
Re: Squid 3.2, reverse proxy, deny_info http/https redirect problems.


 



On 23/03/2012 4:30 a.m., Cliff Hill wrote:
> Yes, my config used to have the "vhost" defined in it, however with
> 3.2, I found out it wasn't needed any more, so I cleared it up, in an
> effort to figure out what is going on.

Okay that makes sense.


> I guess I need to show the whole config. I'll also note I am using it
> as a reverse proxy, as well as a transparent proxy for my local
> network's access to the internet, with caching. I have it using
> squidGuard for some things, and I used to tie in squidclamav as an
> icap service, however it caused a massive performance hit on page
> loading times, so I disabled it, but still have some configuration
> directives in place that are for icap.

Is it the reverse-proxy or intercepted traffic which is hanging on https:// ?

I can't see anything obvious in the config which would cause that.

It might be related to what squidguard is doing, or to SSL negotiation issues, or even packet delivery issues.


> I will gladly admit that I'm not extremely proficient in how the
> config file should work, I'm mostly just scouring through the
> squid-cache wiki, and anything I can Google to figure out what I need.
> However, there is very little I'm finding with regards to my current
> problem.
>
> Here's my config file in its entirety:
> ---------------------------------------------------------------------------------------------------------------

> #       SQUID 3.2.0.16
> #       --------------
>
> http_port 80 accel defaultsite=darkhelm.org
>
> https_port 443 cert=/home/darkhelm/keys/CertAuth/maincert.cert key=/home/darkhelm/keys/CertAuth/mainkey.pem accel defaultsite=darkhelm.org
>
> redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>
> # Security ACL, force username/password login. See music below.
> auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl ncsa_users proxy_auth REQUIRED

Small trick specific to 3.2 which you can add right after the auth:

  acl HTTPS proto HTTPS
  acl requireHTTPS dstdomain .darkhelm.org
  http_access deny !HTTPS requireHTTPS
  deny_info 307:https://%H%R requireHTTPS

That takes care of all the http->https redirection in one quick check regardless of what URL was requested.

You can then drop the regex and simplify down to the more normal dstdomain ACLs in your reverse-proxy config.


Amos
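
The redirect rule from the reply above, modelled as an added example (not part of the original message and not Squid code) so the answers a proxy actually returns can be checked against what the rule should produce. Assumptions: `%H` expands to the request host and `%R` to the URL path including any query string; the function names are hypothetical.

```python
from urllib.parse import urlsplit

REQUIRE_HTTPS = ".darkhelm.org"   # dstdomain value from the reply
TEMPLATE = "307:https://%H%R"     # deny_info value from the reply


def dstdomain_match(host, pattern):
    """dstdomain: a leading dot matches the domain itself and its subdomains."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def expand(template, host, path):
    """Split 'status:url' and substitute %H and %R in a single pass."""
    status, url = template.split(":", 1)
    tags = {"H": host, "R": path, "%": "%"}
    out, i = [], 0
    while i < len(url):
        if url[i] == "%" and i + 1 < len(url):
            # Unknown tags are kept literally (assumption of this model).
            out.append(tags.get(url[i + 1], url[i:i + 2]))
            i += 2
        else:
            out.append(url[i])
            i += 1
    return int(status), "".join(out)


def expected_response(url):
    """Return (status, location) the rule should produce, or None if allowed."""
    u = urlsplit(url)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query   # assumption: %R carries the query string
    # "http_access deny !HTTPS requireHTTPS": both ACLs must match (AND).
    if u.scheme != "https" and dstdomain_match(u.hostname or "", REQUIRE_HTTPS):
        return expand(TEMPLATE, u.hostname, path)
    return None


def check(url, status, location):
    """Compare an observed proxy answer with what the rule predicts."""
    return expected_response(url) == (status, location)
```
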



