RE: [squid-users] SSL and Reverse Proxy

From: Brad Taylor <btaylor@dont-contact.us>
Date: Wed, 25 Aug 2004 16:31:48 -0400

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Wednesday, August 25, 2004 6:30 AM
To: Brad Taylor
Cc: Henrik Nordstrom; Chris Perreault; squid-users@squid-cache.org
Subject: RE: [squid-users] SSL and Reverse Proxy

On Tue, 24 Aug 2004, Brad Taylor wrote:

> This should be the public domain name.
>
> -- I'm using it for testing. Will it work OK for testing?

Depends on your web server.

This has effect on what the Host header will be when the request is
forwarded to your web server.

> will "httpd_accel_with_proxy off" still use reverse cache? I only
> want squid to cache the accelerated web site.

Yes.

> why this? Does your web server require the use of a client
> certificate to access the server?
>
> -- Yes, client has to use https.

Yes, but do clients accessing your https:// backend web server directly
have to present a personal SSL certificate for authentication purposes to
your web server?

--- No, the client doesn't need anything other than to use https.

> Most likely you web server redirects the user back to 192.168.60.100.
>
> -- Why? Everything looks to be setup correctly, right? I've seen
> cache_peer talked about with SSL. Is that only for multiple Squid
> boxes?

Web servers very often send redirects. When they do, these redirects
contain the exact full URL, with what the web server thinks is its public
name and how it is supposed to be accessed.

When there is a mismatch between how the web server thinks it is supposed
to be accessed and real life (i.e. due to a reverse proxy in front), extreme
care needs to be taken to make sure the web server's idea of how it is
supposed to be addressed does not leak out to the user.

A trivial example is when you request a directory, but do not include the
trailing slash.

I.e. if index.html is the default index page configured on your server and
the server has the page http://example.com/marketing/index.html, and the
user then requests http://example.com/marketing (not
http://example.com/marketing/), the web server will send a redirect telling
the browser "to get the page you have requested you must go to
http://example.com/marketing/".

If you then have a reverse proxy in front of this listening on another
server name such as http://www.example.org/ then this redirect will move
the user off from the reverse proxy to trying to access
http://example.com/marketing/ directly.

To make things worse, many dynamic applications (CGI, ASP or whatever
dynamic technology) quite often render absolute URLs into the returned
HTML code with what the application thinks is the public URL by which the
application is supposed to be addressed. This means that even if the user
accessed http://www.example.org/economy_db/ it may be the case that the
HTML content returned by the application running there will contain
absolute links to http://example.com/economy_db/

--- I think this could be the problem. I got the SSL working on a non-ASP
site and it worked. So I know it is now the site but don't know how
I would fix this.

>> "log_mime_hdrs on", and study access logs of both Squid and you web
>> servers.
>
> 1093381355.430 21 192.168.60.154 TCP_MISS/302 492 GET
> http://192.168.60.100/ - DIRECT/192.168.60.100 text/html

This is not with "log_mime_hdrs on".

--- Here is log_mime_hdrs on, but not sure what it is telling me.

1093457746.469 27 192.168.60.154 TCP_MISS/302 495 GET http://dev2.autotask.com/ - DIRECT/192.168.60.100 text/html [Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\nHost: 192.168.60.129\r\nConnection: Keep-Alive\r\nCookie: CI=5\r\n] [HTTP/1.1 302 Object moved\r\nServer: Microsoft-IIS/5.0\r\nDate: Wed, 25 Aug 2004 18:15:50 GMT\r\nX-Powered-By: ASP.NET\r\nConnection: keep-alive\r\nLocation: https://dev2.autotask.com/Default.asp?\r\nConnection: Keep-Alive\r\nContent-Length: 121\r\nContent-Type: text/html\r\nSet-Cookie: ASPSESSIONIDQCDCCCSA=BABPPHACPKANJHCBGINIBKLO; path=/\r\nCache-control: private\r\n\r]

Received on Wed Aug 25 2004 - 14:31:50 MDT
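
The log line above already contains the evidence Henrik describes: the client sent "Host: 192.168.60.129" to Squid, and IIS answered with "Location: https://dev2.autotask.com/Default.asp?", a redirect to the name and scheme the backend believes it is reached by. The following script is an added example, not code from the thread or from the Squid project: it parses Squid native access.log lines written with "log_mime_hdrs on", and for every 3xx reply compares the host and scheme of the Location header against the Host header the client actually used. The three sample lines are constructed for the example (the first is adapted from the log in the message, with the long Accept header shortened); the field layout assumed is the native Squid format with the two bracketed header blocks appended, where Squid writes header line breaks as the literal characters backslash-r backslash-n.

```python
"""Flag backend redirects whose Location leaves the reverse proxy's public name.

Reads Squid native access.log lines written with "log_mime_hdrs on" and reports
3xx replies whose Location header names a host or scheme different from what
the client asked the proxy for. Sample lines are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Native log format with log_mime_hdrs on (assumed layout):
# time elapsed client result/status size method URL ident hierarchy/from
# content-type [request headers] [reply headers]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s+"
    r"\[(?P<req>.*?)\]\s+\[(?P<rep>.*?)\]\s*$"
)

# Squid writes each header line break as the four characters '\' 'r' '\' 'n'.
HDR_SEP = r"\r\n"


def parse_headers(block):
    """Turn a logged header block into a dict keyed by lower-cased header name."""
    headers = {}
    for item in block.split(HDR_SEP):
        if ":" not in item:
            continue  # status line, trailing '\r' fragment, or malformed entry
        name, _, value = item.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def host_only(hostport):
    """Strip an optional :port from a Host header or URL netloc."""
    return hostport.rsplit(":", 1)[0].lower() if hostport else ""


def check_redirect(line):
    """Return details of a redirect that points away from the public name, else None.

    None is returned for unparsable lines, non-3xx replies, relative Location
    values, and redirects that keep the scheme and host the client used.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    status = m.group("result").rsplit("/", 1)[-1]
    if not status.startswith("3"):
        return None
    req = parse_headers(m.group("req"))
    rep = parse_headers(m.group("rep"))
    location = rep.get("location")
    if not location:
        return None
    target = urlsplit(location)
    if not target.netloc:
        return None  # relative redirect stays on whatever name the client used
    requested = urlsplit(m.group("url"))
    # The Host header is the name the client really used; the URL column may
    # already have been rewritten to the accelerated host name by Squid.
    public_host = host_only(req.get("host")) or (requested.hostname or "")
    mismatch = []
    if host_only(target.netloc) != public_host:
        mismatch.append("host")
    if target.scheme.lower() != requested.scheme.lower():
        mismatch.append("scheme")
    if not mismatch:
        return None
    return {
        "client": m.group("client"),
        "requested": m.group("url"),
        "public_host": public_host,
        "location": location,
        "mismatch": mismatch,
    }


def find_leaks(lines):
    """Run check_redirect over an iterable of log lines and collect the findings."""
    return [finding for finding in map(check_redirect, lines) if finding]


# Constructed sample log. Line 1 is adapted from the message above: the client
# asked for 192.168.60.129 over http, IIS redirected to its own https name.
SAMPLE_LOG = [
    r"1093457746.469 27 192.168.60.154 TCP_MISS/302 495 GET http://dev2.autotask.com/ - DIRECT/192.168.60.100 text/html "
    r"[Accept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\nHost: 192.168.60.129\r\nConnection: Keep-Alive\r\n] "
    r"[HTTP/1.1 302 Object moved\r\nServer: Microsoft-IIS/5.0\r\nLocation: https://dev2.autotask.com/Default.asp?\r\nContent-Type: text/html\r\n\r]",
    # Missing trailing slash, but the backend redirects within the proxy's own name: fine.
    r"1093457750.000 12 192.168.60.154 TCP_MISS/301 300 GET http://www.example.org/marketing - DIRECT/192.168.60.100 text/html "
    r"[Host: www.example.org\r\n] [HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.example.org/marketing/\r\n\r]",
    # Ordinary cache hit, nothing to check.
    r"1093457751.000 3 192.168.60.154 TCP_HIT/200 2048 GET http://www.example.org/marketing/ - NONE/- text/html "
    r"[Host: www.example.org\r\n] [HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r]",
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(f"{finding['client']} asked for {finding['public_host']} "
              f"but was redirected to {finding['location']} "
              f"({', '.join(finding['mismatch'])} mismatch)")
```

Run against a real access.log the script reports each redirect that would pull a browser off the proxy, which is the quickest way to see whether the backend is answering with a name other than the one the proxy publishes. Absolute URLs rendered into HTML bodies, the second problem Henrik mentions, do not show up in headers and need a check on the response body instead.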
