Re: Squid as Reverse Proxy with Parent Proxy, http inbound and https outbound


 



On 8/12/22 00:28, Joel Howard wrote:

Thanks for the quick and detailed response! I inherited this service recently - would you recommend upgrading to 5? My configs are fairly simple, so upgrade should be easy.

I recommend not using v3. I do not have enough information about your environment to _recommend_ a specific version to upgrade to. By default, you should be upgrading to v5.


Here's my desired flow - let "reverse" and "parent" represent the IPs of those proxies, and "target" represent the target API hostname.

Application sends GET (POST, PUT, etc) http://reverse/some/path

Nitpick: That is not exactly what the application sends if reverse is a reverse proxy. The application will send "GET /some/path" (with "reverse" in the Host header).


Reverse adds headers to the request
Reverse sends the request to https://target/some/path using parent as a forward proxy.

I am not sure, but I suspect you will need a URL rewriter to change the URL scheme from "http" to "https".

I set this up outside of a docker and without trying to force ssl. The config below was my first attempt

Why are there suddenly two cache_peers in your configuration? Can you simplify, at least for now, and have just one?

And why are there no [parent] proxies in your configuration? If you want Squid to use a parent proxy, then you need a cache_peer option _without_ the originserver flag. That flag converts Squid treatment of an HTTP agent at the specified cache_peer address from a [forward] proxy [that you want] to an origin server.

I would start with the following sketch:

    http_port 80 accel
    cache_peer 10.60.4.178 parent 3128 0 no-query no-digest
    http_access ...

And then, after the above is adjusted and working as expected, add request URL rewriting to try to change the URL scheme to https.

HTH,

Alex.


# Reverse proxy to google.com
http_port 80 accel vhost defaultsite=www.google.com
cache_peer google.com parent 80 0 no-query originserver forceddomain=www.google.com name=target
request_header_add Joel Joel

# Simplified acl
http_access allow all
cache_peer_access target allow all

# Parent proxy
cache_peer 10.60.4.178 parent 3128 0 no-query default
acl all src 0.0.0.0/0.0.0.0
never_direct allow all

This was my second attempt, using forceddomain to replace the host header but sending the request directly to the parent proxy. This results in the parent receiving GET /, which it does not understand (it expects GET target/somepath).

# Reverse proxy directly to forward proxy google.com
http_port 80 accel vhost defaultsite=www.google.com
cache_peer 10.60.4.178 parent 3128 0 no-query originserver forceddomain=www.google.com name=parent
request_header_add Joel Joel

# Misc
cache deny all
shutdown_lifetime 1 seconds

I suspect this would need a url rewriter to force the url to target - I'm failing to get any of the example rewriters working (maybe due to the old squid version?) so I haven't been able to test that yet. But I suspect it will fail for HTTPS, because the rewritten URL will be sent as GET target/something to the parent proxy, instead of CONNECT target/something - I still think I'm missing something to get my squid to use the forward /as a proxy/ while itself functioning in reverse.

I'll rewrite these for squid 5 and try to get URL rewriting working. In the meantime, could you let me know if either of these two general approaches is remotely correct and if so, what I can do to get further with them?

Thanks so much! If you happen to be on StackOverflow, I've asked the question with a bounty there <https://stackoverflow.com/questions/73286678/reverse-proxy-with-http-inbound-https-outbound-and-parent-proxy/73293978?noredirect=1#comment129465312_73293978> as well (although less squid-specific).

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
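
Added example, not part of the original thread and not Squid project code: a minimal url_rewrite_program helper of the kind the reply suggests for changing the URL scheme from http to https. It assumes Squid 3.4 or later (key=value helper replies) and a hypothetical upstream hostname target.example; the thread does not confirm that this rewrite alone produces the desired flow through the parent proxy.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper (added example): http -> https for one host."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Assumption: hypothetical upstream API hostname. The helper never produces
# an https URL for any other host, whatever Host header the client sent.
ALLOWED_HOSTS = {"target.example"}


def rewrite(url):
    """Return the https:// form of url, or None to leave it unchanged."""
    if '"' in url or "\\" in url:
        return None  # would break the quoted rewrite-url="..." reply
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port or IPv6 literal
        return None
    if parts.scheme.lower() != "http" or host not in ALLOWED_HOSTS:
        return None
    if parts.username or parts.password or port not in (None, 80):
        return None  # refuse userinfo and non-default ports
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def handle_line(line):
    """Map one helper request line to one reply line (without newline)."""
    fields = line.split()
    prefix = ""
    # With concurrency=N Squid prepends a numeric channel-ID; echo it back.
    if fields and fields[0].isdigit():
        prefix = fields.pop(0) + " "
    if not fields:
        return prefix + "BH"  # helper could not parse the request
    new_url = rewrite(fields[0])  # remaining fields are url_rewrite_extras
    if new_url is None:
        return prefix + "ERR"  # ERR tells Squid to keep the URL as is
    return f'{prefix}OK rewrite-url="{new_url}"'


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits on each reply; never buffer


if __name__ == "__main__":
    main()
```

The helper is wired in with the url_rewrite_program directive pointing at wherever the script is installed; it can be checked from a shell first by piping a line such as `http://target.example/some/path` into it.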
