Re: [squid-users] Cookies and/or URLs becoming IP addresses when using proxy with SSL

From: <Francois.J.Perreault@dont-contact.us>
Date: Mon, 12 Aug 2002 11:14:10 -0400

We're all convinced the problem is on the application side.
However, the problem only appears when using a proxy.

Thanks for your reply.

--
2002-08-12 06:30 AM
Markus.Rietzler@rzf.fin-nrw.de wrote:
are you sure, that the server doesn't change the ip/domain while
doing some kind of redirect? what does the access.log of squid (and
the server's one) tell you?
normally squid doesn't switch back to ip-addresses while retrieving
a website. it could be a redirect that the web-server performs, such as
        http://domain/foo        -> http://123.45.67.89/foo/
(watch the trailing slash)...
Markus Rietzler
* <rietzler_software/>
* RZF NRW
* Tel: 0211.4572-130
-----Original Message-----
From: Francois.J.Perreault@vmd.desjardins.com
[mailto:Francois.J.Perreault@vmd.desjardins.com]
Sent: Saturday, 10 August 2002 00:15
To: squid-users@squid-cache.org
Subject: [squid-users] Cookies and/or URLs becoming IP addresses when
using proxy with SSL
IE Browser (5 and 6) is set to use a proxy (Squid and Apache)
and accesses an SSL site in development.  Eventually (about
4 or 5 clicks), the site's main cookie which came from the site's
domain name, will now appear to come from an IP address, thus
not being the same cookie to the browser.  This breaks the SSL
session and everything is then requested using http (not https)
and most often by referring to the IP address and not the proper
domain name URL.  Needless to say the site stops working.
Removal of the proxy settings in the browser (assuming the
station is permitted through by the firewall) and the bug goes
away.  Considering how the proxy is merely tunneling the SSL
session, how can the cookie (or URL) get poisoned like that?
--
Squid Config:
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 8080 8000
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl badlangblock url_regex -i "/etc/squid/badlang.block.txt"
acl badlangunblock url_regex -i "/etc/squid/badlang.unblock.txt"
acl entertainblock url_regex -i "/etc/squid/entertain.block.txt"
acl entertainunblock url_regex -i "/etc/squid/entertain.unblock.txt"
acl gamesblock url_regex -i "/etc/squid/games.block.txt"
acl gamesunblock url_regex -i "/etc/squid/games.unblock.txt"
acl pirateblock url_regex -i "/etc/squid/pirate.block.txt"
acl pornblock url_regex -i "/etc/squid/porn.block.txt"
acl pornunblock url_regex -i "/etc/squid/porn.unblock.txt"
acl limiteddeny url_regex -i "/etc/squid/limited.deny.txt"
acl limitedallow url_regex -i "/etc/squid/limited.allow.txt"
acl allowsimpleurl urlpath_regex -i "/etc/squid/allow_simpleurl.txt"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny badlangblock   !badlangunblock
http_access deny entertainblock !entertainunblock
http_access deny gamesblock     !gamesunblock
http_access deny pirateblock
http_access deny pornblock      !pornunblock
http_access deny limiteddeny
#http_access allow limitedallow
#http_access allow allowsimpleurl
#http_access allow CONNECT SSL_ports
#http_access deny all
http_access allow all
Received on Mon Aug 12 2002 - 09:14:32 MDT
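
The access.log check suggested in the reply can be scripted. The following is an added example, not code from the thread or from the Squid project: it scans Squid's native access.log layout for a client that first tunnels to a site by name with CONNECT and later requests the same server by IP literal. The log lines, host names and addresses are constructed, and it assumes the hierarchy field records the destination IP.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1029165250.101    245 10.0.0.5 TCP_MISS/200 3412 CONNECT dev.example.test:443 - DIRECT/192.0.2.10 -
1029165262.530    198 10.0.0.5 TCP_MISS/200 2870 CONNECT dev.example.test:443 - DIRECT/192.0.2.10 -
1029165270.912     87 10.0.0.5 TCP_MISS/200 1544 GET http://192.0.2.10/app/ - DIRECT/192.0.2.10 text/html
1029165271.400     60 10.0.0.9 TCP_MISS/200  900 GET http://www.example.test/ - DIRECT/192.0.2.20 text/html
"""

def target(method, url):
    """Return (scheme, host) for a logged request; CONNECT logs 'host:port'."""
    if method == "CONNECT":
        return "tunnel", url.rsplit(":", 1)[0].strip("[]")
    parts = urlsplit(url)
    return parts.scheme, parts.hostname or ""

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_switches(log_text):
    """Flag requests to an IP literal that the client had reached by name via CONNECT."""
    tunneled = {}   # client -> {destination IP: hostname used in CONNECT}
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue  # skip malformed or truncated lines
        client, method, url, peer = f[2], f[5], f[6], f[8].partition("/")[2]
        scheme, host = target(method, url)
        seen = tunneled.setdefault(client, {})
        if method == "CONNECT" and not is_ip(host):
            seen[peer] = host          # remember name -> IP for this client
        elif is_ip(host) and host in seen:
            findings.append((f[0], client, seen[host], scheme, host))
    return findings

if __name__ == "__main__":
    for ts, client, name, scheme, ip in find_switches(SAMPLE_LOG):
        print(f"{ts} {client}: {name} (CONNECT) -> {scheme}://{ip}")
```

A plain-http hit on the IP right after tunneled requests by name means the browser was handed an IP-based URL inside the encrypted session, which the proxy cannot see or alter while tunneling.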
