RE: [squid-users] forward and reverse proxy in 3.1.x https forward proxy failing

From: Dean Weimer <dweimer_at_orscheln.com>
Date: Mon, 1 Nov 2010 16:20:55 -0500

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Monday, November 01, 2010 3:57 PM
> To: Dean Weimer
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] forward and reverse proxy in 3.1.x https forward
> proxy failing
>
> On Mon, 1 Nov 2010 12:41:44 -0500, "Dean Weimer" <dweimer_at_orscheln.com>
> wrote:
> > I had an older machine that was still running 3.0 STABLE 12, that was
> > functioning as a forward and reverse proxy using port 80 for both. And a
> > reverse proxy for one site on Port 443, the machine sits in a DMZ the
> > forward proxy only directs about to web sites for machines connected
> > through WAN connections, and functions as a reverse proxy for those
> > machines when connecting to a couple internal sites. This machine had a
> > hardware failure last night and I was forced to put in place the newer
> > machine that had already had the software installed but wasn't configured
> > or tested yet.
> >
> > The problem I am having is that this machine running squid 3.1.9 functions
> > fine as both forward and reverse for http websites, and is working for the
> > reverse HTTPS site, though I had to use the sslproxy_cert_error acl method
> > to bypass a cert error, even though the cert is valid, it's not accepting
> > it. That's a minor problem though, as it's functioning. The more pressing
> > problem is that HTTPS forward proxy is not working, the logs show an error
> > every time stating a connect method was received on an accelerator port.
> >
> > 2010/11/01 12:26:43| clientProcessRequest: Invalid Request
> > 2010/11/01 12:26:44| WARNING: CONNECT method received on http Accelerator port 80
> > 2010/11/01 12:26:44| WARNING: for request: CONNECT armmf.adobe.com:443 HTTP/1.0
> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
> > Host: armmf.adobe.com
> > Content-Length: 0
> > Proxy-Connection: Keep-Alive
> > Pragma: no-cache
> >
> > Is using the same port for both forward of http & https not allowed while
> > using it for a reverse proxy anymore?
>
> It's never been allowed. The ability in older Squid was a bug.
> You will need a separate http_port line for the two modes if you want
> CONNECT tunnels.
>
> It's a good idea to keep each of the four modes (forward, reverse,
> intercept and transparent) on separate http_port. From 3.1 onwards this is
> being enforced where possible.
>
> Amos

Thanks for the reply, Amos. I had come to that conclusion myself, about it not working anyway; I didn't realize it was a bug that allowed it in the old version, though. I have already configured an additional port and verified that it worked shortly after sending the first post. The majority of our PCs' browsers are set to use a configuration script, and that has been corrected with the new port. We have one application that has it in an INI file, which will be delivered in our nightly polling process. Now we just have to find the machines that are incorrectly set with a manual proxy setting and have them updated.

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co
Received on Mon Nov 01 2010 - 21:21:45 MDT
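
The port split discussed in this thread, sketched as a Squid 3.1 squid.conf fragment. This is an added example, not configuration posted by either participant; the hostnames, addresses, certificate paths and the forward port number 3128 are placeholders and assumptions.

```squidconf
# Constructed example: every hostname, address, path and port 3128 is a placeholder.

# Before: a single port serving both modes. Squid 3.1 logs
# "CONNECT method received on http Accelerator port 80" for HTTPS clients.
#   http_port 80 accel defaultsite=intranet.example.com vhost

# After: one listening port per mode.
http_port 3128                                              # forward proxy, CONNECT tunnels accepted
http_port 80 accel defaultsite=intranet.example.com vhost   # reverse proxy (HTTP)
https_port 443 accel cert=/path/to/site.pem key=/path/to/site.key defaultsite=secure.example.com

# Reverse-proxy side: the origin server and the sites it answers for.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=intranet_origin
acl accel_sites dstdomain intranet.example.com secure.example.com
cache_peer_access intranet_origin allow accel_sites
cache_peer_access intranet_origin deny all

# Tie each policy to the port the request arrived on, so the accelerator
# ports can never be used as an open forward proxy and vice versa.
acl forward_port myport 3128
acl accel_ports myport 80 443
acl wan_clients src 198.51.100.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny CONNECT !SSL_ports         # tunnels only to port 443
http_access allow accel_ports accel_sites   # accelerator: published sites only
http_access deny accel_ports
http_access allow forward_port wan_clients  # forward proxy: known client range only
http_access deny all
```

Clients with a manual proxy setting still pointing at port 80 will keep producing the accelerator-port warning in cache.log until they are moved to the forward port.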
