Search squid archive

Re: Squid Reverse Proxy issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Eric Van Steenbergen wrote:
Hello,

I've setup successfully a Squid Reverse Proxy using the [B]How To Set
Up A Caching Reverse Proxy With Squid 2.6[/B] although with some
differences. I installed Squid 3 stable 16 on a Debian 5.0 Lenny
server. I also installed it with SSL support, created my own
self-signed wildcard certificate, LDAP authentication against our
domain and everything.

Everything is working fine, http, https, the certificate, ... but...

I have like 6 http intranet sites and 1 https intranet site. I can
successfully connect to the http sites using http://site1.domain.com
but it also accepts https://site1.domain.com. The same, reverse, is
true for the https site. I connect to https://sslsite.domain.com
accept the exception for the certificate and get connected. But also
using http://sslsite.domain.com I get connected to that site.

1. How do I have to change my configuration so that the https site is
only accessible using https connection, dropping all that try to
connect to that site using http?

Yes.  You can deny, or redirect non-secure requests for a specific domain.

2. When I use https://site1.domain.com to connect to a http site,
after authentication it changes the url to http://site1.domain.com.
Does this mean that Squid detects that the destination site is a http
site and changes the URL accordingly?

Not likely. You can perform the SSL termination on the Squid side and have a non-secure channel between Squid and the back end. More likely is the authentication method returns a non-secure URL.

If this is true would my problem be solved by only accepting https connections?

Here's my squid config. I really hope someone can help me out.
[CODE]
cache_mgr root
# Basic parameters
visible_hostname www.domain.com
auth_param basic realm Domain Security Portal

# This line indicates the server we will be proxying for
http_port 80 defaultsite=www.domain.com vhost

# And the IP Address for it - adjust the IP and port if necessary
cache_peer XXX.XXX.XXX.73 parent 80 0 no-query originserver name=site1
acl site_site1 dstdomain site1.domain.com
cache_peer_access site1 allow site_site1

cache_peer XXX.XXX.XXX.27 parent 80 0 no-query originserver name=site2
acl site_site2 dstdomain site2.domain.com
cache_peer_access site allow site_site2

cache_peer XXX.XXX.XXX.21 parent 80 0 no-query originserver name=site3
acl site_site3 dstdomain site3.domain.com
cache_peer_access site3 allow site_site3

cache_peer localhost parent 8080 0 no-query originserver name=acidbase
acl site_acidbase dstdomain acidbase.domain.com
cache_peer_access acidbase allow site_acidbase

https_port XXX.XXX.XXX.78:443 accel cert=/etc/ssl/domaincert.pem
key=/etc/ssl/domainkey.pem cafile=/etc/ssl/CA/cacert.pem
defaultsite=sslsite.domain.com vhost protocol=https
forwarded_for on

## If you want ONLY sslsite.domain.com to be accessed on the secure channel, drop the "vhost" option to https_port. ##

cache_peer XXX.XXX.XXX.84 parent 19080 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER front-end-https=on name=sslsite
acl site_sslsite dstdomain sslsite.domain.com
cache_peer_access sslsite allow site_sslsite
acl https proto https

acl apache rep_header Server ^Apache

# Where the cache files will be, memory and such
cache_dir ufs /var/spool/squid3 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 128 KB

# Log locations and format
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid3/access.log combined

cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
logfile_rotate 10

hosts_file /etc/hosts

# Basic ACLs
# acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443          # https
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT

auth_param basic program /lib/squid3/squid_ldap_auth -R -b
"dc=domain,dc=com" -D "cn=ldapuser,cn=Users,dc=domain,dc=com" -w
"password" -f sAMAccountName=%s -h ldapserver
auth_param basic children 5
acl ldap_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#

# Disallow non-secure connections to sslsite.domain.com
http_access deny site_sslsite !CONNECT !SSL_ports

#Disallow secure connections for any other domain
http_access deny !site_sslsite CONNECT SSL_ports

http_access allow ldap_users
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_access allow all

# Authenticated users are allowed to perform management functions, purge objects from the cache and connect to your Squid server on ports other than 80 and 443. Non authenticated users are not prohibited from accessing your sites (they are just prohibited from performing management functions, purging cache objects and connecting to ports 80 and 443). Anyone can use the CONNECT method on either port 80 or 443, which allows tunneling traffic past your proxy.

http_access allow all
http_reply_access allow all

icp_access allow all

cache_effective_group proxy

coredump_dir /var/spool/squid3

emulate_httpd_log on

redirect_rewrites_host_header off

buffered_logs on

# Do not cache cgi-bin, ? urls, posts, etc.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl POST method POST
no_cache deny QUERY
no_cache deny POST
[/CODE]

Kind regards,

Eric

Chris


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux