Re: Struggling to get https reverse proxy to work - no object data received

Apologies, this does actually seem to work perfectly fine for a
"normal" site, but does not like CDN hosted sites - I am cool with
that.

Last question though - how do I stop host headers from being
forwarded? Should I set act_as_origin? Or use defaultsite?

Thanks!

On Wed, May 14, 2014 at 6:27 PM, Nico Snyman <snyman.nico@xxxxxxxxx> wrote:
> Apologies, this does actually seem to work perfectly fine for a "normal"
> site, but does not like CDN hosted sites - I am cool with that.
>
> Last question though - how do I stop host headers from being forwarded?
> Should I set act_as_origin? Or use defaultsite?
>
> Thanks!
> Nico
>
>
> On Wed, May 14, 2014 at 5:44 PM, Nico Snyman <snyman.nico@xxxxxxxxx> wrote:
>> Hi Amos,
>>
>> (apologies for being very verbose - hoping that my poor efforts can
>> help someone else once it ends up in the archives)
>>
>> To make sure not to muddle things up - I have removed the https bits for
>> now.
>>
>> Also to make clear what is what, I have done the following (using fake
>> "outside" domain localhost.com)
>>
>> 1. added localhost.com pointing to loopback in hosts on the squid host
>> 2. added localhost.com in hosts of the connecting PC (browser PC),
>> pointing to squid host
>>
>> I have then adjusted my squid.conf to read as follows:
>>
>> ...
>> http_port 80 accel defaultsite=localhost.com
>> cache_peer google.com parent 80 0 no-query no-digest originserver name=myAccel1
>> acl our_sites dstdomain localhost.com
>> http_access allow our_sites
>> cache_peer_access myAccel1 allow our_sites
>> ...
>>
>> Browser connects to localhost.com:80, and Squid fetches data from
>> google.com and presents it as if it were content from localhost.com -
>> and this works perfectly as expected.
>>
>> Now I want to do the same, but using SSL. My squid.conf now looks like
>> this:
>>
>> ...
>> https_port 443 accel cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key defaultsite=localhost.com
>> cache_peer google.com parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
>> acl our_sites dstdomain localhost.com
>>
>> http_access allow our_sites
>> cache_peer_access myAccel allow our_site
>> ...
>>
>> This does not work, I get in access.log:
>> 127.0.0.1 TCP_MISS_ABORTED/000 0 GET https://localhost.com/ - FIRSTUP_PARENT/xxx.xxx.xxx.xxx -
>>
>> (Note the xxx above are substitutes for a real IP; I am not *actually*
>> using google.com)
>>
>> I think I am missing something rather obvious here - and I think it
>> might have something to do with the parent cert?
>>
>> Any ideas please?
>>
>> Thanks!
>>
>> On Tue, May 13, 2014 at 6:53 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> wrote:
>>> On 14/05/2014 4:34 a.m., Nico Snyman wrote:
>>>> Hi guys,
>>>>
>>>> I am trying to set up an https reverse proxy to cache and proxy a data
>>>> feed from a 3rd party.
>>>>
>>>> At the moment, as a POC inside a VirtualBox VM, I am simply trying to
>>>> reverse proxy https://localhost to fetch https://www.google.com (or
>>>> any other https site).
>>>>
>>>
>>> The Right Way(tm) to test is with hosts file entry standing in for
>>> public DNS.
>>>
>>> /etc/hosts:
>>>  127.0.0.1  google.com
>>>
>>>  ... and making sure the proxy configuration is correct ...
>>>
>>> /etc/squid/squid.conf:
>>>  ...
>>>  https_port 443 accel defaultsite=google.com cert=...
>>>  http_port 80 accel defaultsite=google.com
>>>  ...
>>>  cache_peer google.com parent 443 0 originserver ssl ...
>>>  ...
>>>  acl our_sites dstdomain google.com
>>>  acl port443 myportname 443
>>>  acl port80 myportname 80
>>>  cache_peer_access myAccel allow  port443 our_sites
>>>  cache_peer_access myAccel1 allow port80 our_sites
>>>  http_access allow our_sites
>>>  http_access deny all
>>>  ...
>>>
>>>
>>>
>>>> Unfortunately, I consistently get the following:
>>>>
>>>> kid1| TCP connection to www.google.com/443 failed
>>>> kid1| WARNING: HTTP: Invalid response: No object data received for
>>>> https://localhost/ AKA localhost/
>>>>
>>>> In a browser this is a "Zero Sized Reply" message.
>>>>
>>>> My squid.conf as follows:
>>>>
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80          # http
>>>> acl Safe_ports port 21          # ftp
>>>> acl Safe_ports port 443         # https
>>>> acl Safe_ports port 70          # gopher
>>>> acl Safe_ports port 210         # wais
>>>> acl Safe_ports port 1025-65535  # unregistered ports
>>>> acl Safe_ports port 280         # http-mgmt
>>>> acl Safe_ports port 488         # gss-http
>>>> acl Safe_ports port 591         # filemaker
>>>> acl Safe_ports port 777         # multiling http
>>>> acl CONNECT method CONNECT
>>>> https_port 443 accel cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key defaultsite=localhost
>>>> http_port 80 accel defaultsite=localhost
>>>> cache_peer www.google.com parent 443 0 no-query no-digest originserver name=myAccel
>>>> cache_peer www.google.com parent 80 0 no-query no-digest originserver name=myAccel1
>>>> acl our_sites dstdomain localhost
>>>> http_access allow our_sites
>>>> cache_peer_access myAccel allow our_sites
>>>> cache_peer_access myAccel1 allow our_sites
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost manager
>>>> http_access deny manager
>>>> http_access allow localhost
>>>> http_access deny all
>>>> access_log daemon:/squid3_logs/access.log squid
>>>> cache_store_log daemon:/squid3_logs/store.log
>>>> cache_log /squid3_logs/cache.log
>>>> coredump_dir /var/spool/squid3
>>>> refresh_pattern ^ftp:           1440    20%     10080
>>>> refresh_pattern ^gopher:        1440    0%      1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>>> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
>>>> refresh_pattern .               0       20%     4320
>>>>
>>>> Anybody have any ideas? I for the life of me cannot figure it out, and
>>>> haven't been able to find relevant help in the archives.
>>>>
>>>> Squid version: squid3-3.3.8
>>>> Ubuntu 13.10 inside Virtualbox 4.3.6
>>>>
>>>>
>>>>
>>>> Thank you!
>>>>
>>>
>
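The https config quoted above references the ACL `our_site` in its cache_peer_access line while the ACL is defined as `our_sites`, and it disables origin certificate checks with `sslflags=DONT_VERIFY_PEER`. The following is an added example, not code from the thread or from the Squid project: a small squid.conf linter that cross-checks ACL and cache_peer names against their definitions and flags peers whose TLS verification is switched off. The sample config is constructed after the quoted one, and the set of built-in ACL names is an assumption for this release.

```python
# Constructed sample squid.conf fragment, modelled on the https config quoted
# in the thread (not the poster's exact file); the last line references the
# ACL "our_site" although the ACL is defined as "our_sites".
SAMPLE_CONF = """\
https_port 443 accel cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key defaultsite=localhost.com
cache_peer google.com parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
acl our_sites dstdomain localhost.com
http_access allow our_sites
cache_peer_access myAccel allow our_site
"""

# ACL names assumed to be predefined by Squid, so they need no "acl" line.
BUILTIN_ACLS = {"all", "localhost", "manager", "to_localhost"}


def lint_squid_conf(text):
    """Return findings: undefined ACL/peer references and peers with
    origin certificate verification disabled."""
    acls, peers, findings = set(BUILTIN_ACLS), set(), []
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    # Pass 1: collect ACL and cache_peer names (a peer without name= is
    # referred to by its host name).
    for line in lines:
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls.add(parts[1])
        elif parts[0] == "cache_peer" and len(parts) >= 2:
            names = [p[5:] for p in parts if p.startswith("name=")]
            name = names[0] if names else parts[1]
            peers.add(name)
            if "sslflags=DONT_VERIFY_PEER" in parts:
                findings.append(f"cache_peer {name}: DONT_VERIFY_PEER disables "
                                "origin certificate verification")
    # Pass 2: every ACL referenced by http_access / cache_peer_access must
    # exist, and every peer named in cache_peer_access must be defined.
    for line in lines:
        parts = line.split()
        if parts[0] == "http_access" and len(parts) >= 3:
            refs = parts[2:]
        elif parts[0] == "cache_peer_access" and len(parts) >= 4:
            if parts[1] not in peers:
                findings.append(f"cache_peer_access: unknown peer {parts[1]}")
            refs = parts[3:]
        else:
            continue
        for ref in refs:
            if ref.lstrip("!") not in acls:   # "!acl" negates an ACL
                findings.append(f"{parts[0]}: undefined ACL {ref.lstrip('!')}")
    return findings
```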