HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Squid Reverse Proxy (http://www.howtoforge.com/forums/showthread.php?t=37788)

EricTRA 28th July 2009 09:20

Squid Reverse Proxy
 
Hello,

I've successfully set up a Squid reverse proxy using the How To Set Up A Caching Reverse Proxy With Squid 2.6 tutorial, although with some differences. I installed Squid 3 stable 16 on a Debian 5.0 Lenny server. I also installed it with SSL support, created my own self-signed wildcard certificate, set up LDAP authentication against our domain and everything.

Everything is working fine: http, https, the certificate, ... but...

I have like 6 http intranet sites and 1 https intranet site. I can successfully connect to the http sites using http://site1.domain.com, but it also accepts https://site1.domain.com. The same, in reverse, is true for the https site. I connect to https://sslsite.domain.com, accept the exception for the certificate and get connected. But using http://sslsite.domain.com I also get connected to that site.

1. How do I have to change my configuration so that the https site is only accessible using an https connection, dropping all requests that try to connect to that site using http?
2. When I use https://site1.domain.com to connect to an http site, after authentication it changes the URL to http://site1.domain.com. Does this mean that Squid detects that the destination site is an http site and changes the URL accordingly? If this is true, would my problem be solved by only accepting https connections?

Here's my squid config. I really hope someone can help me out.
Code:

cache_mgr root
# Basic parameters
visible_hostname www.domain.com
auth_param basic realm Domain Security Portal

# This line indicates the server we will be proxying for
http_port 80 defaultsite=www.domain.com vhost

# And the IP Address for it - adjust the IP and port if necessary
cache_peer XXX.XXX.XXX.73 parent 80 0 no-query originserver name=site1
acl site_site1 dstdomain site1.domain.com
cache_peer_access site1 allow site_site1

cache_peer XXX.XXX.XXX.27 parent 80 0 no-query originserver name=site2
acl site_site2 dstdomain site2.domain.com
cache_peer_access site2 allow site_site2

cache_peer XXX.XXX.XXX.21 parent 80 0 no-query originserver name=site3
acl site_site3 dstdomain site3.domain.com
cache_peer_access site3 allow site_site3

cache_peer localhost parent 8080 0 no-query originserver name=acidbase
acl site_acidbase dstdomain acidbase.domain.com
cache_peer_access acidbase allow site_acidbase

https_port XXX.XXX.XXX.78:443 accel cert=/etc/ssl/domaincert.pem key=/etc/ssl/domainkey.pem cafile=/etc/ssl/CA/cacert.pem defaultsite=sslsite.domain.com vhost protocol=https
forwarded_for on

cache_peer XXX.XXX.XXX.84 parent 19080 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=sslsite
acl site_sslsite dstdomain sslsite.domain.com
cache_peer_access sslsite allow site_sslsite
acl https proto https

acl apache rep_header Server ^Apache

# Where the cache files will be, memory and such
cache_dir ufs /var/spool/squid3 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 128 KB

# Log locations and format
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid3/access.log combined

cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
logfile_rotate 10

hosts_file /etc/hosts

# Basic ACLs
# acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443          # https
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT

auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=ldapuser,cn=Users,dc=domain,dc=com" -w "password" -f sAMAccountName=%s -h ldapserver
auth_param basic children 5
acl ldap_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ldap_users
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_access allow all
http_access allow all
http_reply_access allow all

icp_access allow all

cache_effective_group proxy

coredump_dir /var/spool/squid3

emulate_httpd_log on

redirect_rewrites_host_header off

buffered_logs on

# Do not cache cgi-bin, ? urls, posts, etc.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl POST method POST
no_cache deny QUERY
no_cache deny POST

Kind regards,

Eric
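As an added example (not part of Eric's post or of the howto it follows), here is how the first question could be expressed as Squid access rules using only ACL names the posted config already defines (`site_sslsite`, `https`, `ldap_users`, `manager`, `purge`, `Safe_ports`, `localhost`, `all`). Squid evaluates `http_access` lines top to bottom and stops at the first match, so a deny for plain-http requests to the https site must come before any allow that would otherwise match them; for the same reason the manager, purge and Safe_ports denies are placed before the authenticated allow, since in the posted order `http_access allow ldap_users` matches first for any authenticated user. The `acl https proto https` test assumes the `protocol=https` option on the posted `https_port` line, which makes requests arriving on port 443 carry an https URL scheme. The ordering is my suggestion, not a configuration tested on the poster's setup.

```squid
# ACLs as already defined in the posted config (names kept unchanged)
acl https proto https
acl site_sslsite dstdomain sslsite.domain.com
acl ldap_users proxy_auth REQUIRED

# Administrative paths first, so that no later allow rule can reach them
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports

# Question 1: a request for the https site that did not arrive over https
# (assumption: https_port carries protocol=https, as in the posted config)
# is refused before any allow rule can match it
http_access deny site_sslsite !https

# Only then require LDAP authentication. With "deny all" as the final rule
# an unauthenticated request falls through to the deny and gets the
# authentication challenge; with "allow all" at the end, as in the posted
# config, it would simply be let through without credentials.
http_access allow ldap_users
http_access deny all
```

Squid's `-k parse` option can be used to check the edited squid.conf for syntax errors before reloading, and a plain-http request for the https site should then show up in access.log with a TCP_DENIED status rather than being forwarded to the `sslsite` peer.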

