Eric Van Steenbergen wrote:
Hello,
I've setup successfully a Squid Reverse Proxy using the [B]How To Set
Up A Caching Reverse Proxy With Squid 2.6[/B] although with some
differences. I installed Squid 3 stable 16 on a Debian 5.0 Lenny
server. I also installed it with SSL support, created my own
self-signed wildcard certificate, LDAP authentication against our
domain and everything.
Everything is working fine, http, https, the certificate, ... but...
I have like 6 http intranet sites and 1 https intranet site. I can
successfully connect to the http sites using http://site1.domain.com
but it also accepts https://site1.domain.com. The same, reverse, is
true for the https site. I connect to https://sslsite.domain.com
accept the exception for the certificate and get connected. But also
using http://sslsite.domain.com I get connected to that site.
1. How do I have to change my configuration so that the https site is
only accessible using https connection, dropping all that try to
connect to that site using http?
Yes. You can deny, or redirect non-secure requests for a specific domain.
2. When I use https://site1.domain.com to connect to a http site,
after authentication it changes the url to http://site1.domain.com.
Does this mean that Squid detects that the destination site is a http
site and changes the URL accordingly?
Not likely. You can perform the SSL termination on the Squid side and
have a non-secure channel between Squid and the back end. More likely
is the authentication method returns a non-secure URL.
If this is true would my problem be solved by only accepting https connections?
Here's my squid config. I really hope someone can help me out.
[CODE]
cache_mgr root
# Basic parameters
visible_hostname www.domain.com
auth_param basic realm Domain Security Portal
# This line indicates the server we will be proxying for
http_port 80 defaultsite=www.domain.com vhost
# And the IP Address for it - adjust the IP and port if necessary
cache_peer XXX.XXX.XXX.73 parent 80 0 no-query originserver name=site1
acl site_site1 dstdomain site1.domain.com
cache_peer_access site1 allow site_site1
cache_peer XXX.XXX.XXX.27 parent 80 0 no-query originserver name=site2
acl site_site2 dstdomain site2.domain.com
cache_peer_access site allow site_site2
cache_peer XXX.XXX.XXX.21 parent 80 0 no-query originserver name=site3
acl site_site3 dstdomain site3.domain.com
cache_peer_access site3 allow site_site3
cache_peer localhost parent 8080 0 no-query originserver name=acidbase
acl site_acidbase dstdomain acidbase.domain.com
cache_peer_access acidbase allow site_acidbase
https_port XXX.XXX.XXX.78:443 accel cert=/etc/ssl/domaincert.pem
key=/etc/ssl/domainkey.pem cafile=/etc/ssl/CA/cacert.pem
defaultsite=sslsite.domain.com vhost protocol=https
forwarded_for on
## If you want ONLY sslsite.domain.com to be accessed on the secure
channel, drop the "vhost" option to https_port. ##
cache_peer XXX.XXX.XXX.84 parent 19080 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER front-end-https=on name=sslsite
acl site_sslsite dstdomain sslsite.domain.com
cache_peer_access sslsite allow site_sslsite
acl https proto https
acl apache rep_header Server ^Apache
# Where the cache files will be, memory and such
cache_dir ufs /var/spool/squid3 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 128 KB
# Log locations and format
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid3/access.log combined
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
logfile_rotate 10
hosts_file /etc/hosts
# Basic ACLs
# acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
auth_param basic program /lib/squid3/squid_ldap_auth -R -b
"dc=domain,dc=com" -D "cn=ldapuser,cn=Users,dc=domain,dc=com" -w
"password" -f sAMAccountName=%s -h ldapserver
auth_param basic children 5
acl ldap_users proxy_auth REQUIRED
#
# Add this at the top of the http_access section of squid.conf
#
# Disallow non-secure connections to sslsite.domain.com
http_access deny site_sslsite !CONNECT !SSL_ports
#Disallow secure connections for any other domain
http_access deny !site_sslsite CONNECT SSL_ports
http_access allow ldap_users
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_access allow all
# Authenticated users are allowed to perform management functions, purge
objects from the cache and connect to your Squid server on ports other
than 80 and 443. Non authenticated users are not prohibited from
accessing your sites (they are just prohibited from performing
management functions, purging cache objects and connecting to ports 80
and 443). Anyone can use the CONNECT method on either port 80 or 443,
which allows tunneling traffic past your proxy.
http_access allow all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid3
emulate_httpd_log on
redirect_rewrites_host_header off
buffered_logs on
# Do not cache cgi-bin, ? urls, posts, etc.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl POST method POST
no_cache deny QUERY
no_cache deny POST
[/CODE]
Kind regards,
Eric
Chris
