Eric Van Steenbergen wrote:
Hello, I've setup successfully a Squid Reverse Proxy using the [B]How To Set Up A Caching Reverse Proxy With Squid 2.6[/B] although with some differences. I installed Squid 3 stable 16 on a Debian 5.0 Lenny server. I also installed it with SSL support, created my own self-signed wildcard certificate, LDAP authentication against our domain and everything. Everything is working fine, http, https, the certificate, ... but... I have like 6 http intranet sites and 1 https intranet site. I can successfully connect to the http sites using http://site1.domain.com but it also accepts https://site1.domain.com. The same, reverse, is true for the https site. I connect to https://sslsite.domain.com accept the exception for the certificate and get connected. But also using http://sslsite.domain.com I get connected to that site. 1. How do I have to change my configuration so that the https site is only accessible using https connection, dropping all that try to connect to that site using http?
Yes. You can deny, or redirect non-secure requests for a specific domain.
2. When I use https://site1.domain.com to connect to a http site, after authentication it changes the url to http://site1.domain.com. Does this mean that Squid detects that the destination site is a http site and changes the URL accordingly?
Not likely. You can perform the SSL termination on the Squid side and have a non-secure channel between Squid and the back end. More likely is the authentication method returns a non-secure URL.
If this is true would my problem be solved by only accepting https connections? Here's my squid config. I really hope someone can help me out. [CODE] cache_mgr root # Basic parameters visible_hostname www.domain.com auth_param basic realm Domain Security Portal # This line indicates the server we will be proxying for http_port 80 defaultsite=www.domain.com vhost # And the IP Address for it - adjust the IP and port if necessary cache_peer XXX.XXX.XXX.73 parent 80 0 no-query originserver name=site1 acl site_site1 dstdomain site1.domain.com cache_peer_access site1 allow site_site1 cache_peer XXX.XXX.XXX.27 parent 80 0 no-query originserver name=site2 acl site_site2 dstdomain site2.domain.com cache_peer_access site allow site_site2 cache_peer XXX.XXX.XXX.21 parent 80 0 no-query originserver name=site3 acl site_site3 dstdomain site3.domain.com cache_peer_access site3 allow site_site3 cache_peer localhost parent 8080 0 no-query originserver name=acidbase acl site_acidbase dstdomain acidbase.domain.com cache_peer_access acidbase allow site_acidbase https_port XXX.XXX.XXX.78:443 accel cert=/etc/ssl/domaincert.pem key=/etc/ssl/domainkey.pem cafile=/etc/ssl/CA/cacert.pem defaultsite=sslsite.domain.com vhost protocol=https forwarded_for on
## If you want ONLY sslsite.domain.com to be accessed on the secure channel, drop the "vhost" option to https_port. ##
cache_peer XXX.XXX.XXX.84 parent 19080 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=sslsite acl site_sslsite dstdomain sslsite.domain.com cache_peer_access sslsite allow site_sslsite acl https proto https acl apache rep_header Server ^Apache # Where the cache files will be, memory and such cache_dir ufs /var/spool/squid3 10000 16 256 cache_mem 256 MB maximum_object_size_in_memory 128 KB # Log locations and format #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh access_log /var/log/squid3/access.log combined cache_log /var/log/squid3/cache.log cache_store_log /var/log/squid3/store.log logfile_rotate 10 hosts_file /etc/hosts # Basic ACLs # acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 # https acl Safe_ports port 80 acl Safe_ports port 443 acl purge method PURGE acl CONNECT method CONNECT auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=ldapuser,cn=Users,dc=domain,dc=com" -w "password" -f sAMAccountName=%s -h ldapserver auth_param basic children 5 acl ldap_users proxy_auth REQUIRED # # Add this at the top of the http_access section of squid.conf #
# Disallow non-secure connections to sslsite.domain.com http_access deny site_sslsite !CONNECT !SSL_ports #Disallow secure connections for any other domain http_access deny !site_sslsite CONNECT SSL_ports
http_access allow ldap_users http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access allow localhost http_access allow all
# Authenticated users are allowed to perform management functions, purge objects from the cache and connect to your Squid server on ports other than 80 and 443. Non authenticated users are not prohibited from accessing your sites (they are just prohibited from performing management functions, purging cache objects and connecting to ports 80 and 443). Anyone can use the CONNECT method on either port 80 or 443, which allows tunneling traffic past your proxy.
http_access allow all http_reply_access allow all icp_access allow all cache_effective_group proxy coredump_dir /var/spool/squid3 emulate_httpd_log on redirect_rewrites_host_header off buffered_logs on # Do not cache cgi-bin, ? urls, posts, etc. hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? acl POST method POST no_cache deny QUERY no_cache deny POST [/CODE] Kind regards, Eric
Chris