Search squid archive

Re: Squid 3.2, reverse proxy, deny_info http/https redirect problems.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes, my config used to have the "vhost" defined in it, however with
3.2, I found out it wasn't needed any more, so I cleared it up, in an
effort to figure out what is going on.


I guess I need to show the whole config. I'll also note I am using it
as a reverse proxy, as well as a transparent proxy for my local
network's access to the internet, with caching. I have it using
squidGuard for some things, and I used to tie in squidclamav as an
icap service, however it caused a massive performance hit on page
loading times, so I disabled it, but still have some configuration
directives in place that are for icap.

I will gladly admit that I'm not extremely proficient in how the
config file should work, I'm mostly just scouring through the
squid-cache wiki, and anything I can Google to figure out what I need.
However, there is very little I'm finding with regards to my current
problem.

Here's my config file in its entirety:
---------------------------------------------------------------------------------------------------------------

#       SQUID 3.2.0.16
#       --------------

http_port 80 accel defaultsite=darkhelm.org

https_port 443 cert=/home/darkhelm/keys/CertAuth/maincert.cert
key=/home/darkhelm/keys/CertAuth/mainkey.pem accel
defaultsite=darkhelm.org

redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

# Security ACL, force username/password login. See music below.
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED

cache_peer 10.18.75.1 parent 80 0 no-query originserver login=PASS name=xlorep
acl sites_xlorep url_regex ^https://xlorep\.darkhelm\.org
cache_peer_access xlorep allow sites_xlorep
http_access allow sites_xlorep
acl http_xlorep url_regex ^http://xlorep\.darkhelm\.org
http_access deny http_xlorep
deny_info https://xlorep.darkhelm.org http_xlorep

#8022 8081
cache_peer 127.0.0.1 parent 8022 0 no-query originserver login=PASS name=shell
acl sites_shell url_regex ^https://shell\.darkhelm\.org
cache_peer_access shell allow sites_shell
http_access allow sites_shell
acl http_shell url_regex ^http://shell\.darkhelm\.org
http_access deny http_shell
deny_info https://shell.darkhelm.org http_shell

cache_peer 10.18.75.4 parent 8000 0 no-query originserver login=PASS name=music
acl sites_music url_regex ^https://music\.darkhelm\.org
cache_peer_access music allow sites_music ncsa_users
http_access allow sites_music ncsa_users
acl http_music url_regex ^http://music\.darkhelm\.org
http_access deny http_music
deny_info https://music.darkhelm.org http_music

cache_peer 10.18.75.4 parent 8080 0 no-query originserver login=PASS name=mplay
acl sites_mplay url_regex ^https://mplay\.darkhelm\.org
cache_peer_access mplay allow sites_mplay ncsa_users
http_access allow sites_mplay ncsa_users
acl http_mplay url_regex ^http://mplay\.darkhelm\.org
http_access deny http_mplay
deny_info https://mplay.darkhelm.org/ http_mplay

cache_peer 10.18.75.4 parent 4711 0 no-query originserver login=PASS name=amw
acl sites_amw url_regex ^https://amw\.darkhelm\.org
cache_peer_access amw allow sites_amw
http_access allow sites_amw
acl http_amw url_regex ^http://amw\.darkhelm\.org
http_access deny http_amw
deny_info https://amw.darkhelm.org http_amw

cache_peer 10.18.75.4 parent 9091 0 no-query originserver login=PASS name=bt
acl sites_bt url_regex ^https://bt\.darkhelm\.org
cache_peer_access bt allow sites_bt
http_access allow sites_bt
acl http_bt url_regex ^http://bt\.darkhelm\.org
http_access deny http_bt
deny_info https://bt.darkhelm.org http_bt

# Recommended minimum configuration:
#
#acl manager proto cache_object
#acl localhost src 127.0.0.0/8 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1


# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.18.75.0/24 10.2.18.0/24
#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly
plugged) machines


acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 intercept

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

cache_mem 64 MB
cache_replacement_policy heap LRU

# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /var/spool/squid3 4096 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_effective_group proxy
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode off
icap_service service_req reqmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all

---------------------------------------------------------------------------------------------------------------

"I'm not responcabel fer my comuter's spleling errnors" - Xlorep DarkHelm
Website: http://darkhelm.org



On Wed, Mar 21, 2012 at 5:10 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 22.03.2012 12:20, Cliff Hill wrote:
>
> NOTE: both of these regex should never have matched in 3.1. defaultsite
> explicitly forces the URI to be "http://darkhelm.org/..."; unless you the
> vhost option is enabled. It is disabled by default on 3.1 and older.
>  3.2 uses HTTP/1.1 where vhost is enabled by default. So the regex ACL might
> start operating now as you seem to have intended them to.
>
>
>
>> However whenever I try to go there with a web browser, it just hangs,
>> and never actually gets redirected.
>>
>> Right now, I just want it to simply redirect http:// to https:// for
>> my cache_peers. Can anyone help me?
>
>
> With the above config...
>
> . The client sends traffic to Squid via port 80. Meaning client<->squid
> traffic is plain HTTP.
>
> .. Your access control and deny_info bounces the client to an "https://";
> URI.
>
> ... The client should then dutifully connect to port 443 (HTTPS).
>
> What happens then? your displayed config does not show.
>
>
> Amos



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux