Squid Reverse Proxy

Discussion in 'HOWTO-Related Questions' started by EricTRA, Jul 28, 2009.

  1. EricTRA

    EricTRA New Member


    I've setup successfully a Squid Reverse Proxy using the How To Set Up A Caching Reverse Proxy With Squid 2.6 although with some differences. I installed Squid 3 stable 16 on a Debian 5.0 Lenny server. I also installed it with SSL support, created my own self-signed wildcard certificate, LDAP authentication against our domain and everything.

    Everything is working fine, http, https, the certificate, ... but...

    I have like 6 http intranet sites and 1 https intranet site. I can successfully connect to the http sites using http://site1.domain.com but it also accepts https://site1.domain.com. The same, reverse, is true for the https site. I connect to https://sslsite.domain.com accept the exception for the certificate and get connected. But also using http://sslsite.domain.com I get connected to that site.

    1. How do I have to change my configuration so that the https site is only accessible using https connection, dropping all that try to connect to that site using http?
    2. When I use https://site1.domain.com to connect to a http site, after authentication it changes the url to http://site1.domain.com. Does this mean that Squid detects that the destination site is a http site and changes the URL accordingly? If this is true would my problem be solved by only accepting https connections?

    Here's my squid config. I really hope someone can help me out.
    cache_mgr root
    # Basic parameters
    visible_hostname www.domain.com
    auth_param basic realm Domain Security Portal
    # This line indicates the server we will be proxying for
    http_port 80 defaultsite=www.domain.com vhost
    # And the IP Address for it - adjust the IP and port if necessary
    cache_peer XXX.XXX.XXX.73 parent 80 0 no-query originserver name=site1
    acl site_site1 dstdomain site1.domain.com
    cache_peer_access site1 allow site_site1
    cache_peer XXX.XXX.XXX.27 parent 80 0 no-query originserver name=site2
    acl site_site2 dstdomain site2.domain.com
    cache_peer_access site allow site_site2
    cache_peer XXX.XXX.XXX.21 parent 80 0 no-query originserver name=site3
    acl site_site3 dstdomain site3.domain.com
    cache_peer_access site3 allow site_site3
    cache_peer localhost parent 8080 0 no-query originserver name=acidbase
    acl site_acidbase dstdomain acidbase.domain.com
    cache_peer_access acidbase allow site_acidbase
    https_port XXX.XXX.XXX.78:443 accel cert=/etc/ssl/domaincert.pem key=/etc/ssl/domainkey.pem cafile=/etc/ssl/CA/cacert.pem defaultsite=sslsite.domain.com vhost protocol=https
    forwarded_for on
    cache_peer XXX.XXX.XXX.84 parent 19080 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=sslsite
    acl site_sslsite dstdomain sslsite.domain.com
    cache_peer_access sslsite allow site_sslsite
    acl https proto https
    acl apache rep_header Server ^Apache
    # Where the cache files will be, memory and such
    cache_dir ufs /var/spool/squid3 10000 16 256
    cache_mem 256 MB
    maximum_object_size_in_memory 128 KB
    # Log locations and format
    #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
    logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
    access_log /var/log/squid3/access.log combined
    cache_log /var/log/squid3/cache.log
    cache_store_log /var/log/squid3/store.log
    logfile_rotate 10
    hosts_file /etc/hosts
    # Basic ACLs
    # acl all src
    acl manager proto cache_object
    acl localhost src
    acl to_localhost dst
    acl SSL_ports port 443          # https
    acl Safe_ports port 80
    acl Safe_ports port 443
    acl purge method PURGE
    acl CONNECT method CONNECT
    auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=ldapuser,cn=Users,dc=domain,dc=com" -w "password" -f sAMAccountName=%s -h ldapserver
    auth_param basic children 5
    acl ldap_users proxy_auth REQUIRED
    # Add this at the top of the http_access section of squid.conf
    http_access allow ldap_users
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access allow localhost
    http_access allow all
    http_access allow all
    http_reply_access allow all
    icp_access allow all
    cache_effective_group proxy
    coredump_dir /var/spool/squid3
    emulate_httpd_log on
    redirect_rewrites_host_header off
    buffered_logs on
    # Do not cache cgi-bin, ? urls, posts, etc.
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    acl POST method POST
    no_cache deny QUERY
    no_cache deny POST
    Kind regards,


Share This Page