Re: [squid-users] forward and reverse proxy in 3.1.x https forward proxy failing

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 01 Nov 2010 20:56:38 +0000

On Mon, 1 Nov 2010 12:41:44 -0500, "Dean Weimer" <dweimer_at_orscheln.com>
wrote:
> I had an older machine that was still running 3.0 STABLE 12, that was
> functioning as a forward and reverse proxy using port 80 for both. And a
> reverse proxy for one site on Port 443, the machine sits in a DMZ the
> forward proxy only directs about to web sites for machines connected
> through WAN connections, and functions as a reverse proxy for those
> machines when connecting to a couple internal sites. This machine had a
> hardware failure last night and I was forced to put in place the newer
> machine that had already had the software installed but wasn't configured
> or tested yet.
>
> The problem I am having is that this machine running squid 3.1.9 functions
> fine as both forward and reverse for http websites, and is working for the
> reverse HTTPS site, though I had to use the sslproxy_cert_error acl method
> to bypass a cert error, even though the cert is valid, it's not accepting
> it. That's a minor problem though, as it's functioning. The more pressing
> problem is that HTTPS forward proxy is not working, the logs show an error
> every time stating a connect method was received on an accelerator port.
>
> 2010/11/01 12:26:43| clientProcessRequest: Invalid Request
> 2010/11/01 12:26:44| WARNING: CONNECT method received on http Accelerator port 80
> 2010/11/01 12:26:44| WARNING: for request: CONNECT armmf.adobe.com:443 HTTP/1.0
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
> Host: armmf.adobe.com
> Content-Length: 0
> Proxy-Connection: Keep-Alive
> Pragma: no-cache
>
> Is using the same port for both forward of http & https not allowed while
> using it for a reverse proxy anymore?

It's never been allowed. The ability in older Squid was a bug.
You will need a separate http_port line for the two modes if you want
CONNECT tunnels.

It's a good idea to keep each of the four modes (forward, reverse,
intercept and transparent) on separate http_port. From 3.1 onwards this is
being enforced where possible.

Amos
Received on Mon Nov 01 2010 - 20:56:42 MDT
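
The port separation described in the reply, sketched as a squid.conf fragment. This is an added example, not part of the original thread or the poster's configuration; the host name, addresses, certificate paths, client range and ACL names are placeholders chosen for illustration.

```conf
# Before (assumed shape of the failing setup): one port carries both modes.
# Squid 3.1 treats it as an accelerator port and refuses CONNECT on it.
# http_port 80 accel vhost

# After: one listening port per mode.
# Forward-proxy port. Browsers are configured to use this port, and
# CONNECT tunnels for HTTPS are accepted here.
http_port 3128

# Reverse-proxy (accelerator) ports for the internal sites.
http_port 80 accel vhost defaultsite=intranet.example.com
https_port 443 accel defaultsite=intranet.example.com cert=/path/to/site.pem key=/path/to/site.key

# Origin server behind the accelerator (constructed address).
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=intranet

# ACLs tying each kind of traffic to the port it arrived on.
acl wan_clients  src 10.0.0.0/8            # constructed client range
acl accel_sites  dstdomain intranet.example.com
acl forward_port myport 3128
acl accel_ports  myport 80 443
acl SSL_ports    port 443
acl CONNECT      method CONNECT

# Tunnels only to port 443, and only for known clients on the forward port.
http_access deny CONNECT !SSL_ports
http_access allow accel_ports accel_sites
http_access allow forward_port wan_clients
http_access deny all

# Only accelerated sites are sent to the origin peer.
cache_peer_access intranet allow accel_sites
cache_peer_access intranet deny all
```

With this layout the accelerator ports never see forward-proxy requests, so an open-relay mistake on one mode cannot be reached through the other mode's port.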
