Visser, Peter (ZGM) wrote:
> Hi,
>
> I am using Squid as a reverse proxy/SSL gateway. Clients can connect with HTTP and HTTPS. All internal connections to the webserver use HTTP. This way the proxy acts as a SSL off loader.
>
> Now an application I use, Roundcube webmail, which has the option of redirecting to HTTPS when using HTTP. But since all connection to webserver all always HTTP the application gets stuck in a loop. Since it will try to redirect and the proxy will undo the redirect.
>
As you say it's an option, one you need to turn off in order to meet
your desire of all squid->server traffic be HTTP-only.
Your Squid has the authoritative info about whether the request was
received over HTTP or HTTPS. Let it send the 302/303 redirect as it
should be.
> I found out that one way to solve this would be to use the x-forwarded-proto field so that the web application can recognize if the client is using SSL or not.
>
Ah, a custom header. One that makes all sorts of claims about the
network security situation. Claims which can't be verified. ie how do
you know it was *your* proxy which added it? and which step of a
multi-hop path across the Internet was the HTTPS one?
Theres a nice thread in the Tomcat developers discussing what to do
about multiple copies, miss-spellings, and the several alternative names
being used. Seems they even have real-life cases of whole sequential
strings of the header being received by web servers.
And some nginx admin(s) going around blaming Squid for this mess.
> Is there a way to get Squid to send this option (besides x-forwarded-for) to the web server? I search on the web but no luck so far.
>
Squid handles it like all unknown non-standard headers: Pass straight
through.
The security implications of allowing this to be trusted are dodgy to
say the least.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.6 Beta testers wanted for 3.2.0.1Received on Fri Aug 13 2010 - 14:01:30 MDT
This archive was generated by hypermail 2.2.0 : Fri Aug 13 2010 - 12:00:02 MDT