Search squid archive

Re: Squid 3.2, reverse proxy, deny_info http/https redirect problems.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I tried that, and it didn't work, in fact, it crippled my home LAN's
WWW access entirely. I'm just going to revert back to 3.1, and deal
with not having the URL manipulation.

"I'm not responcabel fer my comuter's spleling errnors" - Xlorep DarkHelm
Website: http://darkhelm.org


On Thu, Mar 22, 2012 at 7:59 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
> On 23/03/2012 4:30 a.m., Cliff Hill wrote:
>>
>> Yes, my config used to have the "vhost" defined in it, however with
>> 3.2, I found out it wasn't needed any more, so I cleared it up, in an
>> effort to figure out what is going on.
>
>
> Okay that makes sense.
>
>
>>
>> I guess I need to show the whole config. I'll also note I am using it
>> as a reverse proxy, as well as a transparent proxy for my local
>> network's access to the internet, with caching. I have it using
>> squidGuard for some things, and I used to tie in squidclamav as an
>> icap service, however it caused a massive performance hit on page
>> loading times, so I disabled it, but still have some configuration
>> directives in place that are for icap.
>
>
> Is it the reverse-proxy or intercepted traffic which is hanging on https:// ?
>
> I can't see anything obvious in the config which would cause that.
>
> It might be related to what squidguard is doing, or to SSL negotiation issues, or even packet delivery issues.
>
>
>>
>> I will gladly admit that I'm not extremely proficient in how the
>> config file should work, I'm mostly just scouring through the
>> squid-cache wiki, and anything I can Google to figure out what I need.
>> However, there is very little I'm finding with regards to my current
>> problem.
>>
>> Here's my config file in its entirety:
>> ---------------------------------------------------------------------------------------------------------------
>>
>> #       SQUID 3.2.0.16
>> #       --------------
>>
>> http_port 80 accel defaultsite=darkhelm.org
>>
>> https_port 443 cert=/home/darkhelm/keys/CertAuth/maincert.cert
>> key=/home/darkhelm/keys/CertAuth/mainkey.pem accel
>> defaultsite=darkhelm.org
>>
>> redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>>
>> # Security ACL, force username/password login. See music below.
>> auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>> acl ncsa_users proxy_auth REQUIRED
>
>
> Small trick specific to 3.2 which you can add right after the auth:
>
>  acl HTTPS proto HTTPS
>  acl requireHTTPS dstdomain .darkhelm.org
>  http_access deny !HTTPS requireHTTPS
>  deny_info 307:https://%H%R requireHTTPS
>
> That takes care of all the http->https redirection in one quick check regardless of what URL was requested.
>
> You can then drop the regex and simplify down to the more normal dstdomain ACLs in your reverse-proxy config.
>
>
> Amos
>
>



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux