Thanks for your reply. So is it possible to have Squid send a 302 redirect back to the client, replacing the http with https, instead of the webserver, but only for certain URL/Website? Other sites should remain HTTP. -----Original Message----- From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Sent: Freitag, 13. August 2010 16:01 To: squid-users@xxxxxxxxxxxxxxx Subject: Re: FW: X_FORWARDED_PROTO Support? Visser, Peter (ZGM) wrote: > Hi, > > I am using Squid as a reverse proxy/SSL gateway. Clients can connect with HTTP and HTTPS. All internal connections to the webserver use HTTP. This way the proxy acts as a SSL off loader. > > Now an application I use, Roundcube webmail, which has the option of redirecting to HTTPS when using HTTP. But since all connection to webserver all always HTTP the application gets stuck in a loop. Since it will try to redirect and the proxy will undo the redirect. > As you say it's an option, one you need to turn off in order to meet your desire of all squid->server traffic be HTTP-only. Your Squid has the authoritative info about whether the request was received over HTTP or HTTPS. Let it send the 302/303 redirect as it should be. > I found out that one way to solve this would be to use the x-forwarded-proto field so that the web application can recognize if the client is using SSL or not. > Ah, a custom header. One that makes all sorts of claims about the network security situation. Claims which can't be verified. ie how do you know it was *your* proxy which added it? and which step of a multi-hop path across the Internet was the HTTPS one? Theres a nice thread in the Tomcat developers discussing what to do about multiple copies, miss-spellings, and the several alternative names being used. Seems they even have real-life cases of whole sequential strings of the header being received by web servers. And some nginx admin(s) going around blaming Squid for this mess. > Is there a way to get Squid to send this option (besides x-forwarded-for) to the web server? I search on the web but no luck so far. > Squid handles it like all unknown non-standard headers: Pass straight through. The security implications of allowing this to be trusted are dodgy to say the least. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.6 Beta testers wanted for 3.2.0.1
