On 11/01/11 02:59, r.cazenave@xxxxxxx wrote:
----- "Amos Jeffries"<squid3@xxxxxxxxxxxxx> wrote:
On 04/01/11 08:03, r.cazenave@xxxxxxx wrote:
Dear all,
I am facing an issue with Squid configuration for which hopefully
you
will be able to help.
The web server is using http only and is sending redirection (HTTP
messages 302) towards its full URL, as in
http://172.16.28.43:3080/site/redirect_login.do.
Squid proxy (v3) is configured as reverse proxy to handle only
HTTPS
request from clients (actually any other ports than 443 are blocked
by in-between firewall).
The proxy is working as expected and is correctly handling clients
requests and is replacing in server redirects the IP address:port
by
its own address and thus client receives the following:
302:http://mydomain.com/site/redirect_login.do.
?? Squid v3 is not yet capable of re-writing server redirect responses
as you have described. The location_rewrite feature is needing a port
from 2.x to 3.x. Do you have a patch to submit to squid-dev mailing
list?
My mistake, it is actually done by the Web server directly, not by Squid.
The remaining issue for which I am seeking help is protocol, I
would
like that http:// is translated to https:// by squid proxy. Without
this, the client is then trying to connect to port 80 using http
which is discarded by the firewall. I have tried redirector
programs
but it is not working (I suppose it translates only requests from
client).
It sounds like a working redirector for you would be writing https://
in
the URL instead of http://. This is easily fixed by altering whatever
redirector you are using for Location: header re-write.
Can this be done in squid ? (I cannot modify web server)
The best way to do redirects in reverse-proxy is with deny_info before
the request ever gets to the server. Define a deny_info with https://
protocol URL and the client will get that.
What I suggest is this at the top of your squid.conf:
acl HTTP proto HTTP
deny_info https://mydomain.com/site/redirect_login.do HTTP
http_access deny HTTP
Amos
Thank you Amos for your proposal. It is not completely solving the issue as it
means I have to open the http port which was rejected before.
So where is the HTTP inbound requests coming from if not from the HTTP port?
NP: "proto" ACL tests the http:// part of URL texts. The request can
actually arrive in any port.
The remaining problem is also that I have redirects on all my web server pages
so my next question: is it possible to redirect to a specific page depending on
the page requested by client ? Meaning that if client requests
http://mydomain.com/site/menu.do, it is redirected to
https://mydomain.com/site/menu.do ?
I tried deny_info https://mydomain.com/site/%R HTTP but %R is not resolved, and
client tries to connect to https://mydomain.com/site/%R
Yes ... but. To do the macro-based URLs requires squid-3.2 beta software.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.10
Beta testers wanted for 3.2.0.4
