RE: [squid-users] forward and reverse through one system

From: Alan Lehman <alehman_at_gbateam.com>
Date: Sat, 21 Feb 2009 13:23:44 -0600

> > >> Specific to your loop-back problem:
> > >>
> > >> You need to adjust your reverse-proxy configuration to block the
> > > CONNECT
> > >> method being used to access the peers.
> > >
> > > Sorry, but can you elaborate on this?
> >
> >
> > The "internal net -> forward proxy" step of the chain uses a CONNECT
> > request.
> >
> > cache_peer BLAH deny CONNECT
> >
> > is needed to force "internal net -> forward proxy ->
> accelerator(self)"
> >
> > Otherwise requests like "CONNECT owa:443" will be optimized as
> > "internal
> > net -> accelerator -> OWA ". Even though OWA does not handle CONNECT.
> >
> > Blocking CONNECT to peer, forces config down to the forward-proxy
> > config
> > which _is_ allowed to do the looping back bit and de-tunneling the
> > CONNECT.
> >
>
> As far as I can see, cache_peer doesn't allow a deny parameter, so I
> tried the following and get "the requested URL cannot be retried". At
> least it's not just hanging:
>
> cache_peer blah
>
> acl OWA dstdomain owa.domain.com
> http_access allow OWA
> miss_access allow OWA
> acl CONNECT method CONNECT
> cache_peer_access owa-server deny CONNECT
> cache_peer_access owa-server allow OWA
> never_direct allow OWA
>
> [normal forward proxy config below]
>
> Thanks,
> Alan

With the configuration above, the logs look like this:
access.log:
1235235368.181 0 172.16.7.203 TCP_MISS/503 0 CONNECT owa.domain.com:443 - NONE/- -
1235235368.428 163 172.16.7.203 TCP_MISS/304 326 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 -

cache.log:
-----END SSL SESSION PARAMETERS-----
2009/02/21 10:56:59| Failed to select source for '[null_entry]'
2009/02/21 10:56:59| always_direct = 0
2009/02/21 10:56:59| never_direct = 1
2009/02/21 10:56:59| timedout = 0

'[null_entry]' is curious. Shouldn't that be URL for OWA?

Playing with this same configuration, if I authenticate to OWA first via another proxy, then switch to this one, it will keep working until I restart the browser.

Is there some other way to accomplish deny CONNECT?

Thanks,
Alan
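
The 503 and "Failed to select source" above follow from Squid's first-match access-list semantics applied to the posted lists. The following simulator is an added example, not code from the thread or from Squid; it assumes host-name-only dstdomain matching, a single peer named owa-server, and an alternative never_direct ordering that is only there to show that line order changes the result.

```python
# Added example (not from the thread): first-match simulator for the ACL lists
# in the posted config. Assumed simplifications: host names only, no ports/auth.
from dataclasses import dataclass

ACLS = {  # from "acl OWA dstdomain owa.domain.com" and "acl CONNECT method CONNECT"
    "OWA": ("dstdomain", "owa.domain.com"),
    "CONNECT": ("method", "CONNECT"),
}

@dataclass
class Request:
    method: str
    host: str

def acl_matches(name, req):
    kind, value = ACLS[name]
    if kind == "method":
        return req.method == value
    if kind == "dstdomain":  # dstdomain also matches subdomains
        return req.host == value or req.host.endswith("." + value)
    raise ValueError(f"unsupported acl type {kind}")

def first_match(rules, req, default_if_empty):
    """Squid access-list semantics: the first matching line decides; with no
    match the answer is the opposite of the last line's action."""
    for action, acl in rules:
        if acl_matches(acl, req):
            return action == "allow"
    return rules[-1][0] != "allow" if rules else default_if_empty

def select_sources(req, peer_access, never_direct):
    """Candidate sources left after cache_peer_access (peer 'owa-server')
    and never_direct; an empty list is the 'Failed to select source' case."""
    sources = []
    if first_match(peer_access, req, True):        # no lines -> peer usable
        sources.append("owa-server")
    if not first_match(never_direct, req, False):  # no lines -> direct allowed
        sources.append("DIRECT")
    return sources

PEER_ACCESS = [("deny", "CONNECT"), ("allow", "OWA")]   # as posted
NEVER_DIRECT = [("allow", "OWA")]                       # as posted
# Assumed alternative ordering, only to show that line order changes the outcome.
NEVER_DIRECT_ALT = [("deny", "CONNECT"), ("allow", "OWA")]

if __name__ == "__main__":
    for req in (Request("CONNECT", "owa.domain.com"), Request("GET", "owa.domain.com")):
        print(req, select_sources(req, PEER_ACCESS, NEVER_DIRECT),
              select_sources(req, PEER_ACCESS, NEVER_DIRECT_ALT))
```

With the posted lists, "CONNECT owa.domain.com:443" is denied the peer and forbidden to go direct, so no source remains, which is the 503 in access.log; the plain GET to www.squid-cache.org matches neither list and goes DIRECT, as the second log line shows.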

Received on Sat Feb 21 2009 - 19:23:54 MST
