On 25/09/2015 9:27 p.m., Lucas van Braam van Vloten wrote:
> Hello,
>
> I would like to use Squid to forward requests to webservices.
> I would like to accomplish the following:
>
> Traffic is initially directed directly to the Squid server at its
> internal address, for example:
> http://squid.server.local/first/webservice/
>
> The request to the actual webservice is originated from the Squid
> server, for example:
> https://internet-webservice.example.com/soap/in/
>

This is a very bad design. It leads to all sorts of problems with internal URL leaking out to external clients, context and security scoping problems, and all the secondary side effects from those.

Proxies like Squid are designed to gateway the full URL between client and server/service.

> I can configure Squid so that internal requests are connected to the
> external webservice. Client certificate authentication is handled by
> Squid. However this is based on the FQDN only, everything that comes
> after the FQDN (the second part of the URL) is passed through to the
> external service.

This is one of the security side-effect problems. There is no solution except to do HTTP properly.

>
> I would like to modify the second part of the URL, so that an internal
> connection to ".../first/webservice/", is externally connected to
> ".../soap/in/"
> Everything that comes after the second part of the URL should be passed
> through as usual.
>
> My question is: Can it be done?

Yes if you are willing to cope with all the brokenness that results. It is called URL rewriting and is done by a helper and the url_rewrite_program directive.

But it is far easier to do HTTP properly:

* make the public and private paths identical.

* add a cache_peer with port 443 and SSL options, and the forcedomain=internet-webservice.example.com option to change the domain sent.

* ensure the web service only ever uses relative URLs. It must not use the https:// or FQDN in any of its outputs.

Amos
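The three-step setup recommended in the reply above, sketched as a squid.conf fragment. This is an added example, not part of the original message or of the Squid project's documentation. It assumes Squid 3.x option names, where the Host-override option is spelled `forceddomain=` in squid.conf; the certificate paths and the peer name `ws_peer` are placeholders.

```conf
# Added example (assumptions: Squid 3.x, placeholder file paths, hypothetical peer name).

# Internal listener in accelerator (reverse proxy) mode.
http_port 80 accel defaultsite=squid.server.local

# Step 1: the internal path is the same as the external one (/soap/in/),
# so no URL rewriting helper is needed.
acl ws_host dstdomain squid.server.local
acl ws_path urlpath_regex ^/soap/in/

# Step 2: TLS origin peer on port 443. Squid presents the client certificate,
# verifies the server against the given CA file, and sends the external
# domain in the Host header.
cache_peer internet-webservice.example.com parent 443 0 no-query originserver ssl sslcert=/etc/squid/ws-client.pem sslkey=/etc/squid/ws-client.key sslcafile=/etc/squid/ws-ca.pem forceddomain=internet-webservice.example.com name=ws_peer

# Only the web service path may use the authenticated peer; anything else
# sent to this listener is refused rather than forwarded with the
# client certificate attached.
http_access allow ws_host ws_path
http_access deny all
cache_peer_access ws_peer allow ws_host ws_path
cache_peer_access ws_peer deny all

# Never bypass the peer and go direct to the origin.
never_direct allow all
```

Step 3 (relative URLs only in the web service's output) is a property of the service itself and cannot be enforced from squid.conf.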