> > >> Specific to your loop-back problem:
> > >>
> > >> You need to adjust your reverse-proxy configuration to block the CONNECT
> > >> method being used to access the peers.
> > >
> > > Sorry, but can you elaborate on this?
> > >
> >
> > The "internal net -> forward proxy" step of the chain uses a CONNECT request.
> >
> > cache_peer BLAH deny CONNECT
> >
> > is needed to force "internal net -> forward proxy -> accelerator(self)"
> >
> > Otherwise requests like "CONNECT owa:443" will be optimized as "internal
> > net -> accelerator -> OWA". Even though OWA does not handle CONNECT.
> >
> > Blocking CONNECT to peer, forces config down to the forward-proxy config
> > which _is_ allowed to do the looping back bit and de-tunneling the CONNECT.
> >
>
> As far as I can see, cache_peer doesn't allow a deny parameter, so I
> tried the following and get "the requested URL cannot be retried". At
> least it's not just hanging:
>
> cache_peer blah
>
> acl OWA dstdomain owa.domain.com
> http_access allow OWA
> miss_access allow OWA
> acl CONNECT method CONNECT
> cache_peer_access owa-server deny CONNECT
> cache_peer_access owa-server allow OWA
> never_direct allow OWA
>
> [normal forward proxy config below]
>
> Thanks,
> Alan

With the configuration above, the logs look like this:

access.log:
1235235368.181 0 172.16.7.203 TCP_MISS/503 0 CONNECT owa.domain.com:443 - NONE/- -
1235235368.428 163 172.16.7.203 TCP_MISS/304 326 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 -

cache.log:
-----END SSL SESSION PARAMETERS-----
2009/02/21 10:56:59| Failed to select source for '[null_entry]'
2009/02/21 10:56:59| always_direct = 0
2009/02/21 10:56:59| never_direct = 1
2009/02/21 10:56:59| timedout = 0

'[null_entry]' is curious. Shouldn't that be the URL for OWA?

Playing with this same configuration, if I authenticate to OWA first via another proxy, then switch to this one, it will keep working until I restart the browser.

Is there some other way to accomplish deny CONNECT?

Thanks,
Alan
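
An added example (not part of the original message or of Squid itself): a small parser for Squid's native access.log format that picks out requests answered with a 5xx status and a hierarchy code of NONE, which is how the failing CONNECT line above appears next to "Failed to select source" in cache.log. The sample lines are copied from the log excerpt in this message; the function and field names are assumptions of this example.

```python
"""Flag Squid access.log entries where no forwarding source was selected."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Sample lines taken from the access.log excerpt in the message above.
SAMPLE_LOG = """\
1235235368.181 0 172.16.7.203 TCP_MISS/503 0 CONNECT owa.domain.com:443 - NONE/- -
1235235368.428 163 172.16.7.203 TCP_MISS/304 326 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 -
"""

@dataclass
class Entry:
    when: datetime
    elapsed_ms: int
    client: str
    result: str      # Squid result code, e.g. TCP_MISS
    status: int      # HTTP status returned to the client
    size: int
    method: str
    url: str
    hierarchy: str   # e.g. NONE, DIRECT, FIRST_UP_PARENT
    peer: str        # host the request was forwarded to, "-" if none

def parse_line(line):
    """Parse one line of the native log format; return None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    try:
        result, status = f[3].split("/", 1)
        hierarchy, peer = f[8].split("/", 1)
        return Entry(datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
                     int(f[1]), f[2], result, int(status), int(f[4]),
                     f[5], f[6], hierarchy, peer)
    except ValueError:
        return None

def unrouted(log_text, method=None):
    """Entries with hierarchy NONE and a 5xx reply, optionally one method only."""
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return [e for e in entries
            if e.hierarchy == "NONE" and 500 <= e.status < 600
            and method in (None, e.method)]

if __name__ == "__main__":
    for e in unrouted(SAMPLE_LOG, method="CONNECT"):
        print(f"{e.when:%Y-%m-%d %H:%M:%S}Z {e.client} {e.method} {e.url} "
              f"-> {e.result}/{e.status} via {e.hierarchy}/{e.peer}")
```

Running it over a full access.log after each configuration change shows whether CONNECT requests for the OWA host are still left without a forwarding source or are now reaching a peer.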