Hi,

I try to configure squid for a very special use case but can't get it to work. So, if you could give me some hints on how to do it right, that would be great.

Here's what I try to achieve:

- the browser has proxy:8080 configured as manual proxy
- from the browser I access some websites
- when the request is plain http then the reply must be a redirect to https
- when the request is https then the ssl connection must be terminated on the proxy and the request must be forwarded as http to the application server

I know, I could just forget about ssl and go directly to the app server with http, but the customer insists on that particular setup.

We use several domains like app1.doma.com, app2.domb.biz, app3.domc.org. In order to return the correct certificate for each request, I need a dedicated ip:port combination for each certificate.

I came up with the following setup:

  browser -> proxy:8080 -> squid
    for http://app1.doma.com  -> 127.0.0.1:10081 -> haproxy -> redirect
    for https://app1.doma.com -> 127.0.0.1:10401 -> haproxy -> terminate ssl -> app1.local.net:8123
    for http://app2.doma.com  -> 127.0.0.1:10082 -> haproxy -> redirect
    for https://app2.doma.com -> 127.0.0.1:10402 -> haproxy -> terminate ssl -> app2.local.net:8765
    for http://app3.doma.com  -> 127.0.0.1:10083 -> haproxy -> redirect
    for https://app3.doma.com -> 127.0.0.1:10403 -> haproxy -> terminate ssl -> app3.local.net:8888

Here's the configuration I created so far:

  http_port 8080

  # User networks
  acl Users src 10.11.12.0/22

  acl SSL_ports port 443
  acl Safe_ports port 80          # http
  acl Safe_ports port 21          # ftp
  acl Safe_ports port 443         # https
  acl Safe_ports port 70          # gopher
  acl Safe_ports port 210         # wais
  acl Safe_ports port 1025-65535  # unregistered ports
  acl Safe_ports port 280         # http-mgmt
  acl Safe_ports port 488         # gss-http
  acl Safe_ports port 591         # filemaker
  acl Safe_ports port 777         # multiling http
  acl CONNECT method CONNECT

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost manager
  http_access deny manager
  http_access allow localhost
  http_access allow Users
  http_access deny all

  coredump_dir /var/spool/squid
  cache deny all
  never_direct allow all

  acl to_domA dstdomain .doma.com
  acl to_domB dstdomain .domb.biz
  acl to_domC dstdomain .domc.org

  cache_peer 127.0.0.1 parent 10081 0 name=domA_redirect no-query originserver
  cache_peer_access domA_redirect allow !CONNECT to_domA
  cache_peer 127.0.0.1 parent 10401 0 name=domA_ssl no-query originserver
  cache_peer_access domA_ssl allow CONNECT to_domA

  cache_peer 127.0.0.1 parent 10082 0 name=domB_redirect no-query originserver
  cache_peer_access domB_redirect allow !CONNECT to_domB
  cache_peer 127.0.0.1 parent 10402 0 name=domB_ssl no-query originserver
  cache_peer_access domB_ssl allow CONNECT to_domB

  cache_peer 127.0.0.1 parent 10083 0 name=domC_redirect no-query originserver
  cache_peer_access domC_redirect allow !CONNECT to_domC
  cache_peer 127.0.0.1 parent 10403 0 name=domC_ssl no-query originserver
  cache_peer_access domC_ssl allow CONNECT to_domC

The plain http part works: squid selects the correct peer and haproxy responds with the redirect. ssl, respectively the CONNECT call, is the problem:

  2017/11/17 07:56:21.429 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d69a951b68 answer ALLOWED for match
  2017/11/17 07:56:21.429 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d69a951b68 answer=ALLOWED
  2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(171) peerCheckNeverDirectDone: peerCheckNeverDirectDone: ALLOWED
  2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(177) peerCheckNeverDirectDone: direct = DIRECT_NO (never_direct allow)
  2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(441) peerSelectFoo: CONNECT app1.doma.com
  2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(685) peerGetSomeParent: CONNECT app1.doma.com
  2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths: Failed to select source for 'app1.doma.com:443'
  2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(281) peerSelectDnsPaths:   always_direct = DENIED
  2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(282) peerSelectDnsPaths:    never_direct = ALLOWED
  2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(295) peerSelectDnsPaths:        timedout = 0
  2017/11/17 07:56:21.429 kid1| 26,3| tunnel.cc(1156) tunnelPeerSelectComplete: No paths found. Aborting CONNECT
  2017/11/17 07:56:21.429 kid1| 4,3| errorpage.cc(633) errorSend: local=10.1.2.3:8080 remote=10.11.12.13:61110 FD 12 flags=1, err=0x55d69a511528
  2017/11/17 07:56:21.429 kid1| 4,2| errorpage.cc(1262) BuildContent: No existing error page language negotiated for ERR_CANNOT_FORWARD. Using default error file.

If it makes any difference, here some details about os and squid:

  root@proj-proxy:~# dpkg -l | grep squid
  ii  squid           3.5.12-1ubuntu7.4  amd64  Full featured Web Proxy cache (HTTP proxy)
  ii  squid-common    3.5.12-1ubuntu7.4  all    Full featured Web Proxy cache (HTTP proxy) - common files
  ii  squid-langpack  20150704-1         all    Localized error pages for Squid
  root@proj-proxy:~# uname -a
  Linux proj-proxy 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  root@proj-proxy:~# cat /etc/os-release
  NAME="Ubuntu"
  VERSION="16.04.3 LTS (Xenial Xerus)"
  ID=ubuntu
  ID_LIKE=debian
  PRETTY_NAME="Ubuntu 16.04.3 LTS"
  VERSION_ID="16.04"
  HOME_URL="http://www.ubuntu.com/"
  SUPPORT_URL="http://help.ubuntu.com/"
  BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
  VERSION_CODENAME=xenial
  UBUNTU_CODENAME=xenial

Many thanks for your help
Bernhard
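A way to check a cache_peer / cache_peer_access layout like the one in this post without a running Squid, as an added example that is not from the post or from the Squid project: the script below parses the acl, cache_peer and cache_peer_access lines, evaluates them with Squid's first-match semantics (a line matches when all its terms match; when no line matches, the opposite of the last line's action applies) and reports which peers a given request may use. Only the acl types the post uses (method, dstdomain, port) are modelled. The extra rule that an originserver peer refuses CONNECT unless the CONNECT port equals the peer's own port is my reading of Squid's neighbors.cc peerAllowedToUse(); it is marked as an assumption in the code and should be verified against the source of the Squid version in use, because it is what makes the CONNECT to app1.doma.com:443 end with no usable peer here, matching the "Failed to select source" line in the log.

```python
"""Simulate Squid's cache_peer_access selection for a request (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt of the squid.conf from the post (peer-related lines only).
SQUID_CONF = """
acl CONNECT method CONNECT
acl to_domA dstdomain .doma.com
acl to_domB dstdomain .domb.biz
acl to_domC dstdomain .domc.org
cache_peer 127.0.0.1 parent 10081 0 name=domA_redirect no-query originserver
cache_peer_access domA_redirect allow !CONNECT to_domA
cache_peer 127.0.0.1 parent 10401 0 name=domA_ssl no-query originserver
cache_peer_access domA_ssl allow CONNECT to_domA
cache_peer 127.0.0.1 parent 10082 0 name=domB_redirect no-query originserver
cache_peer_access domB_redirect allow !CONNECT to_domB
cache_peer 127.0.0.1 parent 10402 0 name=domB_ssl no-query originserver
cache_peer_access domB_ssl allow CONNECT to_domB
cache_peer 127.0.0.1 parent 10083 0 name=domC_redirect no-query originserver
cache_peer_access domC_redirect allow !CONNECT to_domC
cache_peer 127.0.0.1 parent 10403 0 name=domC_ssl no-query originserver
cache_peer_access domC_ssl allow CONNECT to_domC
"""


@dataclass
class Peer:
    name: str
    host: str
    port: int
    originserver: bool
    # cache_peer_access lines in file order: (action, [acl terms, '!' negates])
    rules: List[Tuple[str, List[str]]] = field(default_factory=list)


def parse_conf(text: str):
    """Return ({acl name: (type, values)}, {peer name: Peer}) in file order."""
    acls: Dict[str, Tuple[str, List[str]]] = {}
    peers: Dict[str, Peer] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "acl":
            # Repeated acl lines with the same name extend the value list.
            _kind, values = acls.setdefault(tok[1], (tok[2], []))
            values.extend(tok[3:])
        elif tok[0] == "cache_peer":
            host, port, opts = tok[1], int(tok[3]), tok[5:]
            name = next((o[5:] for o in opts if o.startswith("name=")), host)
            peers[name] = Peer(name, host, port, "originserver" in opts)
        elif tok[0] == "cache_peer_access":
            peers[tok[1]].rules.append((tok[2], tok[3:]))
    return acls, peers


def _domain_matches(pattern: str, host: str) -> bool:
    # dstdomain: a leading dot matches the domain itself and every subdomain.
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def _port_matches(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")  # "443" or "1025-65535"
    return int(lo) <= port <= int(hi or lo)


def acl_matches(acls, term: str, method: str, host: str, port: int) -> bool:
    negate = term.startswith("!")
    kind, values = acls[term.lstrip("!")]
    if kind == "method":
        hit = method.upper() in (v.upper() for v in values)
    elif kind == "dstdomain":
        hit = any(_domain_matches(v, host) for v in values)
    elif kind == "port":
        hit = any(_port_matches(v, port) for v in values)
    else:
        raise ValueError(f"acl type {kind!r} not modelled")
    return hit != negate


def access_allowed(acls, rules, method: str, host: str, port: int) -> bool:
    """First line whose terms all match decides; no match -> opposite of last."""
    for action, terms in rules:
        if all(acl_matches(acls, t, method, host, port) for t in terms):
            return action == "allow"
    return rules[-1][0] == "deny" if rules else True  # no rules: peer open to all


def select_peers(conf_text: str, method: str, host: str, port: int):
    """Return (usable peer names, [(rejected peer, reason)]) for one request."""
    acls, peers = parse_conf(conf_text)
    usable, rejected = [], []
    for p in peers.values():
        if not access_allowed(acls, p.rules, method, host, port):
            rejected.append((p.name, "cache_peer_access denied"))
        # ASSUMPTION: Squid's peerAllowedToUse() refuses CONNECT to an
        # originserver peer unless the CONNECT port equals the peer's port.
        # Verify against the source of the Squid version in use.
        elif p.originserver and method.upper() == "CONNECT" and port != p.port:
            rejected.append((p.name, f"originserver port {p.port} != CONNECT port {port}"))
        else:
            usable.append(p.name)
    return usable, rejected


if __name__ == "__main__":
    for req in [("GET", "app1.doma.com", 80), ("CONNECT", "app1.doma.com", 443)]:
        usable, rejected = select_peers(SQUID_CONF, *req)
        print(f"{req[0]} {req[1]}:{req[2]} -> usable peers: {usable}")
        for name, why in rejected:
            print(f"    rejected {name}: {why}")
```

Run it as-is to see the GET pick domA_redirect and the CONNECT end with an empty peer list; point SQUID_CONF at a real configuration to check other domain/port combinations before reloading Squid.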