----- "Amos Jeffries" <squid3@xxxxxxxxxxxxx> wrote:

> On 11/01/11 02:59, r.cazenave@xxxxxxx wrote:
> >
> > ----- "Amos Jeffries"<squid3@xxxxxxxxxxxxx> wrote:
> >
> >> On 04/01/11 08:03, r.cazenave@xxxxxxx wrote:
> >>> Dear all,
> >>>
> >>> I am facing an issue with Squid configuration for which hopefully you
> >>> will be able to help.
> >>>
> >>> The web server is using http only and is sending redirection (HTTP
> >>> messages 302) towards its full URL, as in
> >>> http://172.16.28.43:3080/site/redirect_login.do.
> >>>
> >>> Squid proxy (v3) is configured as reverse proxy to handle only HTTPS
> >>> request from clients (actually any other ports than 443 are blocked
> >>> by in-between firewall).
> >>>
> >>> The proxy is working as expected and is correctly handling clients
> >>> requests and is replacing in server redirects the IP address:port by
> >>> its own address and thus client receives the following:
> >>> 302:http://mydomain.com/site/redirect_login.do.
> >>
> >> ?? Squid v3 is not yet capable of re-writing server redirect responses
> >> as you have described. The location_rewrite feature is needing a port
> >> from 2.x to 3.x. Do you have a patch to submit to squid-dev mailing
> >> list?
> >>
> > My mistake, it is actually done by the Web server directly, not by Squid.
> >
> >>>
> >>> The remaining issue for which I am seeking help is protocol, I would
> >>> like that http:// is translated to https:// by squid proxy. Without
> >>> this, the client is then trying to connect to port 80 using http
> >>> which is discarded by the firewall. I have tried redirector programs
> >>> but it is not working (I suppose it translates only requests from
> >>> client).
> >>
> >> It sounds like a working redirector for you would be writing https:// in
> >> the URL instead of http://. This is easily fixed by altering whatever
> >> redirector you are using for Location: header re-write.
> >>
> > Can this be done in squid? (I cannot modify web server)
> >>
> >> The best way to do redirects in reverse-proxy is with deny_info before
> >> the request ever gets to the server. Define a deny_info with https://
> >> protocol URL and the client will get that.
> >>
> >> What I suggest is this at the top of your squid.conf:
> >>
> >>   acl HTTP proto HTTP
> >>   deny_info https://mydomain.com/site/redirect_login.do HTTP
> >>   http_access deny HTTP
> >>
> >>
> >> Amos
> >
> > Thank you Amos for your proposal. It is not completely solving the issue as it
> > means I have to open the http port which was rejected before.
>
> So where are the HTTP inbound requests coming from if not from the HTTP port?
>
> NP: "proto" ACL tests the http:// part of URL texts. The request can
> actually arrive in any port.
>

The problem is that when sending a GET on for instance https://mydomain.com/site/redirect_login.do, the server replies with a 302:http://mydomain.com/site/redirect_files.do
It is this reply from the server that I would like to modify so that client never tries to connect to http://...

> > The remaining problem is also that I have redirects on all my web server pages
> > so my next question: is it possible to redirect to a specific page depending on
> > the page requested by client? Meaning that if client requests
> > http://mydomain.com/site/menu.do, it is redirected to
> > https://mydomain.com/site/menu.do ?
> > I tried deny_info https://mydomain.com/site/%R HTTP but %R is not resolved, and
> > client tries to connect to https://mydomain.com/site/%R
>
> Yes ... but. To do the macro-based URLs requires squid-3.2 beta software.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.10
> Beta testers wanted for 3.2.0.4

Alright then I will have to wait for 3.2 stable release.

Remi
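
The Location rewrite asked for in this thread (server 302 replies pointing at http:// turned into https:// on the public name), as an added example that is not part of the original messages and is not Squid code. The function name rewrite_location and the host set are assumptions built from the addresses quoted above; it shows only the transformation and is not wired into any Squid interface.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed values, taken from the addresses quoted in the thread.
PUBLIC_HOST = "mydomain.com"
SITE_HOSTS = {"mydomain.com", "172.16.28.43"}  # public name and backend address


def rewrite_location(location, public_host=PUBLIC_HOST, site_hosts=SITE_HOSTS):
    """Return the Location value a client behind the HTTPS-only proxy should get.

    Hypothetical helper: only absolute http:// URLs that point at the site
    itself are changed. Relative references, https:// URLs and redirects to
    other hosts pass through untouched, so the rewrite cannot be used to
    bounce a client to an arbitrary host.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location  # relative reference, or already https
    host = (parts.hostname or "").lower()
    if host not in site_hosts:
        return location  # third-party redirect: leave as the server sent it
    # Drop any backend port (e.g. :3080); clients can only reach port 443.
    return urlunsplit(("https", public_host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample Location values modelled on the ones in the thread.
    samples = [
        "http://mydomain.com/site/redirect_files.do",
        "http://172.16.28.43:3080/site/redirect_login.do",
        "/site/menu.do",
        "http://example.org/elsewhere",
    ]
    for value in samples:
        print(f"{value} -> {rewrite_location(value)}")
```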