> Amos,
> See responses to your questions below.
> Thanks.
>
>> > I have one instance of squid configured for forward web proxy and
>> > accelerator for OWA (per the wiki). In order for users to avoid changing
>> > their proxy settings, I need the forward proxy to be able to access OWA
>> > going out and back in as follows:
>> >
>> > Host on internal net -> forward proxy -> accelerator -> OWA server on
>> > internal net
>> >
>> > It seems like this should work. When I try to access OWA from an
>> > internal host, the browser hangs and the following eventually appears in
>> > access.log:
>> >
>> > 1233516965.141 12567 [internal host IP] TCP_MISS/000 0 CONNECT owa.domain.com:443 - FIRST_UP_PARENT/[owa server IP] -
>> >
>> > Any ideas would be most appreciated.
>> >
>> > Thanks,
>> > Alan
>> >
>>
>> (Assuming you have squid-2.6 or later)
>
> 3.1.0.3
>
>> The basic config:
>>
>> You can multi-mode squid. Ensure that the reverse-proxy settings are all
>> at the top of the squid.conf and any forward-proxy settings are following
>> at the bottom.
>> Also, the "http_access deny all" detailed to finish the reverse-proxy
>> config gets removed so that on non-reversed requests squid can drop
>> through and run the forward-proxy settings.
>
> Yup. That's the way it is. My complete config is posted on bug 2572.
>
>> Specific to your loop-back problem:
>>
>> You need to adjust your reverse-proxy configuration to block the CONNECT
>> method being used to access the peers.
>
> Sorry, but can you elaborate on this?

The "internal net -> forward proxy" step of the chain uses a CONNECT request.

cache_peer BLAH deny CONNECT is needed to force "internal net -> forward proxy -> accelerator(self)"

Otherwise requests like "CONNECT owa:443" will be optimized as "internal net -> accelerator -> OWA ". Even though OWA does not handle CONNECT.

Blocking CONNECT to peer, forces config down to the forward-proxy config which _is_ allowed to do the looping back bit and de-tunneling the CONNECT.

>> Then check that the domain IP Squid resolves owa.domain.com to is its own
>> listening https_port.
>
> It does: a.b.c.96
>
>> Amos
>>
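A small lint for the two configuration points made in this thread (CONNECT denied to the accelerator's origin peer, and no early `http_access deny all`), added here as an example and not part of the original messages. The sample squid.conf is constructed and trimmed to the directives the check reads; its addresses and the names `owaServer`, `OWA` and `localnet` are assumptions.

```python
# Constructed sample squid.conf (placeholder addresses and names), not the poster's.
SAMPLE_CONF = """\
https_port 192.0.2.96:443 accel defaultsite=owa.domain.com
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl name=owaServer
acl OWA dstdomain owa.domain.com
acl CONNECT method CONNECT
cache_peer_access owaServer deny CONNECT
cache_peer_access owaServer allow OWA
http_access allow OWA
http_port 3128
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny all
"""

def directives(conf):
    """Return one token list per non-blank, non-comment line."""
    rows = (line.split("#", 1)[0].split() for line in conf.splitlines())
    return [row for row in rows if row]

def lint_multimode(conf):
    """Check the two points from the thread; return a list of findings."""
    rows = directives(conf)
    # ACLs of type "method" that include CONNECT, whatever they are named.
    connect_acls = {r[1] for r in rows if r[0] == "acl" and len(r) > 3
                    and r[2] == "method" and "CONNECT" in r[3:]}
    findings = []
    for peer in rows:
        if peer[0] != "cache_peer" or "originserver" not in peer:
            continue
        # cache_peer_access refers to name= if set, else the peer hostname.
        name = next((o[5:] for o in peer if o.startswith("name=")), peer[1])
        rules = [r for r in rows if r[0] == "cache_peer_access"
                 and len(r) > 3 and r[1] == name]
        # Rules are evaluated in order, so the deny must precede any allow.
        for rule in rules:
            if rule[2] == "deny" and set(rule[3:]) <= connect_acls:
                break
            if rule[2] == "allow":
                findings.append(f"peer {name}: allow rule reached before CONNECT is denied")
                break
        else:
            findings.append(f"peer {name}: no cache_peer_access rule denies CONNECT")
    access = [r[1:] for r in rows if r[0] == "http_access"]
    if ["deny", "all"] in access[:-1]:
        findings.append("http_access deny all appears before later http_access rules")
    return findings
```

The check is deliberately strict: an allow rule that excludes CONNECT through a negated ACL is still reported.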