> Amos Jeffries wrote:
>> Alan Lehman wrote:
>>>>>>> Specific to your loop-back problem:
>>>>>>>
>>>>>>> You need to adjust your reverse-proxy configuration to block the
>>>>>>> CONNECT method being used to access the peers.
>>>>>> Sorry, but can you elaborate on this?
>>>>>
>>>>> The "internal net -> forward proxy" step of the chain uses a CONNECT
>>>>> request.
>>>>>
>>>>> cache_peer BLAH deny CONNECT
>>>>>
>>>>> is needed to force "internal net -> forward proxy -> accelerator(self)".
>>>>> Otherwise requests like "CONNECT owa:443" will be optimized as
>>>>> "internal net -> accelerator -> OWA", even though OWA does not handle
>>>>> CONNECT.
>>>>>
>>>>> Blocking CONNECT to the peer forces config down to the forward-proxy
>>>>> config, which _is_ allowed to do the looping back bit and de-tunneling
>>>>> the CONNECT.
>>>>>
>>>> As far as I can see, cache_peer doesn't allow a deny parameter, so I
>>>> tried the following and get "the requested URL cannot be retried". At
>>>> least it's not just hanging:
>>>>
>>>> cache_peer blah
>>>>
>>>> acl OWA dstdomain owa.domain.com
>>>> http_access allow OWA
>>>> miss_access allow OWA
>>>> acl CONNECT method CONNECT
>>>> cache_peer_access owa-server deny CONNECT
>>>> cache_peer_access owa-server allow OWA
>>>> never_direct allow OWA
>>>>
>>>> [normal forward proxy config below]
>>>>
>>>> Thanks,
>>>> Alan
>>>
>>> With the configuration above, the logs look like this:
>>>
>>> access.log:
>>> 1235235368.181 0 172.16.7.203 TCP_MISS/503 0 CONNECT owa.domain.com:443 - NONE/- -
>>> 1235235368.428 163 172.16.7.203 TCP_MISS/304 326 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 -
>>>
>>> cache.log:
>>> -----END SSL SESSION PARAMETERS-----
>>> 2009/02/21 10:56:59| Failed to select source for '[null_entry]'
>>> 2009/02/21 10:56:59| always_direct = 0
>>> 2009/02/21 10:56:59| never_direct = 1
>>> 2009/02/21 10:56:59| timedout = 0
>>>
>>> '[null_entry]' is curious. Shouldn't that be the URL for OWA?
>>>
>>> Playing with this same configuration, if I authenticate to OWA first
>>> via another proxy, then switch to this one, it will keep working until
>>> I restart the browser.
>>>
>>> Is there some other way to accomplish deny CONNECT?
>>
>> Drop the "never_direct" entry. It's cutting the loopback from happening.
>
> No, forget that. Add !CONNECT to it instead.

Perfect. Thank you!
The apparently-working 3.1.0.5 configuration now looks like this:

#OWA config
https_port blah connection-auth=off
cache_peer blah name=owa-server
acl OWA dstdomain owa.domain.com
http_access allow OWA
miss_access allow OWA
cache_peer_access owa-server allow OWA
cache_peer_access owa-server deny all
acl CONNECT method CONNECT
never_direct allow OWA !CONNECT

#RPC over https config
https_port blah
cache_peer blah name=rpc-server
acl RPC dstdomain rpc.domain.com
http_access allow RPC
miss_access allow RPC
cache_peer_access rpc-server allow RPC
never_direct allow RPC

[normal forward proxy config below]
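As an added example that is not part of the thread or of Squid itself: a short Python model of Squid's first-match access-list evaluation, applied to both the earlier configuration that produced "Failed to select source" and the final configuration above. It shows why a CONNECT to owa.domain.com had no usable source when the peer denied CONNECT while never_direct still forbade going direct, and why the final "never_direct allow OWA !CONNECT" leaves DIRECT open for that one request. The ACL names and rule lines come from the thread; the "implicit answer is the opposite of the last line" default is Squid's documented access-list rule; the request shape (method plus destination host), the route() helper and the omission of real peer selection are simplifications I have assumed for the model.

```python
"""Simplified model of Squid access-list evaluation (constructed example).

Modelled semantics (Squid's documented rules, simplified):
  * lines are tested in order; the first line whose ACLs ALL match wins;
  * a leading "!" negates an ACL on that line;
  * if no line matches, the implicit answer is the opposite of the last line.
Only dstdomain, method and "all" ACL types are modelled, and a request is
just a method and a destination host. Which allowed source Squid finally
picks (peer selection) is deliberately not modelled.
"""

ACLS = {
    "OWA": ("dstdomain", "owa.domain.com"),
    "RPC": ("dstdomain", "rpc.domain.com"),
    "CONNECT": ("method", "CONNECT"),
    "all": ("all", None),
}

# The earlier attempt from the thread: peer denies CONNECT, never_direct for all OWA.
BROKEN = {
    "cache_peer_access": {
        "owa-server": [("deny", ["CONNECT"]), ("allow", ["OWA"])],
    },
    "never_direct": [("allow", ["OWA"])],
}

# The final configuration posted above.
WORKING = {
    "cache_peer_access": {
        "owa-server": [("allow", ["OWA"]), ("deny", ["all"])],
        "rpc-server": [("allow", ["RPC"])],
    },
    "never_direct": [("allow", ["OWA", "!CONNECT"]), ("allow", ["RPC"])],
}


def acl_matches(name, request):
    """Evaluate one named ACL against a request dict with 'method' and 'host'."""
    kind, value = ACLS[name]
    if kind == "all":
        return True
    if kind == "method":
        return request["method"].upper() == value
    if kind == "dstdomain":
        host = request["host"].lower()
        if value.startswith("."):            # ".domain.com" also matches subdomains
            return host == value[1:] or host.endswith(value)
        return host == value                 # otherwise an exact host match
    raise ValueError(f"unsupported ACL type {kind}")


def evaluate(rules, request):
    """First-match evaluation of an access list; returns 'allow' or 'deny'."""
    last_action = None
    for action, acls in rules:
        last_action = action
        line_matches = True
        for token in acls:
            negate = token.startswith("!")
            # A plain ACL fails the line if it does not match;
            # a negated ACL fails the line if it does match.
            if acl_matches(token.lstrip("!"), request) == negate:
                line_matches = False
                break
        if line_matches:
            return action
    if last_action is None:
        return "allow"                       # an empty list places no restriction
    return "deny" if last_action == "allow" else "allow"   # implicit opposite


def route(config, request):
    """Peers allowed for the request, whether DIRECT is forbidden, and
    whether any source is left at all (False reproduces the 503 in the log)."""
    peers = [peer for peer, rules in config["cache_peer_access"].items()
             if evaluate(rules, request) == "allow"]
    never_direct = evaluate(config["never_direct"], request) == "allow"
    return {
        "peers": peers,
        "never_direct": never_direct,
        "source_available": bool(peers) or not never_direct,
    }


if __name__ == "__main__":
    # Constructed requests mirroring the access.log lines quoted in the thread.
    requests = [
        {"method": "CONNECT", "host": "owa.domain.com"},
        {"method": "GET", "host": "owa.domain.com"},
        {"method": "GET", "host": "www.squid-cache.org"},
        {"method": "CONNECT", "host": "rpc.domain.com"},
    ]
    for label, config in (("broken", BROKEN), ("working", WORKING)):
        for req in requests:
            print(label, req["method"], req["host"], route(config, req))
```

Running it shows the broken configuration leaving CONNECT owa.domain.com:443 with no peer and DIRECT forbidden, which is the "Failed to select source" state in cache.log, while the final configuration keeps owa-server for plain OWA requests, forbids DIRECT for them, and lets only the CONNECT fall through to the forward-proxy path.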