Re: Dealing with HTTP redirects from server on HTTPs proxy

On 11/01/11 20:03, r.cazenave@xxxxxxx wrote:

----- "Amos Jeffries"<squid3@xxxxxxxxxxxxx> wrote:

On 11/01/11 02:59, r.cazenave@xxxxxxx wrote:

----- "Amos Jeffries"<squid3@xxxxxxxxxxxxx>   wrote:

On 04/01/11 08:03, r.cazenave@xxxxxxx wrote:
Dear all,

I am facing an issue with Squid configuration for which hopefully you will be able to help.

The web server is using http only and is sending redirection (HTTP messages 302) towards its full URL, as in http://172.16.28.43:3080/site/redirect_login.do.

Squid proxy (v3) is configured as reverse proxy to handle only HTTPS requests from clients (actually any other ports than 443 are blocked by the in-between firewall).

The proxy is working as expected and is correctly handling client requests and is replacing in server redirects the IP address:port by its own address and thus the client receives the following: 302:http://mydomain.com/site/redirect_login.do.

?? Squid v3 is not yet capable of re-writing server redirect responses as you have described. The location_rewrite feature is needing a port from 2.x to 3.x. Do you have a patch to submit to squid-dev mailing list?

My mistake, it is actually done by the Web server directly, not by Squid.


The remaining issue for which I am seeking help is protocol, I would like that http:// is translated to https:// by squid proxy. Without this, the client is then trying to connect to port 80 using http which is discarded by the firewall. I have tried redirector programs but it is not working (I suppose it translates only requests from client).

It sounds like a working redirector for you would be writing https:// in the URL instead of http://. This is easily fixed by altering whatever redirector you are using for Location: header re-write.

Can this be done in squid ? (I cannot modify web server)

The best way to do redirects in reverse-proxy is with deny_info before the request ever gets to the server. Define a deny_info with https:// protocol URL and the client will get that.

What I suggest is this at the top of your squid.conf:

     acl HTTP proto HTTP
     deny_info https://mydomain.com/site/redirect_login.do HTTP
     http_access deny HTTP


Amos

Thank you Amos for your proposal. It is not completely solving the issue as it means I have to open the http port which was rejected before.

So where are the HTTP inbound requests coming from if not from the HTTP port?

NP: "proto" ACL tests the http:// part of URL texts. The request can actually arrive in any port.

The problem is that when sending a GET on, for instance, https://mydomain.com/site/redirect_login.do, the server replies with a 302:http://mydomain.com/site/redirect_files.do

It is this reply from the server that I would like to modify so that client never tries to connect to http://...


Ah, I got you all backwards.

What you need is the location_rewrite feature. Which is only in 2.7 so far.

The deny_info way might work when applied to http_reply_access. I've not tried it though to see.

In Squid-3 this would be done with an ICAP service or eCAP plugin which alters the Location: header as it passes through.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
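
The Location: rewrite discussed in this thread, as an added example that is not part of the original messages or of Squid itself: a line-oriented helper that upgrades http:// to https:// only for redirects pointing at the proxy's own public name. The names `PUBLIC_HOSTS`, `upgrade_location` and `handle_line` are hypothetical, and the helper line format (Location URL as the first whitespace-separated field, reply is the rewritten URL or a blank line) is an assumption about how a Squid 2.7 `location_rewrite_program` helper is fed.

```python
import sys
from urllib.parse import urlsplit, urlunsplit

# Assumption: the reverse proxy's public name, taken from the thread's example URLs.
PUBLIC_HOSTS = frozenset({"mydomain.com"})


def upgrade_location(location, public_hosts=PUBLIC_HOSTS):
    """Change http:// to https:// in a Location value, but only when it points
    at the proxy's own public host on the default port; otherwise return it as is."""
    location = location.strip()
    try:
        parts = urlsplit(location)
        port = parts.port                      # raises ValueError on a bad port
    except ValueError:
        return location
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "http":         # relative, already https, other scheme
        return location
    if host not in public_hosts:               # redirect to another site: leave alone
        return location
    if port not in (None, 80) or "@" in parts.netloc:
        return location                        # unusual authority: do not guess
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


def handle_line(line):
    """Map one helper request line to one reply line ('' means no change).
    Assumed format: the Location URL is the first whitespace-separated field."""
    fields = line.split()
    if not fields:
        return ""
    rewritten = upgrade_location(fields[0])
    return rewritten if rewritten != fields[0] else ""


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()                     # helpers must answer line by line


if __name__ == "__main__":
    main()
```

The same `upgrade_location` logic is what an ICAP service or eCAP plugin would apply to the Location: header on Squid-3; restricting it to the proxy's own host keeps redirects to other sites untouched.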

