
Re: SSL tunnel for soon to go Live site not working


 



On 8/10/2013 3:01 a.m., IggyDolby wrote:
Hi, I'm a Squid newbie and need to configure Squid to proxy HTTP and HTTPS
(Tunnel) requests from external users on Browsers and iPads and resolve to
an IP address where the DNS has not been switched yet.
We can manually change the iPads' proxy configuration to point to this proxy.
The site has a Browser popup authentication on the first redirect from HTTP
to HTTPS.
I never see the browser popup....
I am able to configure Squid properly I believe for HTTP proxy

But when I request an HTTPS page I get this error:

1381116961.902      0 xxx.xxx.xx NONE/400 3841 CONNECT error:method-not-allowed - NONE/- text/html

On an HTTP request I actually get the page:
1381116975.786     60 xxx.xxx.xx TCP_MISS/200 551 GET http://m.xxxxxxx.com/healthcheck/healthcheck.html - FIRST_UP_PARENT/myAccel text/html


This is my squid.conf
<snip>
acl our_sites dstdomain m.xxxxx.com
http_access allow our_sites
cache_peer xx.xx.xx.xx parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128

http_port 80 defaultsite=m.xxxxx.com

The defaultsite= parameter implies "accel" mode (reverse-proxy). CONNECT is an HTTP method reserved for use between a client and a proxy. It is not permitted to be used directly on origin servers or a reverse proxy. Thus the 400.


If I am understanding your requirements description properly what you need can be served by the default Squid configuration with a cache_peer.

So:
* change http_port back to 3128 and remove the defaultsite= option.

* configure your browser and clients to use port 3128 instead of port 80 for the proxy.

Your test should start working with just those changes.


Regarding the never_direct rule and "our_sites" ACL. You may or may not want to use them. This is what they will do for you:

* "never_direct allow all" will force all traffic through this proxy to use the cache_peer.

* the http_access and cache_peer_access use of our_sites restricts acceptable traffic to only the domains listed in our_sites. Any other requests will get rejected with a CANNOT_FORWARD error.


Amos
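The two-step fix Amos gives above, written out as an added example that is not part of the thread or of Squid's own distribution: the original accel-mode listener is placed beside a corrected forward-proxy fragment, and a small POSIX sh/awk lint flags any http_port line that carries an accel-mode option (the condition under which Squid answers CONNECT with 400 method-not-allowed). The hostname m.example.com, the peer address 192.0.2.10 and the port values are placeholders standing in for the masked values in the post; the lint is a text check only and does not replace `squid -k parse`.

```shell
#!/bin/sh
# Added example: squid.conf listener as posted (accel mode) versus the
# forward-proxy form Amos recommends, plus a lint for accel-mode http_port.
# m.example.com and 192.0.2.10 are placeholders for the masked values.

# As posted: defaultsite= switches http_port into accel (reverse-proxy) mode,
# so CONNECT requests from browsers are refused with 400 method-not-allowed.
BROKEN_CONF='acl our_sites dstdomain m.example.com
http_access allow our_sites
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
http_port 80 defaultsite=m.example.com'

# Corrected: a plain forward proxy on 3128 (no defaultsite=), clients point
# at port 3128.  The CONNECT/SSL_ports rule that was commented out in the
# posted file is restored so tunnels are only accepted to port 443.
FIXED_CONF='acl our_sites dstdomain m.example.com
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_sites
http_access allow localnet
http_access allow localhost
http_access deny all
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
http_port 3128'

# lint_http_port CONF_TEXT
#   prints "accel"   if any http_port line carries accel, vhost, vport or
#                    defaultsite= (Squid treats all of these as accel mode)
#   prints "forward" if http_port lines exist without those options
#   prints "none"    if there is no http_port line at all
lint_http_port() {
    printf '%s\n' "$1" | awk '
        $1 == "http_port" {
            seen = 1
            for (i = 2; i <= NF; i++)
                if ($i == "accel" || $i == "vhost" || $i ~ /^vport/ ||
                    $i ~ /^defaultsite=/)
                    found = 1
        }
        END {
            if (!seen)      print "none"
            else if (found) print "accel"
            else            print "forward"
        }'
}

# listen_port CONF_TEXT: the port of the first http_port line (strips any
# leading address, so "10.0.0.1:3128" yields 3128); empty if none.
listen_port() {
    printf '%s\n' "$1" | awk '
        $1 == "http_port" { p = $2; sub(/.*:/, "", p); print p; exit }'
}

# Usage: report the listener mode and port of both fragments.
for name in BROKEN_CONF FIXED_CONF; do
    eval "conf=\$$name"
    echo "$name: mode=$(lint_http_port "$conf") port=$(listen_port "$conf")"
done
```

Running the block prints `BROKEN_CONF: mode=accel port=80` and `FIXED_CONF: mode=forward port=3128`; the lint is cheap enough to run from a pre-reload hook alongside `squid -k parse` so that an accidental accel option on a forward-proxy listener is caught before clients start seeing 400s on HTTPS.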



