[squid-users] Problem with Citrix and Squid 3 as Reverse Proxy

From: Kaddu, Patrick <KadduP@dont-contact.us>
Date: Tue, 26 Feb 2008 16:43:44 +0100

Hello everybody,
 
We are trying to replace the old NFUSE reverse proxy with Squid 3.0. Most
backend servers work fine (OWA, IIS, Cognos), but Citrix alone won't work.
We can reach the WI interface and the applications are shown, but when
you try to start any application in WI, we get a timeout. These messages
in my access.log show a Citrix connection on Squid:
 
access.log on Squid 3.0
 
1203953393.347 8 85.0.144.114 TCP_MISS/302 950 GET
http://wi1.bell.ch/Citrix/AccessPlatform/site/launcher.aspx? -
FIRST_UP_PARENT/30.209.130.25 text/html
1203953393.347 8 85.0.144.114 TCP_MISS/302 950 GET
http://wi1.bell.ch/Citrix/AccessPlatform/site/launcher.aspx? -
FIRST_UP_PARENT/30.209.130.25 text/html
1203953394.402 860 85.0.144.114 TCP_MISS/200 2767 GET
http://wi1.bell.ch/Citrix/AccessPlatform/site/launch.ica? -
FIRST_UP_PARENT/30.209.130.25 application/x-ica
1203953394.402 860 85.0.144.114 TCP_MISS/200 2767 GET
http://wi1.bell.ch/Citrix/AccessPlatform/site/launch.ica? -
FIRST_UP_PARENT/30.209.130.25 application/x-ica
1203953394.954 1 85.0.144.114 TCP_MISS/503 0 CONNECT
30.210.35.22:1494 - FIRST_UP_PARENT/30.210.35.22 -
1203953394.954 1 85.0.144.114 TCP_MISS/503 0 CONNECT
30.210.35.22:1494 - FIRST_UP_PARENT/30.210.35.22 -
 
 
I compiled Squid with SSL and disable-internal-dns
 
Squid3 conf
-----------------------------------------------------------------------------
 
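# squid.conf (Squid 3.0) for the bell.ch reverse proxy, as posted to squid-users.
# Directives that the mail client wrapped across two lines are re-joined here:
# squid.conf has no line continuation, so a wrapped directive does not parse.
# http_access and miss_access are first-match lists, so rule order matters.

# SSL

https_port 443 cert=/etc/squid/certs/bell.ch-cert.pem key=/etc/squid/certs/bell.ch-key.pem defaultsite=citrix1.bell.ch vhost

ssl_unclean_shutdown on

# Squid listens on...
#http_port 80 accel defaultsite=vm-iis01 vhost
#
# NOTE(review): basic-auth credentials sent to this plain-HTTP listener travel
# in clear text unless something in front of it redirects to 443 -- confirm.
http_port 80 accel defaultsite=citrix1.bell.ch vhost
#http_port 1494 accel defaultsite=citrix1.bell.ch vhost

# Authentication
# Basic auth checked against RADIUS; server address and shared secret are in
# the -f file, not in this config.

auth_param basic program /usr/local/libexec/squid_radius_auth -p 1645 -f /etc/squid/squid_radius_auth.conf
auth_param basic children 5
auth_param basic realm Squid Reverse Proxy
auth_param basic credentialsttl 5 minute
auth_param basic casesensitive off

# Auth ACL
acl radius-auth proxy_auth REQUIRED

# First http_access rule: a request with valid RADIUS credentials is allowed
# regardless of destination, so none of the later deny rules (for example
# "deny CONNECT !SSL_ports") apply to an authenticated client.
http_access allow radius-auth
#http_access allow all

# Citrix ACL

acl citrix_1494 port 1494
# NOTE(review): allows by destination port alone, with no auth ACL on the
# line -- confirm this is meant to be reachable without credentials.
http_access allow citrix_1494

# define internal backend servers

# cache_peer over SSL

# Server 1 wi

# login=PASS hands the client's credentials on to the origin server.
cache_peer 30.209.130.25 parent 80 0 no-query originserver front-end-https=on login=PASS name=vhost1
acl vhost1_domains dstdomain wi1.bell.ch wi1.bell-gruppe.ch
cache_peer_access vhost1 allow vhost1_domains
# NOTE(review): this allow and the vhost2..vhost5 allows below do not reference
# radius-auth.  Whether a request that carries no credentials falls through to
# them (and is then served unauthenticated) depends on how Squid 3.0 treats a
# missing-credential proxy_auth match on an allow line -- verify with a request
# that sends no Authorization header.
http_access allow vhost1_domains

# Server 2 mycognos

cache_peer 30.203.134.26 parent 80 0 no-query originserver login=PASS name=vhost2
acl vhost2_domains dstdomain mycognos1.bell.ch
cache_peer_access vhost2 allow vhost2_domains
http_access allow vhost2_domains

# Server 3 myintranet

cache_peer 30.203.34.45 parent 80 0 no-query originserver login=PASS name=vhost3
acl vhost3_domains dstdomain myintranet1.bell.ch
cache_peer_access vhost3 allow vhost3_domains
http_access allow vhost3_domains

# Server 4 mymail

# NOTE(review): sslflags=DONT_VERIFY_PEER switches off validation of the
# backend certificate on the proxy-to-mymail leg, so that hop does not
# authenticate the origin it talks to.
cache_peer 30.210.33.64 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on login=PASS name=vhost4
acl vhost4_domains dstdomain mymail1.bell.ch
cache_peer_access vhost4 allow vhost4_domains
http_access allow vhost4_domains

# Server 5 citrix

# NOTE(review): vhost5 is an HTTP origin on port 443.  Because of
# "never_direct allow all" below, every request -- including the
# "CONNECT 30.210.35.22:1494" seen in the posted access.log -- is routed to a
# cache_peer rather than to the port named in the request; presumably that is
# where the 1 ms TCP_MISS/503 comes from, since an originserver peer on 443
# cannot carry a tunnel to 1494.  Confirm in cache.log.
cache_peer 30.210.35.22 parent 443 0 no-query originserver login=PASS name=vhost5
acl vhost5_domains dstdomain citrix1.bell.ch
cache_peer_access vhost5 allow vhost5_domains
http_access allow vhost5_domains
#http_access allow citrix_1494


# Access Control List
# Server ACLs
acl webserver dst 30.209.130.14 30.210.33.64 30.238.33.12 30.203.5.22 30.210.33.89 30.203.134.26 30.209.130.25 30.210.35.22

# Connection ACLs

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# "local" and "to_localhost" are defined but not referenced by any
# http_access rule in this file.
acl local src 30.0.0.0/255.0.0.0
acl to_localhost dst 127.0.0.0/8

# Port ACLs

acl Safe_ports port 80 443 1494 2598 # http
acl SSL_ports port 443 1494 2598 # https
acl purge method PURGE
acl CONNECT method CONNECT

# ACLs for access from outside

acl url_allow url_regex -i ^https://mymail1.bell.ch/exchange.*$
acl url_allow url_regex -i ^https://mymail1.bell.ch/rpc/rpcproxy.dll.*$
acl url_allow url_regex -i ^https://mymail1.bell.ch/exchweb.*$
# The posted copy carried a stray "ccess Control / List" fragment (a piece of
# the "Access Control List" heading above) after this pattern; it is dropped
# here.  Note that this pattern already matches every mymail1.bell.ch URL, so
# the three patterns above it add nothing.
acl url_allow url_regex -i ^https://mymail1.bell.ch/.*$

# http access
# First-match: the comments mark rules that can never be reached because an
# earlier rule already decides the same requests.

http_access allow CONNECT SSL_ports
# Safe_ports is SSL_ports plus 80, so this also allows CONNECT to port 80 and
# makes the following deny unreachable.
http_access allow CONNECT Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manager localhost
# NOTE(review): allows by destination address alone, without radius-auth.
http_access allow webserver
# miss_access is first-match too: "allow all" decides every request, so the
# "miss_access allow webserver" and "miss_access deny all" lines are dead.
miss_access allow all
miss_access allow webserver
http_access allow url_allow
http_access allow SSL_ports
http_access deny !Safe_ports
http_access deny !SSL_ports
http_access deny all
miss_access deny all
# unreachable: "deny all" above ends evaluation
http_access deny manager
# all traffic goes through a cache_peer; nothing is fetched directly
never_direct allow all

# no caching
no_cache deny all

# These would have suppressed headers that reveal the proxy and origin
# software; as they are commented out, no header filtering is configured.
#header_access X-Cache deny all
#header_access X-Cache-Lookup deny all
#header_access X-Squid-Error deny all
#header_access Via deny all
#header_access Server deny all
visible_hostname remotelogin.bell-gruppe.ch
# every denied request is answered with a TCP reset instead of an error page
deny_info TCP_RESET all


# Tuning, debug, logs

debug_options ALL,1 33,2

cache_dir ufs /var/spool/squid 1800 256 256
# cache_access_log and access_log below both point at the same file;
# access_log is the Squid 3 form, so one of the two is redundant.
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_effective_user proxy
cache_effective_group proxy
# contact address shown on error pages; "*" looks like a placeholder -- confirm
cache_mgr *
access_log /var/log/squid/access.log squid

pid_filename /var/run/squid.pid

# timeout and error handling

retry_on_error on
read_timeout 15 minutes
half_closed_clients off
memory_pools on
positive_dns_ttl 24 hours
negative_dns_ttl 30 seconds
request_timeout 60 seconds
# NOTE(review): four-hour connect and persistent-connection timeouts are far
# above the shipped defaults (on the order of a minute); a stalled client can
# hold a descriptor and a peer connection for that long on an Internet-facing
# listener.
connect_timeout 4 hours
pconn_timeout 4 hours
ie_refresh on
emulate_httpd_log off
log_ip_on_direct on

error_directory /etc/squid/errors/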

----------------------------------------------------------------------------------
 
Squid is compiled with SSL enabled and disable-internal-dns
 
What am I doing wrong or missing? Can someone help ...
 
Thx.
 
best regards
 
Patrick
Received on Tue Feb 26 2008 - 08:43:55 MST
