[squid-users] Auth through HTTPS reverse proxy

From: Ben Hollingsworth <ben.hollingsworth@dont-contact.us>
Date: Tue, 04 Mar 2008 10:19:53 -0600

I've set up Squid 2.6.STABLE6 as a reverse proxy. It terminates SSL
connections using a wildcard cert and then passes the connections to
back-end servers using either HTTP or HTTPS. All works well for servers
that don't require any authentication (or which let the web application
handle its own authentication). However, when I try to use Apache's
native authentication to restrict directory access, any access through
the proxy always fails authentication. Access directly to the server
(bypassing the proxy) authenticates just fine, so it appears that
something about my Squid setup is causing authentication to break. This
happens regardless of whether the back-end is running HTTP or HTTPS.
The squid & apache logs don't tell me anything. I've looked over packet
dumps (on the HTTP side, of course), but I don't see the user/pwd
anywhere. Any ideas what I'm doing wrong?

Squid.conf: ("docs" is the server in question)

http_port 80 vhost
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.pem vhost
icp_port 0
cache_peer 172.26.6.159 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=cmaxx-app-peer
cache_peer 172.22.65.2 parent 80 0 no-query originserver name=docs-peer
cache_peer 172.22.66.208 parent 80 0 no-query originserver name=ocsapp-peer
cache_peer 172.22.66.206 parent 80 0 no-query originserver name=ocsinf-peer
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
maximum_object_size 0 KB
access_log /var/log/squid/access.log squid
url_rewrite_program /usr/local/bin/rewrite-http
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl sites_cmaxx-app dstdomain emr.bryanlgh.org cmaxx-app.bryanlgh.org
acl sites_docs dstdomain docs.bryanlgh.org
acl sites_ocsapp dstdomain ocsapp.bryanlgh.org
acl sites_ocsinf dstdomain ocsinf.bryanlgh.org
acl webserver dst 172.26.6.159 192.168.2.65 172.22.66.208 172.22.66.206 192.168.2.64 172.22.65.21
http_access allow webserver
miss_access allow webserver
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_peer_access cmaxx-app-peer allow sites_cmaxx-app
cache_peer_access docs-peer allow sites_docs
cache_peer_access ocsapp-peer allow sites_ocsapp
cache_peer_access ocsinf-peer allow sites_ocsinf
cache_mgr systems@bryanlgh.org
coredump_dir /var/spool/squid

/var/log/squid/access_log:

1204578261.272 226 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html
1204578308.668 620 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html
1204578567.765 707 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html
1204578646.323 262 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html
1204578807.803 736 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html
1204578834.523 37 209.50.21.242 TCP_MISS/401 859 GET https://docs.bryanlgh.org/ - FIRST_UP_PARENT/172.22.65.2 text/html

Apache access_log on docs web server:

198.203.245.64 - - [03/Mar/2008:15:09:27 -0600] "GET / HTTP/1.0" 401 484 "-" "Lynx/2.8.6rel.4 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/1.6.3"
198.203.245.64 - - [03/Mar/2008:15:10:46 -0600] "GET / HTTP/1.0" 401 484 "-" "Lynx/2.8.6rel.4 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/1.6.3"
198.203.245.64 - - [03/Mar/2008:15:13:27 -0600] "GET / HTTP/1.0" 401 484 "-" "Lynx/2.8.6rel.4 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/1.6.3"
198.203.245.64 - - [03/Mar/2008:15:13:54 -0600] "GET / HTTP/1.0" 401 484 "-" "Lynx/2.8.6rel.4 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/1.6.3"

Shell output from the "lynx" text-based web browser (after prompting
once for user/pwd):

> lynx https://docs.bryanlgh.org
Alert!: Unable to access document.
Looking up docs.bryanlgh.org
Making HTTPS connection to docs.bryanlgh.org
Verified connection to docs.bryanlgh.org (cert=*.bryanlgh.org)
Secure 128-bit TLS 1.0 (RSA_AES_128_CBC_SHA1) HTTP connection
Sending HTTP request.
HTTP request sent; waiting for response.
Alert!: Access without authorization denied -- retrying
Retrying with access authorization information.
Looking up docs.bryanlgh.org
Making HTTPS connection to docs.bryanlgh.org
Verified connection to docs.bryanlgh.org (cert=*.bryanlgh.org)
Secure 128-bit TLS 1.0 (RSA_AES_128_CBC_SHA1) HTTP connection
Sending HTTP request.
HTTP request sent; waiting for response.
Can't Access `https://docs.bryanlgh.org/'
Alert!: Unable to access document.
lynx: Can't access startfile
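Added example, not part of Ben's post: a small Python audit of the cache_peer lines above. It assumes the Squid 2.x behaviour that a client's Authorization header is forwarded to an originserver peer only when that cache_peer carries login=PASS (without it the origin never sees the credentials and answers 401, matching the logs above); the sample config is constructed from the post's four peers, with one peer given login=PASS so the audit has a passing case.

```python
# Audit squid.conf cache_peer lines for originserver peers that will not
# receive the client's Authorization header (assumption: Squid 2.x only
# forwards it to an originserver peer configured with login=PASS).

# Constructed sample based on the post's peers; the first directive uses
# squid.conf's backslash continuation, the last one is given login=PASS.
SAMPLE_CONF = """\
http_port 80 vhost
cache_peer 172.26.6.159 parent 443 0 no-query originserver ssl \\
    sslflags=DONT_VERIFY_PEER name=cmaxx-app-peer
cache_peer 172.22.65.2 parent 80 0 no-query originserver name=docs-peer
cache_peer 172.22.66.208 parent 80 0 no-query originserver name=ocsapp-peer
# constructed variant: credentials are passed through to this origin
cache_peer 172.22.66.206 parent 80 0 no-query originserver login=PASS name=ocsinf-peer
"""


def logical_lines(text):
    """Yield directives with comment lines dropped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield " ".join(buf.split())
        buf = ""


def parse_cache_peers(text):
    """Return one dict per cache_peer: name, host, type, port, originserver, login."""
    peers = []
    for line in logical_lines(text):
        parts = line.split()
        if len(parts) < 5 or parts[0] != "cache_peer":
            continue
        host, ptype, http_port = parts[1], parts[2], parts[3]
        opts = parts[5:]
        kv = dict(o.split("=", 1) for o in opts if "=" in o)
        flags = {o for o in opts if "=" not in o}
        peers.append({"name": kv.get("name", host), "host": host, "type": ptype,
                      "port": int(http_port), "originserver": "originserver" in flags,
                      "login": kv.get("login")})
    return peers


def audit_auth_passthrough(text):
    """Names of originserver peers whose clients' Authorization header is dropped."""
    return [p["name"] for p in parse_cache_peers(text)
            if p["originserver"] and p["login"] != "PASS"]
```

Running `audit_auth_passthrough(SAMPLE_CONF)` names the three peers that would reproduce the 401 loop, and docs-peer is among them.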

Received on Tue Mar 04 2008 - 09:18:58 MST
