Re: [squid-users] Squid Reverse Proxy issue

From: Chris Robertson <crobertson_at_gci.net>
Date: Tue, 28 Jul 2009 11:18:17 -0800

Eric Van Steenbergen wrote:
> Hello,
>
> I've setup successfully a Squid Reverse Proxy using the [B]How To Set
> Up A Caching Reverse Proxy With Squid 2.6[/B] although with some
> differences. I installed Squid 3 stable 16 on a Debian 5.0 Lenny
> server. I also installed it with SSL support, created my own
> self-signed wildcard certificate, LDAP authentication against our
> domain and everything.
>
> Everything is working fine, http, https, the certificate, ... but...
>
> I have like 6 http intranet sites and 1 https intranet site. I can
> successfully connect to the http sites using http://site1.domain.com
> but it also accepts https://site1.domain.com. The same, reverse, is
> true for the https site. I connect to https://sslsite.domain.com
> accept the exception for the certificate and get connected. But also
> using http://sslsite.domain.com I get connected to that site.
>
> 1. How do I have to change my configuration so that the https site is
> only accessible using https connection, dropping all that try to
> connect to that site using http?
>

Yes. You can deny, or redirect non-secure requests for a specific domain.

> 2. When I use https://site1.domain.com to connect to a http site,
> after authentication it changes the url to http://site1.domain.com.
> Does this mean that Squid detects that the destination site is a http
> site and changes the URL accordingly?

Not likely. You can perform the SSL termination on the Squid side and
have a non-secure channel between Squid and the back end. More likely
is the authentication method returns a non-secure URL.

> If this is true would my problem be solved by only accepting https connections?
>
> Here's my squid config. I really hope someone can help me out.
> [CODE]
> cache_mgr root
> # Basic parameters
> visible_hostname www.domain.com
> auth_param basic realm Domain Security Portal
>
> # This line indicates the server we will be proxying for
> http_port 80 defaultsite=www.domain.com vhost
>
> # And the IP Address for it - adjust the IP and port if necessary
> cache_peer XXX.XXX.XXX.73 parent 80 0 no-query originserver name=site1
> acl site_site1 dstdomain site1.domain.com
> cache_peer_access site1 allow site_site1
>
> cache_peer XXX.XXX.XXX.27 parent 80 0 no-query originserver name=site2
> acl site_site2 dstdomain site2.domain.com
> cache_peer_access site allow site_site2
>
> cache_peer XXX.XXX.XXX.21 parent 80 0 no-query originserver name=site3
> acl site_site3 dstdomain site3.domain.com
> cache_peer_access site3 allow site_site3
>
> cache_peer localhost parent 8080 0 no-query originserver name=acidbase
> acl site_acidbase dstdomain acidbase.domain.com
> cache_peer_access acidbase allow site_acidbase
>
> https_port XXX.XXX.XXX.78:443 accel cert=/etc/ssl/domaincert.pem
> key=/etc/ssl/domainkey.pem cafile=/etc/ssl/CA/cacert.pem
> defaultsite=sslsite.domain.com vhost protocol=https
> forwarded_for on
>

## If you want ONLY sslsite.domain.com to be accessed on the secure
channel, drop the "vhost" option to https_port. ##

> cache_peer XXX.XXX.XXX.84 parent 19080 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER front-end-https=on name=sslsite
> acl site_sslsite dstdomain sslsite.domain.com
> cache_peer_access sslsite allow site_sslsite
> acl https proto https
>
> acl apache rep_header Server ^Apache
>
> # Where the cache files will be, memory and such
> cache_dir ufs /var/spool/squid3 10000 16 256
> cache_mem 256 MB
> maximum_object_size_in_memory 128 KB
>
> # Log locations and format
> #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
>
> access_log /var/log/squid3/access.log combined
>
> cache_log /var/log/squid3/cache.log
> cache_store_log /var/log/squid3/store.log
> logfile_rotate 10
>
> hosts_file /etc/hosts
>
> # Basic ACLs
> # acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # https
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> auth_param basic program /lib/squid3/squid_ldap_auth -R -b
> "dc=domain,dc=com" -D "cn=ldapuser,cn=Users,dc=domain,dc=com" -w
> "password" -f sAMAccountName=%s -h ldapserver
> auth_param basic children 5
> acl ldap_users proxy_auth REQUIRED
>
> #
> # Add this at the top of the http_access section of squid.conf
> #
>

# Disallow non-secure connections to sslsite.domain.com
http_access deny site_sslsite !CONNECT !SSL_ports

#Disallow secure connections for any other domain
http_access deny !site_sslsite CONNECT SSL_ports

> http_access allow ldap_users
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access allow localhost
> http_access allow all
>

# Authenticated users are allowed to perform management functions, purge
objects from the cache and connect to your Squid server on ports other
than 80 and 443. Non authenticated users are not prohibited from
accessing your sites (they are just prohibited from performing
management functions, purging cache objects and connecting to ports 80
and 443). Anyone can use the CONNECT method on either port 80 or 443,
which allows tunneling traffic past your proxy.

> http_access allow all
> http_reply_access allow all
>
> icp_access allow all
>
> cache_effective_group proxy
>
> coredump_dir /var/spool/squid3
>
> emulate_httpd_log on
>
> redirect_rewrites_host_header off
>
> buffered_logs on
>
> # Do not cache cgi-bin, ? urls, posts, etc.
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> acl POST method POST
> no_cache deny QUERY
> no_cache deny POST
> [/CODE]
>
> Kind regards,
>
> Eric
>

Chris
Received on Tue Jul 28 2009 - 19:18:32 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 29 2009 - 12:00:05 MDT