Re: Identifying intercepted clients

On 04/03/2016 08:06 PM, Amos Jeffries wrote:
> On 4/04/2016 4:22 a.m., Brendan Kearney wrote:
>> with fedora 24 being released in a couple months, haproxy v1.6.x will be
>> available, and the ability to easily intercept HTTP traffic will be in
>> the version (see the set-uri directive).  with v1.6 i will be able to
>> rewrite the URL, so that squid can process the request properly.
>
> That does not make sense. Intercepting and URL-rewriting are completely
> different actions.
>
> The Squid-3.5 and later versions are able to receive PROXY protocol
> headers from HAProxy. You may find that much better than fiddling around
> with URLs and available in your current HAProxy.

i use iptables to intercept the request, and need the set-uri option in haproxy 1.6.x to concatenate the Host header with the GET, in order to have the request in the form that squid expects the request. yes, they are separate actions and i should have been clearer.

i will look into the PROXY protocol additions, but that may not be an option until i can get all my boxes upgraded.

>> my problem is that i run authenticated access on the proxy, and will need
>> to exempt the traffic from that restriction.
>
> What restriction?

the authenticated access restriction. not much of my policy allows for unauthenticated access.

>> what mechanisms can i use to identify the fact that the client traffic
>> has been intercepted, so that i can create ACLs to match the traffic?  i
>> don't want to use things like IPs or User-Agent strings, as they may
>> change or be unknown.
>
> Only the interceptor can do that traffic distinction. Once traffic gets
> multiplexed the information is lost.

i tried to create / insert a header at the router/firewall/load balancer, and test for the existence of the header in squid, but that did not seem to go as well as i thought it might.

>> i was thinking about sending the intercepted traffic to a different
>> port, say 3129, and then using localport to identify the traffic. with
>> an ACL, i would exempt the traffic from auth, etc.  are there better
>> options?  how are other folks dealing with intercepted and explicit
>> traffic on the same box?
>
> That would be one fairly good way to distinguish the traffic types. So
> why is the URL fiddling happening?

because i need to concatenate the Host header with the GET line (URI), in order for squid to be able to process the request. i don't have squid 3.5 yet, nor do i have haproxy 1.6 yet, so i have to use the old interception methods to accomplish this, at this point.

> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

thanks for the feedback. seems i might be able to do things, just have to find my way through until newer versions give me better means of doing it.

thanks,

brendan
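
The separate-port approach discussed in this thread, as an added squid.conf sketch that is not part of the original messages or of either poster's configuration. It assumes that HAProxy forwards the already rewritten requests to port 3129 from its own address, that 192.0.2.10 is a constructed placeholder for that address, and that `auth_param` is already configured.

```squidconf
# Added example; ports follow the thread (3128 explicit, 3129 for redirected traffic).
# Assumes auth_param is already configured elsewhere in squid.conf.

# Explicit proxy port: browsers are configured to use it and must authenticate.
http_port 3128

# Second forward-proxy port that only the interceptor (HAProxy here) sends to.
# Requests arrive already rewritten to absolute-URI form, so no "intercept" flag.
http_port 3129

# Matches on the Squid listening port the connection arrived on.
acl redirected_port localport 3129

# Constructed address for the HAProxy/firewall host; replace with your own.
acl interceptor_host src 192.0.2.10

acl authenticated proxy_auth REQUIRED

# Only the interceptor may use the unauthenticated port; anything else
# connecting to 3129 is refused, so the port cannot be used to skip auth.
http_access deny redirected_port !interceptor_host
http_access allow redirected_port

# All remaining traffic (port 3128) goes through the normal authenticated policy.
http_access allow authenticated
http_access deny all
```

If the port is instead declared with the `intercept` flag, `localport` reflects the original destination port (usually 80) rather than 3129. In that case, label the port with `name=` on `http_port` and match it with a `myportname` ACL.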