Re: forward and reverse through one system

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Amos Jeffries wrote:
> Alan Lehman wrote:
> > > > > > Specific to your loop-back problem:
> > > > > >
> > > > > > You need to adjust your reverse-proxy configuration to block the
> > > > > CONNECT
> > > > > > method being used to access the peers.
> > > > > Sorry, but can you elaborate on this?
> > > >
> > > > The "internal net -> forward proxy" step of the chain uses a CONNECT
> > > > request.
> > > >
> > > >   cache_peer BLAH deny CONNECT
> > > >
> > > > is needed to force "internal net -> forward proxy ->
> > > accelerator(self)"
> > > > Otherwise requests like "CONNECT owa:443" will be optimized as
> > > > "internal
> > > > net -> accelerator -> OWA ". Even though OWA does not handle CONNECT.
> > > >
> > > > Blocking CONNECT to peer, forces config down to the forward-proxy
> > > > config
> > > > which _is_ allowed to do the looping back bit an de-tunneling the
> > > > CONNECT.
> > > As far as I can see, cache_peer doesn't allow a deny parameter, so I
> > > tried the following and get "the requested URL cannot be retried". At
> > > least it's not just hanging:
> > >
> > > cache_peer blah
> > >
> > > acl OWA dstdomain owa.domain.com
> > > http_access allow OWA
> > > miss_access allow OWA
> > > acl CONNECT method CONNECT
> > > cache_peer_access owa-server deny CONNECT
> > > cache_peer_access owa-server allow OWA
> > > never_direct allow OWA
> > >
> > > [normal forward proxy config below]
> > >
> > > Thanks,
> > > Alan
> >
> > With the configuration above, the logs look like this:
> > access.log:
> > 1235235368.181      0 172.16.7.203 TCP_MISS/503 0 CONNECT 
> > owa.domain.com:443 - NONE/- -
> > 1235235368.428    163 172.16.7.203 TCP_MISS/304 326 GET 
> > http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 -
> >
> > cache.log:
> > -----END SSL SESSION PARAMETERS-----
> > 2009/02/21 10:56:59| Failed to select source for '[null_entry]'
> > 2009/02/21 10:56:59|   always_direct = 0
> > 2009/02/21 10:56:59|    never_direct = 1
> > 2009/02/21 10:56:59|        timedout = 0
> >
> > '[null_entry]' is curious. Shouldn't that be URL for OWA?
> >
> > Playing with this same configuration, if I authenticate to OWA first 
> > via another proxy, then switch to this one, it will keep working until 
> > I restart the browser.
> >
> > Is there some other way to accomplish deny CONNECT?
>
> Drop the "never_direct" entry. It's cutting the loopback from happening.

No forget that.  Add !CONNECT to it instead.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5