RE: [squid-users] RE: reverse proxy problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 27 May 2009 10:42:12 +1200 (NZST)

> Hi amos,
>
>
> Even after adding the suggested line it still doesn't work
>
>
> When I try to log in it doesn't work; in the log I see these messages:
>
> 1243318420.671 62 84.245.31.147 TCP_MISS/302 342 POST https://extranet.dikkenberg.net/tas/secure/j_security_check;jsessionid=7zzBU3-8Cqw1-CdYVB2 - FIRST_UP_PARENT/q-services -
>
>
> When I try the same thing but internally it works. Is it possible the
> website still tries
> to communicate directly with the client?
>
> Our network scheme looks like this:
>
>
> Web application -- DMZ > squid reverse proxy -- internet > client on the
> web

This is backwards for how HTTP works.
The _client_ initiates most connections so the proper way to model it is:
 Client->Squid->WebApp

If the WebApp makes outbound connects back to the client on its own things
get very sticky.
I think it's much more likely the WebApp is writing absolute URLs in its
pages. That may cause broken links. A quick dump of the response web
sources will show if that's the case.

Also check that public DNS for all domains the WebApp uses are pointing at
Squid.

If the WebApp uses special ports for anything, make sure Squid is also
listening for random input on those ports and can map them back to the
WebApp properly.

Amos

>
>
> Thanks for the help
>
>
> -----Original message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Tuesday 26 May 2009 6:06
> To: Bas van den Dikkenberg
> CC: Bas van den Dikkenberg; squid-users_at_squid-cache.org
> Subject: Re: [squid-users] RE: reverse proxy problem
>
>>
>>
>> Hello,
>>
>>
>> I have built a Squid reverse proxy for a web application called
>> topdesk.
>>
>> At first I get the starting page but when I log in I get some errors.
>>
>> Can someone please help and tell me what is going wrong?
>>
>> See log and config files below:
>>
>> Squid version squid-2.7.STABLE6 is running on Windows 2003 Server.
>>
>>
>> With kind regards,
>>
>>
>> Bas van Den dikkenberg
>>
>>
>>
>> The log file:
>>
>> 1243256982.937 0 84.245.31.147 TCP_MEM_HIT/200 3089 GET https://extranet.dikkenberg.net/tas/css/login.css? - NONE/- text/css
>> 1243256983.015 0 84.245.31.147 TCP_MEM_HIT/200 5305 GET https://extranet.dikkenberg.net/tas/tasimage/login/logo-prof-4.gif - NONE/- image/gif
>> 1243256983.015 0 84.245.31.147 TCP_MEM_HIT/200 5100 GET https://extranet.dikkenberg.net/tas/tasimage/login/login.jpg? - NONE/- image/jpeg
>> 1243256983.031 0 84.245.31.147 TCP_MEM_HIT/200 529 GET https://extranet.dikkenberg.net/tas/tasimage/login/loginbar.gif - NONE/- image/gif
>> 1243256983.171 0 84.245.31.147 TCP_MEM_HIT/200 5731 GET https://extranet.dikkenberg.net/favicon.ico - NONE/- -
>> 1243256989.031 16 84.245.31.147 TCP_MISS/302 342 POST https://extranet.dikkenberg.net/tas/secure/j_security_check;jsessionid=7zzBU3-8Cqw1-erXS02 - FIRST_UP_PARENT/q-services -
>> 1243258530.734 16 84.245.31.147 TCP_MISS/302 380 GET https://extranet.dikkenberg.net/tas/secure/j_security_check;jsessionid=7zzBU3-8Cqw1-erXS02 - FIRST_UP_PARENT/q-services -
>>
>
> None of these are errors. They are successful HITS or IMS requests.
> Any error that is occurring amid those requests is likely to be a browser
> failure to handle a URL so it never gets passed to Squid.
>
>
>>
>> My config looks like this:
>>
>> http_port 80 accel defaultsite=extranet.quaere.nl vhost
>> https_port 443 accel defaultsite=extranet.dikkenberg.net vhost cert=C:/squid/etc/extranet.dikkenberg.net.crt key=C:/squid/etc/extranet.dikkenberg.net.key defaultsite=extranet.dikkenberg.net
>>
>>
>> forwarded_for on
>>
>>
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>> cache_peer 192.168.0.55 parent 80 0 no-query no-digest originserver name=q-services login=PASS
>> acl sites_q-services dstdomain extranet.quaere.nl extranet.dikkenberg.net
>> acl our_sites2 dstdomain extranet.quaere.nl extranet.dikkenberg.net
>> cache_peer_access q-services allow sites_q-services
>
> Missing:
> http_access allow sites_q-services
>
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>>
>
> ... ah here it is, but with a different name.
> You may as well merge the two ACLs sites_q-services and our_sites2 into
> one name. They are identical.
>
>> http_access allow our_sites2
>> http_access allow manager all
>> http_access allow manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access deny all
>>
>>
>>
>> access_log c:/squid/var/logs/access.log squid
>> cache_mgr support_at_quaere.nl
>>
>>
>>
>>
>
>
>
Received on Tue May 26 2009 - 22:42:26 MDT
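
Added example, not part of the original thread and not Squid's own code: the "quick dump of the response" check suggested above, as a small Python script. It lists absolute URLs in a response's redirect headers and body whose host is not one of the proxied names from the posted config, or whose scheme differs from the client's request; the sample response and the paths in it are constructed.

```python
import re
from urllib.parse import urlsplit

# Hostnames from the dstdomain ACLs in the thread; public DNS for these
# is assumed to point at Squid.
PUBLIC_HOSTS = {"extranet.dikkenberg.net", "extranet.quaere.nl"}
ABS_URL = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
URL_HEADERS = ("location", "content-location", "refresh")


def find_bypassing_urls(raw_response, public_hosts=PUBLIC_HOSTS,
                        request_scheme="https"):
    """Return (where, url, reason) for each absolute URL worth reviewing."""
    head, _, body = raw_response.partition("\r\n\r\n")
    candidates = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in URL_HEADERS:
            candidates += [(name.strip(), u) for u in ABS_URL.findall(value)]
    candidates += [("body", u) for u in ABS_URL.findall(body)]

    findings = []
    for where, url in candidates:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in public_hosts:
            findings.append((where, url, "host is not a proxied site"))
        elif parts.scheme.lower() != request_scheme:
            findings.append((where, url, "scheme differs from the request"))
    return findings


# Constructed sample (not captured traffic): a login redirect and page
# fragment as an origin server behind the proxy might emit them.
SAMPLE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://192.168.0.55/tas/secure/index.jsp\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="https://extranet.dikkenberg.net/tas/">home</a>\n'
    '<img src="http://extranet.dikkenberg.net/tas/tasimage/login/login.jpg">\n'
    '<a href="/tas/secure/logout">relative link, follows the proxy</a>\n'
)

if __name__ == "__main__":
    for where, url, reason in find_bypassing_urls(SAMPLE):
        print(f"{where:10} {url}  <- {reason}")
```

Relative links and links to the proxied hostnames over the request scheme are not reported; anything that is reported is a URL the browser would follow without going through Squid the way the original request did.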
