On 8/12/22 00:28, Joel Howard wrote:
Thanks for the quick and detailed response! I inherited this service
recently - would you recommend upgrading to 5? My configs are fairly
simple, so upgrade should be easy.
I recommend not using v3. I do not have enough information about your
environment to _recommend_ a specific version to upgrade to. By default,
you should be upgrading to v5.
Here's my desired flow - let "reverse" and "parent" represent the IPs of
those proxies, and "target" represent the target API hostname.
Application sends GET (POST, PUT, etc) http://reverse/some/path
Nitpick: That is not exactly what the application sends if reverse is a
reverse proxy. The application will send "GET /some/path" (with
"reverse" in the Host header).
Reverse adds headers to the request
Reverse sends the request to https://target/some/path
using parent as a forward proxy.
I am not sure, but I suspect you will need a URL rewriter to change the
URL scheme from "http" to "https".
I set this up outside of a docker and without trying to force ssl. The
config below was my first attempt
Why are there suddenly two cache_peers in your configuration? Can you
simplify, at least for now, and have just one?
And why are there no [parent] proxies in your configuration? If you want
Squid to use a parent proxy, then you need a cache_peer option _without_
the originserver flag. That flag coverts Squid treatment of an HTTP
agent at the specified cache_peer address from a [forward] proxy [that
you want] to an origin server.
I would start with the following sketch:
http_port 80 accel
cache_peer 10.60.4.178 parent 3128 0 no-query no-digest
http_access ...
And then, after the above is adjusted and working as expected, add
request URL rewriting to try to change the URL scheme to https.
HTH,
Alex.
# Reverse proxy to google.com <http://google.com>
http_port 80 accel vhost defaultsite=www.google.com <http://www.google.com>
cache_peer google.com <http://google.com> parent 80 0 no-query
originserver forceddomain=www.google.com <http://www.google.com> name=target
request_header_add Joel Joel
# Simplified acl
http_access allow all
cache_peer_access target allow all
# Parent proxy
cache_peer 10.60.4.178 parent 3128 0 no-query default
acl all src 0.0.0.0/0.0.0.0 <http://0.0.0.0/0.0.0.0>
never_direct allow all
This was my second attempt, using forceddomain to replace the host
header but sending the request directly to the parent proxy. This
results in the parent receiving GET /, which it does not understand (it
expects GET target/somepath).
# Reverse proxy directly to forward proxy google.com <http://google.com>
http_port 80 accel vhost defaultsite=www.google.com <http://www.google.com>
cache_peer 10.60.4.178 parent 3128 0 no-query originserver
forceddomain=www.google.com <http://www.google.com> name=parent
request_header_add Joel Joel
# Misc
cache deny all
shutdown_lifetime 1 seconds
I suspect this would need a url rewriter to force the url to target -
I'm failing to get any of the example rewriters working (maybe due to
the old squid version?) so I haven't been able to test that yet. But I
suspect it will fail for HTTPS, because the rewritten URL will be sent
as GET target/something to the parent proxy, instead of CONNECT
target/something - I still think I'm missing something to get my squid
to use the forward /as a proxy/ while itself functioning in reverse.
I'll rewrite these for squid 5 and try to get URL rewriting working. In
the meantime, could you let me know if either of these two general
approaches is remotely correct and if so, what I can do to get further
with them?
Thanks so much! If you happen to be on StackOverflow, I've asked the
question with a bounty there
<https://stackoverflow.com/questions/73286678/reverse-proxy-with-http-inbound-https-outbound-and-parent-proxy/73293978?noredirect=1#comment129465312_73293978>
as well (although less squid-specific).
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
