设置上协商一致。有可能远端计算机不支持安全连接,或者代理对主机的安全凭据不认可。
    coolloves
        3
    coolloves  
       2017-06-23 12:17:41 +08:00   ❤️ 1
    我觉得有问题,缓存点改了,只是对源站 80 访问获取文件,你直接不能访问了,是什么情况
    看错误,貌似还是 ssl 方式,能贴全配置看看不?
    pew
        4
    pew  
    OP
       2017-06-23 13:39:41 +08:00
    @coolloves 改成 80 的话就是下面这样
    # Recommended minimum configuration:
    #

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost

    # And finally deny all other access to this proxy
    # http_access allow all

    # Squid normally listens to port 3128
    visible_hostname localhost

    # http_port 3128

    http_port 80 accel vhost vport
    https_port 443 cert=/etc/squid/ssl/123.pem key=/etc/squid/ssl/123.key accel defaultsite=www.aaa.com
    ssl_unclean_shutdown on
    cache_peer 1.2.3.4 parent 80 0 no-query no-digest originserver name=web01 login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=on
    acl sites_server_1 dstdomain .aaa.com
    cache_peer_access web01 allow sites_server_1
    http_access allow web01

    # Uncomment and adjust the following to add a disk cache directory.
    cache_dir ufs /var/spool/squid 10000 32 512




    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    #
    # Add any of your own refresh_pattern entries above these.
    #
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    pew
        5
    pew  
    OP
       2017-06-23 13:53:56 +08:00
    @coolloves cache_peer 1.2.3.4 parent 80 0 no-query originserver login=PASS name=web01
    这样改,无法打开网页,提示重定向次数过多--
    coolloves
        6
    coolloves  
       2017-06-23 14:44:44 +08:00
    现在提示重定向过多,可能需要看看 nginx 的问题???
    pew
        7
    pew  
    OP
       2017-06-23 15:38:35 +08:00
    @coolloves nginx 就加了个 301
    nginx listen 80;
    server_name www.aaa.com aaa.com ;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://www.aaa.com$request_uri;
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2384 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 23ms · UTC 15:50 · PVG 23:50 · LAX 07:50 · JFK 10:50
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.