
Re: Parent proxy chaining


Thank you both, Matus and Alex! Changing the name got my HTTP access working perfectly. I was stuck on HTTPS soon after, but as soon as I removed "intercept" from the Squid Parent proxy "http_port" line, I got that working.

You guys rock. Thanks again for that little nudge I needed to figure this out.

-Phillip
 
Message: 2
Date: Tue, 27 Nov 2018 17:44:54 +0100
From: Matus UHLAR - fantomas <uhlar@xxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Parent proxy chaining
Message-ID: <20181127164454.GA20312@xxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii; format=flowed

On 27.11.18 08:33, Phillip McCollum wrote:
>I have a deployment in AWS where a VPC has a transparent proxy deployed,
>which forwards 80/443 requests to a parent proxy in another VPC, which I
>then need to forward to another parent proxy (SaaS provider).
>
>Essentially:
>[[Client PC]] --> [[Squid Proxy (10.52.0.20)]] --> [[Parent Squid Proxy (10.52.0.168)]] --> [[Parent SaaS Proxy]]
>
>This is being done to centralize proxy functions and limit the number of
>public IPs that the parent SaaS needs to whitelist.
>
>I'm getting "Access Denied" messages and a review of Squid Parent proxy
>access.log shows the following common errors:
>
>HTTP:
>2018/11/27 16:22:54 kid1| WARNING: Forwarding loop detected for:
>GET / HTTP/1.1
>Accept: text/html, application/xhtml+xml, image/jxr, */*
>Accept-Language: en-US
>User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
>Accept-Encoding: gzip, deflate
>Cookie: B=8nra62ldvb83a&b=3&s=ik
>Via: 1.1 squid (squid/3.5.27)

What are the names of your proxies?
You must set a different visible_name or at least unique_name so the proxy knows
it's not contacting itself.

>Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
>    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3130
>   35  2100 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 redir ports 3031

The intercepting (often called transparent) proxy must have direct access to
the world or to a parent proxy. Redirecting it back will create a loop.


--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
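
Added example, not part of the thread or of Squid's code: a simplified Python model of the check behind the "Forwarding loop detected" warning above, in which each hop refuses a request whose Via header already carries its own name. It assumes both proxies announce themselves as "squid", as the quoted Via line suggests; the names proxy-child and proxy-parent are constructed. In squid.conf the name is set with the visible_hostname and unique_hostname directives.

```python
import re

# One Via entry: "[protocol/]version received-by [(comment)]"
VIA_ENTRY = re.compile(r"^\s*(?:[\w.-]+/)?[\w.]+\s+(\S+)(?:\s+\(.*\))?\s*$")

def via_hosts(via_header):
    """Return the received-by names listed in a Via header value."""
    hosts = []
    # Simplification: assumes no commas inside the parenthesised comments.
    for entry in via_header.split(","):
        match = VIA_ENTRY.match(entry)
        if match:
            hosts.append(match.group(1).lower())
    return hosts

def forward(chain, via=""):
    """Send one request through the proxies named in `chain`, in order.

    Each hop refuses the request if its own name is already in Via,
    otherwise appends itself. Returns (delivered, refusing_hop, via).
    """
    for name in chain:
        if name.lower() in via_hosts(via):
            return False, name, via
        entry = f"1.1 {name} (squid/3.5.27)"
        via = f"{via}, {entry}" if via else entry
    return True, None, via

if __name__ == "__main__":
    # Both hops announce themselves as "squid", as in the quoted Via line.
    print(forward(["squid", "squid"]))
    # Constructed names, one per hop.
    print(forward(["proxy-child", "proxy-parent"]))
```

With identical names the second hop sees its own name in Via and rejects a request that never actually looped; with one name per hop the request passes and Via records the full path.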
