Re: [squid-users] Squid Reverse Proxy w/ SSL and IIS Server - Auth problems

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 02 Jul 2008 01:02:38 +1200

Garry wrote:
> Amos Jeffries wrote:
>> Garry wrote:
>>> Hi,
>>>
>>> we have a problem with a (it would originally seem) rather simple
>>> setup ...
>>>
>>> A server is running 2.6.(20), multiple SSL certs take care of
>>> incoming connections on different ports for multiple servers. Servers
>>> are then referenced through a local redirect which replaces the
>>> original names sent to Squid with the internal HTTP addresses and
>>> ports. So far, everything works fine.
>>>
>>> Anyway, the problem begins with the authentication. While the auth
>>> works fine for anything like IE, Firefox, Opera and the likes on
>>> regular PCs, authentication itself works when someone connects using
>>> a mobile client (Windows Mobile), but as soon as not a get but a post
>>> is issued accessing any forms on the IIS app, the user auth isn't
>>> sent anymore, so all I get is the 401 ...
>>>
>>> I think I've read something on the net sometime somewhere, where a
>>> patch/change in the source would be required to correctly hand
>>> through auth requests from that crappy IIS ... but after many google
>>> searches, I just can't seem to find anything sufficient ...
>>>
>>> Any help appreciated ...
>>
>> Add "login=PASS" (exact text) to the cache_peer lines which redirect
>> traffic to IIS.
> I do not have any active cache_peer lines ... could that be the problem?

Part of it, yes. It's much better to make the primary web servers accept
their domain names (if they even need to care) and use cache_peer to do
the redirection with minimal alteration to the request.

That gets around a whole host of problems like this truncating of the
Auth headers, but also including port, and cookie re-writing, etc.

The only time you really need redirect in squid is when sub-directories
etc are being cut out or altered. That adds a whole set of problems by
itself.

> Squid operates solely as reverse proxy/accelerator, with many lines like
> these:
>
> http_port some.ip.address:80 accel defaultsite=www.doma.in
> https_port some.ip.address:443 cert=/etc/ssl/... key=/etc/ssl/... accel defaultsite=www.doma.in
>
> and:
>
> url_rewrite_program /usr/bin/redirect.pl
>
> with redirect.pl rebuilding the destination URLs ... (from e.g.
> https://www.doma.in/... into http://192.168.99.11/ )
>
>
> As mentioned, the current setup works fine unless you use that crappy
> Win Mobile w/ Mobile IE (or whatever is on them things). I'm waiting for
> answer on whether Opera would work ...
>
> One more thing: Querying the http version will work with the same mobile
> devices! Even though I see the same 401 messages, but followed with
> correct queries ...
>
> -gg

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Received on Tue Jul 01 2008 - 13:02:41 MDT
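
The cache_peer arrangement suggested in the reply, sketched as a squid.conf fragment using the placeholder addresses from the thread. This is an added example, not configuration posted by either participant; the peer name `iis_doma` and the ACL name `site_doma` are hypothetical labels, and backend port 80 is assumed from the `http://192.168.99.11/` target mentioned above.

```conf
# Before (as described in the thread): a helper rewrites every request URL
# to the internal address before Squid fetches it.
#   url_rewrite_program /usr/bin/redirect.pl

# After: the accelerator listeners stay as they were (the elided cert/key
# paths are left exactly as posted) ...
http_port some.ip.address:80 accel defaultsite=www.doma.in
https_port some.ip.address:443 cert=/etc/ssl/... key=/etc/ssl/... accel defaultsite=www.doma.in

# ... and the IIS box is declared as an origin-server peer instead of being
# reached through a rewritten URL. login=PASS tells Squid to pass the login
# details received from the client on to this peer.
# "iis_doma" is a hypothetical peer name.
cache_peer 192.168.99.11 parent 80 0 no-query originserver login=PASS name=iis_doma

# Route only this site's requests to that peer ("site_doma" is hypothetical).
acl site_doma dstdomain www.doma.in
cache_peer_access iis_doma allow site_doma
cache_peer_access iis_doma deny all

# Never try to resolve and contact the public name directly; always use the peer.
never_direct allow site_doma

# Must appear before the final "http_access deny all".
http_access allow site_doma
```

With this layout the request reaches IIS with its original Host header, so the backend has to accept `www.doma.in` as a site name, as the reply points out. The leg from Squid to 192.168.99.11 is plain HTTP, so any credentials passed through by login=PASS cross that internal segment unencrypted.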