----- "Amos Jeffries" <squid3@xxxxxxxxxxxxx> wrote:
> On 04/01/11 08:03, r.cazenave@xxxxxxx wrote:
> > Dear all,
> >
> > I am facing an issue with Squid configuration for which hopefully you
> > will be able to help.
> >
> > The web server is using http only and is sending redirection (HTTP
> > messages 302) towards its full URL, as in
> > http://172.16.28.43:3080/site/redirect_login.do.
> >
> > Squid proxy (v3) is configured as reverse proxy to handle only HTTPS
> > request from clients (actually any other ports than 443 are blocked
> > by in-between firewall).
> >
> > The proxy is working as expected and is correctly handling clients
> > requests and is replacing in server redirects the IP address:port by
> > its own address and thus client receives the following:
> > 302:http://mydomain.com/site/redirect_login.do.
>
> ?? Squid v3 is not yet capable of re-writing server redirect responses
> as you have described. The location_rewrite feature is needing a port
> from 2.x to 3.x. Do you have a patch to submit to squid-dev mailing list?

My mistake, it is actually done by the Web server directly, not by Squid.

> > The remaining issue for which I am seeking help is protocol, I would
> > like that http:// is translated to https:// by squid proxy. Without
> > this, the client is then trying to connect to port 80 using http
> > which is discarded by the firewall. I have tried redirector programs
> > but it is not working (I suppose it translates only requests from
> > client).
>
> It sounds like a working redirector for you would be writing https:// in
> the URL instead of http://. This is easily fixed by altering whatever
> redirector you are using for Location: header re-write.

Can this be done in squid? (I cannot modify web server)

> The best way to do redirects in reverse-proxy is with deny_info before
> the request ever gets to the server. Define a deny_info with https://
> protocol URL and the client will get that.
>
> What I suggest is this at the top of your squid.conf:
>
>   acl HTTP proto HTTP
>   deny_info https://mydomain.com/site/redirect_login.do HTTP
>   http_access deny HTTP
>
> Amos

Thank you Amos for your proposal. It is not completely solving the issue as it means I have to open the http port which was rejected before.

The remaining problem is also that I have redirects on all my web server pages so my next question: is it possible to redirect to a specific page depending on the page requested by client? Meaning that if client requests http://mydomain.com/site/menu.do, it is redirected to https://mydomain.com/site/menu.do?

I tried

  deny_info https://mydomain.com/site/%R HTTP

but %R is not resolved, and client tries to connect to https://mydomain.com/site/%R
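
The two URL mappings discussed in this thread, written out as an added Python example (not part of the original messages and not Squid code): the Location header rewrite for the backend's 302, and the per-page http to https upgrade asked about at the end. The function names and the BACKEND_HOSTS set are assumptions for illustration; the host names are the ones quoted in the thread.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed values, taken from the thread: the public name clients use and the
# authorities the web server may put in its redirects.
PUBLIC_HOST = "mydomain.com"
BACKEND_HOSTS = {"172.16.28.43:3080", "mydomain.com", "mydomain.com:80"}


def https_location(location):
    """Return the Location value a TLS-terminating proxy should hand the client.

    Absolute http:// URLs that name the site itself are moved to https:// on
    the public host. Everything else is returned unchanged, so the rewrite
    never turns a redirect to some other host into an https one for this site.
    """
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        # Relative redirect: the client resolves it against the https page.
        return location
    if parts.scheme.lower() != "http":
        return location
    if parts.netloc.lower() not in BACKEND_HOSTS:
        return location
    return urlunsplit(("https", PUBLIC_HOST, parts.path or "/",
                       parts.query, parts.fragment))


def upgrade_request(url):
    """Map a plain-http request URL to its https twin, keeping path and query.

    Returns None when the request is not for the public host, so the caller
    can refuse it instead of redirecting to a host taken from the request.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "http" or host != PUBLIC_HOST:
        return None
    return urlunsplit(("https", PUBLIC_HOST, parts.path or "/",
                       parts.query, ""))
```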