Re: [squid-users] Dealing with HTTP redirects from server on HTTPs proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 11 Jan 2011 14:03:23 +1300

On 11/01/11 02:59, r.cazenave_at_free.fr wrote:
>
> ----- "Amos Jeffries"<squid3_at_treenet.co.nz> wrote:
>
>> On 04/01/11 08:03, r.cazenave_at_free.fr wrote:
>>> Dear all,
>>>
>>> I am facing an issue with Squid configuration for which hopefully you
>>> will be able to help.
>>>
>>> The web server is using http only and is sending redirection (HTTP
>>> messages 302) towards its full URL, as in
>>> http://172.16.28.43:3080/site/redirect_login.do.
>>>
>>> Squid proxy (v3) is configured as reverse proxy to handle only HTTPS
>>> request from clients (actually any other ports than 443 are blocked
>>> by in-between firewall).
>>>
>>> The proxy is working as expected and is correctly handling clients
>>> requests and is replacing in server redirects the IP address:port by
>>> its own address and thus client receives the following:
>>> 302:http://mydomain.com/site/redirect_login.do.
>>
>> ?? Squid v3 is not yet capable of re-writing server redirect responses
>> as you have described. The location_rewrite feature is needing a port
>> from 2.x to 3.x. Do you have a patch to submit to squid-dev mailing
>> list?
>>
> My mistake, it is actually done by the Web server directly, not by Squid.
>
>>>
>>> The remaining issue for which I am seeking help is protocol, I would
>>> like that http:// is translated to https:// by squid proxy. Without
>>> this, the client is then trying to connect to port 80 using http
>>> which is discarded by the firewall. I have tried redirector programs
>>> but it is not working (I suppose it translates only requests from
>>> client).
>>
>> It sounds like a working redirector for you would be writing https:// in
>> the URL instead of http://. This is easily fixed by altering whatever
>> redirector you are using for Location: header re-write.
>>
> Can this be done in squid ? (I cannot modify web server)
>>
>> The best way to do redirects in reverse-proxy is with deny_info before
>> the request ever gets to the server. Define a deny_info with https://
>> protocol URL and the client will get that.
>>
>> What I suggest is this at the top of your squid.conf:
>>
>> acl HTTP proto HTTP
>> deny_info https://mydomain.com/site/redirect_login.do HTTP
>> http_access deny HTTP
>>
>>
>> Amos
>
> Thank you Amos for your proposal. It is not completely solving the issue as it
> means I have to open the http port which was rejected before.

So where are the inbound HTTP requests coming from, if not from the HTTP port?

NP: "proto" ACL tests the http:// part of URL texts. The request can
actually arrive on any port.

> The remaining problem is also that I have redirects on all my web server pages
> so my next question: is it possible to redirect to a specific page depending on
> the page requested by client ? Meaning that if client requests
> http://mydomain.com/site/menu.do, it is redirected to
> https://mydomain.com/site/menu.do ?
> I tried deny_info https://mydomain.com/site/%R HTTP but %R is not resolved, and
> client tries to connect to https://mydomain.com/site/%R

Yes ... but. To do the macro-based URLs requires squid-3.2 beta software.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Tue Jan 11 2011 - 01:03:27 MST
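
The Location: header rewrite discussed in this thread, sketched as an added example that is not part of the original message and is not Squid code. It upgrades only redirects that point back at the proxied site and leaves relative and third-party redirects alone, so the rewrite cannot be used to vouch for a foreign host. The function name, PUBLIC_HOST and SITE_ORIGINS are assumptions built from the thread's example URLs; how it is wired into a redirector is left open.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values, taken from the example URLs quoted in the thread.
PUBLIC_HOST = "mydomain.com"
# (host, port) pairs whose redirects belong to the proxied site.
SITE_ORIGINS = {("mydomain.com", 80), ("172.16.28.43", 3080)}


def rewrite_location(location, public_host=PUBLIC_HOST, site_origins=SITE_ORIGINS):
    """Return the Location value a client behind the HTTPS-only proxy should see."""
    parts = urlsplit(location)

    # Relative redirects inherit the client's https:// scheme already.
    if not parts.scheme and not parts.netloc:
        return location

    # Only plain-HTTP absolute URLs need upgrading.
    if parts.scheme.lower() != "http":
        return location

    try:
        port = parts.port or 80
    except ValueError:
        return location  # malformed port: pass through untouched

    # hostname strips any userinfo, so "http://mydomain.com@other/" is
    # matched on "other", not on the text before the "@".
    host = (parts.hostname or "").lower()
    if (host, port) not in site_origins:
        return location  # third-party redirect: do not rewrite

    # Same path, query and fragment, on the public HTTPS name and default port.
    return urlunsplit(
        ("https", public_host, parts.path or "/", parts.query, parts.fragment)
    )
```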
