Hi,
I have two matrix app servers and a reverse proxy using squid in front of this. This all works very nicely for http traffic; how do I configure it for https traffic? Can I only put the SSL cert on the proxy server so the traffic between the app servers and the proxy server is still unencrypted and still cacheable?
Regards,
Andre
[quote]Hi,
I have two matrix app servers and a reverse proxy using squid in front of this. This all works very nicely for http traffic; how do I configure it for https traffic? Can I only put the SSL cert on the proxy server so the traffic between the app servers and the proxy server is still unencrypted and still cacheable?
Regards,
Andre[/quote]
Yes, but you need a recent version in order to do this (this has config options to set links on generated pages to be https links even if Matrix is seeing http connections, as the SSL is not being passed through). I think this is in 3.22.0.
Although you could load the ssl cert onto the apache server too, despite it having the wrong name. Squid doesn't seem to bother checking.
I presume this is related to SSL Accelerator support, which as Justin pointed out was introduced in 3.22.0.
From the changelog:
[quote]SSL Accelerator Support
Matrix can now determine whether it is behind an SSL accelerator proxy, based on the origin IP address (whether they are being forwarded through the router), header matching (exact match on header name and value), or both. This is needed because SSL accelerators provide a standard HTTP connection with Matrix, and Matrix needs to ensure that it still sends HTTPS links regardless.
SSL accelerator support can be configured through the "Proxy Configuration" screen of System Configuration. A "Force Insecure (HTTP)" option has been added to the SSL options on the asset "Settings" screen in order to instruct Matrix to provide only HTTP links or nothing for a certain asset.[/quote]
OK, that is not what I wanted to hear (we are on 3.18.8 and don't have time to upgrade).
I have ssl on the app servers (that is the easy bit). When I go directly to a single app server it does what 3.18.8 says on the box and only secures the login page, for example. But when I use the reverse proxy in front of it, I get a redirect (HTTP 302) to the https url, and then I end up with a loop.
Surely I should be able to redirect (without caching) the ssl traffic to the app server I want? I have added my squid.conf (changed the server names to protect the innocent) if this helps?
[codebox]visible_hostname webtest.domain.local
cache_effective_user squid
cache_effective_group squid
cache_dir ufs /var/spool/squid 10120 512 2048
# 5 GB
cache_mem 5120 MB
logformat peertracker "%tl" %>a %tr %Ss %Sh %Hs %rm %rv %ru %<A
access_log /var/log/squid/peertracker.log peertracker
cache_access_log /var/log/squid/access.log
emulate_httpd_log yes
maximum_object_size_in_memory 1 MB
strip_query_terms off
read_ahead_gap 128 Kb
collapsed_forwarding on
refresh_stale_hit 30 seconds
retry_on_error on
acl all src 0.0.0.0/0.0.0.0
acl purgehosts src 172.16.70.146
acl PURGE method PURGE
acl POST method POST
acl QUERY urlpath_regex /cgi-bin /_edit /_admin /_nocache /__lib /__fudge /_login
no_cache deny QUERY
no_cache deny POST
http_port 172.16.70.216:80 vhost
https_port 172.16.70.216:443 cert=/etc/squid/ssl.crt/wildcard.domain.local.crt key=/etc/squid/ssl.key/wildcard.domain.local.key vhost
http_access allow PURGE purgehosts
http_access deny PURGE
http_access allow all
cache_peer 172.16.70.146 parent 80 0 originserver no-query no-digest default name=server1
cache_peer 172.16.70.146 parent 443 0 originserver no-query no-digest default ssl sslflags=DONT_VERIFY_PEER name=server1ssl
cache_peer_access server1 allow all
cache_peer_domain server1 webtest.domain.local
cache_peer_access server1ssl allow all
cache_peer_domain server1ssl webtest.domain.local
redirect_rewrites_host_header off
shutdown_lifetime 5 seconds
cachemgr_passwd ${SQUID_CACHEMGR_PASS} all[/codebox]
Squid will go to the first available peer to serve the request.
You need to force it to send SSL pages to the SSL peer.
Here are the relevant lines from our squid.conf, which worked at least as far back as 3.16.0, and probably 3.14.x during testing too, but I can't remember that far back.
[codebox]acl CP_HTTP proto HTTP
acl CP_HTTPS proto HTTPS
cache_peer_access dc2_64 deny !CP_HTTP
cache_peer_access dc2_64_ssl deny !CP_HTTPS[/codebox]
(dc2_64 and dc2_64_ssl are the peer names for our 64-bit matrix server in our "datacentre 2")
I think that's enough rules to do it. Our squid.conf is quite complicated because it takes care of a couple of non-Matrix domains running on a windows server, plus certain apps on our main www. address which are PHP4 only so we farm them off to a different server by url matching - plus we have lines in there to enable load balancing and failover too!
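As an added example (not code from this thread or from Squid), a small Python audit that reads the peer directives of a squid.conf and reports the two things discussed above: originserver peers sharing a cache_peer_domain with no proto-based cache_peer_access rule (the cause of the redirect loop), and an ssl peer that carries DONT_VERIFY_PEER. It uses the poster's peer names server1/server1ssl as constructed sample input and also checks rule order, since cache_peer_access is first-match and the deny rules must come before "allow all".

```python
from collections import defaultdict
# Constructed sample: the peer directives from the squid.conf posted above (both peers serve
# the same domain, so squid uses whichever is "first available" for either scheme).
BROKEN_CONF = """\
cache_peer 172.16.70.146 parent 80 0 originserver no-query no-digest default name=server1
cache_peer 172.16.70.146 parent 443 0 originserver no-query no-digest default ssl sslflags=DONT_VERIFY_PEER name=server1ssl
cache_peer_access server1 allow all
cache_peer_domain server1 webtest.domain.local
cache_peer_access server1ssl allow all
cache_peer_domain server1ssl webtest.domain.local
"""
# The proto-based rules from the reply, adapted to the poster's peer names.
FIX = """\
acl CP_HTTP proto HTTP
acl CP_HTTPS proto HTTPS
cache_peer_access server1 deny !CP_HTTP
cache_peer_access server1ssl deny !CP_HTTPS
"""
# cache_peer_access is first-match: the deny rules must precede "allow all".
FIXED_CONF = BROKEN_CONF.replace("cache_peer_access server1 allow all", FIX + "cache_peer_access server1 allow all", 1)
LATE_FIX_CONF = BROKEN_CONF + FIX  # same rules placed after "allow all" never fire
def audit_peers(conf):
    # Returns findings: shared-domain peers not split by a proto ACL, and unverified ssl peers.
    proto_acls, proto_bound, open_peers = set(), set(), set()
    peers, domains = {}, defaultdict(set)
    for raw in conf.splitlines():
        directive, *args = raw.split("#", 1)[0].split() or [""]
        if directive == "acl" and len(args) >= 2 and args[1] == "proto":
            proto_acls.add(args[0])
        elif directive == "cache_peer":
            name = next((a[5:] for a in args if a.startswith("name=")), args[0])
            peers[name] = ("ssl" in args, any("DONT_VERIFY_PEER" in a for a in args))
        elif directive == "cache_peer_domain":
            for dom in args[1:]:
                domains[dom].add(args[0])
        elif directive == "cache_peer_access" and len(args) >= 3 and args[0] not in open_peers:
            peer, action, acls = args[0], args[1], args[2:]
            if any(a.lstrip("!") in proto_acls for a in acls):
                proto_bound.add(peer)  # this peer is now restricted to one scheme
            elif action == "allow" and acls == ["all"]:
                open_peers.add(peer)  # later rules for this peer are dead
    findings = []
    for dom, names in domains.items():
        unbound = sorted(n for n in names if n not in proto_bound)
        if len(names) > 1 and unbound:
            findings.append(f"{dom}: peers {unbound} not restricted by a proto ACL; first available peer serves both http and https (redirect loop)")
    for name, (is_ssl, no_verify) in peers.items():
        if is_ssl and no_verify:
            findings.append(f"{name}: ssl peer with DONT_VERIFY_PEER; origin certificate never checked")
    return findings
```

Running audit_peers over BROKEN_CONF and LATE_FIX_CONF reports both problems; FIXED_CONF leaves only the DONT_VERIFY_PEER finding, which the proto rules do not address.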