RE: [squid-users] forward and reverse through one system

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 9 Feb 2009 10:22:05 +1300 (NZDT)

> Amos,
> See responses to your questions below.
> Thanks.
>
>
>> > I have one instance of squid configured for forward web proxy and
>> > accelerator for OWA (per the wiki). In order for users to avoid changing
>> > their proxy settings, I need the forward proxy to be able to access OWA
>> > going out and back in as follows:
>> >
>> > Host on internal net -> forward proxy -> accelerator -> OWA server on
>> > internal net
>> >
>> > It seems like this should work. When I try to access OWA from an
>> > internal host, the browser hangs and the following eventually appears in
>> > access.log:
>> >
>> > 1233516965.141 12567 [internal host IP] TCP_MISS/000 0 CONNECT
>> > owa.domain.com:443 - FIRST_UP_PARENT/[owa server IP] -
>> >
>> > Any ideas would be most appreciated.
>> >
>> > Thanks,
>> > Alan
>> >
>>
>> (Assuming you have squid-2.6 or later)
>
> 3.1.0.3
>>
>> The basic config:
>>
>> You can multi-mode squid. Ensure that the reverse-proxy settings are all
>> at the top of the squid.conf and any forward-proxy settings are following
>> at the bottom.
>> Also, the "http_access deny all" detailed to finish the reverse-proxy
>> config gets removed so that on non-reversed requests squid can drop
>> through and run the forward-proxy settings.
>
> Yup. That's the way it is. My complete config is posted on bug 2572.
>>
>> Specific to your loop-back problem:
>>
>> You need to adjust your reverse-proxy configuration to block the CONNECT
>> method being used to access the peers.
>
> Sorry, but can you elaborate on this?

The "internal net -> forward proxy" step of the chain uses a CONNECT request.

  # CONNECT is the standard "acl CONNECT method CONNECT" from the default squid.conf
  cache_peer_access BLAH deny CONNECT

is needed to force "internal net -> forward proxy -> accelerator(self)".

Otherwise requests like "CONNECT owa:443" will be optimized as "internal
net -> accelerator -> OWA", even though OWA does not handle CONNECT.

Blocking CONNECT to the peer forces the request down to the forward-proxy config,
which _is_ allowed to do the looping-back bit and de-tunneling of the CONNECT.

>>
>> Then check that the domain IP Squid resolves owa.domain.com to is its own
>> listening https_port.
>
> It does: a.b.c.96
>>
>> Amos
>>
>
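As an added example (not from this thread and not the Squid project's or the OWA wiki's own config), here is a squid.conf fragment laid out the way Amos describes: the accelerator section first, with no closing "http_access deny all" so non-OWA requests drop through, CONNECT denied to the origin peer so the forward-proxy rules handle it, and the forward-proxy section after. The names owa.domain.com and a.b.c.96 come from the thread; the peer name owaServer, the certificate paths, the localnet range and the [owa server IP] placeholder are assumptions.

```conf
# ---- Reverse-proxy (accelerator) section: must come FIRST ----
# Squid itself answers on a.b.c.96:443, which is what owa.domain.com resolves to.
# Certificate paths are assumed.
https_port a.b.c.96:443 accel defaultsite=owa.domain.com cert=/etc/squid/owa.pem key=/etc/squid/owa.key

# Origin server peer; "owaServer" is an assumed name, replace the placeholder IP.
cache_peer [owa server IP] parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=owaServer

acl OWA dstdomain owa.domain.com
# CONNECT is the standard method ACL; listed here in case the default block was trimmed.
acl CONNECT method CONNECT

# The fix from the thread: never send CONNECT to the origin peer.
# A "CONNECT owa.domain.com:443" from the internal net therefore goes DIRECT,
# i.e. back to a.b.c.96:443 above, where it is decrypted and accelerated.
cache_peer_access owaServer deny CONNECT
cache_peer_access owaServer allow OWA
cache_peer_access owaServer deny all

# Plain OWA requests (those already arriving on https_port) are allowed here.
http_access allow OWA !CONNECT
# NOTE: no "http_access deny all" at this point; everything else drops through.

# ---- Forward-proxy section: AFTER the accelerator rules ----
http_port 3128
acl localnet src 10.0.0.0/8          # assumed internal range
acl SSL_ports port 443
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports  # CONNECT only to 443
http_access allow localnet
http_access deny all
```

Check the file with "squid -k parse" before reloading. Once the peer denial is in place, the access.log entry for the CONNECT from an internal host should no longer show FIRST_UP_PARENT/[owa server IP] as in Alan's log line, because the tunnel is now opened DIRECT to Squid's own https_port instead of being handed to the origin peer.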
Received on Sun Feb 08 2009 - 21:22:09 MST
