#1  
Old 28th July 2009, 08:20
EricTRA EricTRA is offline
Junior Member
 
Join Date: Feb 2009
Location: Terrassa, Barcelona, Spain
Posts: 6
Thanks: 0
Thanked 1 Time in 1 Post
Send a message via MSN to EricTRA
 
Default Squid Reverse Proxy

Hello,

I've setup successfully a Squid Reverse Proxy using the How To Set Up A Caching Reverse Proxy With Squid 2.6 although with some differences. I installed Squid 3 stable 16 on a Debian 5.0 Lenny server. I also installed it with SSL support, created my own self-signed wildcard certificate, LDAP authentication against our domain and everything.

Everything is working fine, http, https, the certificate, ... but...

I have like 6 http intranet sites and 1 https intranet site. I can successfully connect to the http sites using http://site1.domain.com but it also accepts https://site1.domain.com. The same, reverse, is true for the https site. I connect to https://sslsite.domain.com accept the exception for the certificate and get connected. But also using http://sslsite.domain.com I get connected to that site.

1. How do I have to change my configuration so that the https site is only accessible using https connection, dropping all that try to connect to that site using http?
2. When I use https://site1.domain.com to connect to a http site, after authentication it changes the url to http://site1.domain.com. Does this mean that Squid detects that the destination site is a http site and changes the URL accordingly? If this is true would my problem be solved by only accepting https connections?

Here's my squid config. I really hope someone can help me out.
Code:
cache_mgr root
# Basic parameters
visible_hostname www.domain.com
auth_param basic realm Domain Security Portal

# This line indicates the server we will be proxying for
http_port 80 defaultsite=www.domain.com vhost

# And the IP Address for it - adjust the IP and port if necessary
cache_peer XXX.XXX.XXX.73 parent 80 0 no-query originserver name=site1
acl site_site1 dstdomain site1.domain.com
cache_peer_access site1 allow site_site1

cache_peer XXX.XXX.XXX.27 parent 80 0 no-query originserver name=site2
acl site_site2 dstdomain site2.domain.com
cache_peer_access site allow site_site2

cache_peer XXX.XXX.XXX.21 parent 80 0 no-query originserver name=site3
acl site_site3 dstdomain site3.domain.com
cache_peer_access site3 allow site_site3

cache_peer localhost parent 8080 0 no-query originserver name=acidbase
acl site_acidbase dstdomain acidbase.domain.com
cache_peer_access acidbase allow site_acidbase

https_port XXX.XXX.XXX.78:443 accel cert=/etc/ssl/domaincert.pem key=/etc/ssl/domainkey.pem cafile=/etc/ssl/CA/cacert.pem defaultsite=sslsite.domain.com vhost protocol=https
forwarded_for on

cache_peer XXX.XXX.XXX.84 parent 19080 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=sslsite
acl site_sslsite dstdomain sslsite.domain.com
cache_peer_access sslsite allow site_sslsite
acl https proto https

acl apache rep_header Server ^Apache

# Where the cache files will be, memory and such
cache_dir ufs /var/spool/squid3 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 128 KB

# Log locations and format
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid3/access.log combined

cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
logfile_rotate 10

hosts_file /etc/hosts

# Basic ACLs
# acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443          # https
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT

auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=ldapuser,cn=Users,dc=domain,dc=com" -w "password" -f sAMAccountName=%s -h ldapserver
auth_param basic children 5
acl ldap_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ldap_users
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_access allow all
http_access allow all
http_reply_access allow all

icp_access allow all

cache_effective_group proxy

coredump_dir /var/spool/squid3

emulate_httpd_log on

redirect_rewrites_host_header off

buffered_logs on

# Do not cache cgi-bin, ? urls, posts, etc.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl POST method POST
no_cache deny QUERY
no_cache deny POST
Kind regards,

Eric
Reply With Quote
Sponsored Links
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Transparent reverse squid proxy d31373 Installation/Configuration 5 22nd November 2009 20:44
Configure Squid reverse proxy for apache staticanime Installation/Configuration 2 11th May 2009 14:03
Question on: How To Set Up A Caching Reverse Proxy With Squid 2.6 On Debian Etch tomdkat HOWTO-Related Questions 2 25th January 2009 00:56
Mod_Perl Configuration Issue szise Installation/Configuration 4 28th November 2008 12:41
Squid as a Reverse Proxy for ISPconfig on the same machine RotHorseKid Installation/Configuration 15 7th December 2005 18:24


All times are GMT +2. The time now is 01:43.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.