[squid-users] Re : [squid-users] Running squid in both accel and forward mode on the same port

From: Toto Toto <toto24398_at_yahoo.com>
Date: Wed, 18 May 2011 12:57:49 +0100 (BST)

Thank you very much for this answer, Amos. I've tried the suggested settings but it did not solve my problem. The purpose of the config I'm looking for is not to have a reverse proxy allow CONNECT. It is rather to have the proxy server behave like a reverse proxy on GET and POST requests and as a forward proxy, forwarding to localhost or to localnet on CONNECT requests, while receiving these various requests on the same port. This works with Apache. Hence I thought I could find a way to have it work with Squid.

Here is the simplified code I use in Apache:

    <VirtualHost ip-my-virtual-host:port-my-virtual-host>
    BLABLABLA
    <IfModule mod_proxy.c>
        ProxyRequests On
        <IfModule mod_proxy_connect.c>
            AllowConnect 22
        </IfModule>
        <ProxyMatch mysshserver.domain.name:22>
            Allow from authorized-ips
            Deny from all
            Order Deny,Allow
        </ProxyMatch>
    </IfModule>
    ProxyPass / http://www.mysite.com
    </VirtualHost>

I thought it might work with Squid if, instead of following the highlighted comment #1 in the example reverse config and placing my reverse proxy http_access directives there, I placed the following block lower in the http_access block, hoping that my forward requests would hit an http_access rule before being accelerated.

> ################################
> acl our_sites dstdomain www.mysite.com
> http_access allow our_sites
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> ################################

This did not work either. I guess I will not be able to obtain the config I'm looking for without: (i) amending this line: http_port X.X.X.X:80 accel defaultsite=www.mysite.com with an allow-direct option; and (ii) using: (a) an allow_direct rule; and (b) a cache directive to avoid replies being cached (which should address some of your concerns).

Thanks.

C

----- Original Message -----
From: Amos Jeffries <squid3@treenet.co.nz>
To: squid-users@squid-cache.org
Sent: Wed 18 May 2011, 4:25:26
Subject: Re: [squid-users] Running squid in both accel and forward mode on the same port

On Wed, 18 May 2011 01:24:39 +0200, Cedric Lor wrote:
> Hi
>
> I'm running squid Version 2.7.STABLE9 on a FreeBSD.
>
> I have only one external IP. I'm trying to set up squid so that it
> would be running on a single port in accel mode and in forward proxy
> mode.

This is *highly* unsafe. It opens your network to poisoning attacks as outlined in CVE-2009-0801.

Use two http_port's. One for forward and one for reverse traffic.

> The idea is to be able to access other services via the Connect
> method on the server, for instance ssh, in order to carry out
> maintenance work on the server as necessary while serving, on a
> backend server on the loopback. I use proxytunnel on a client machine
> to send Connect method and establish a tunnel through Squid to the
> local interface.
>
> When I configure Squid in pure forward proxy, Squid connecting to port
> 22 works seamlessly.
>
> However, when I configure Squid to combine reverse and forward, my
> client gets the following answer upon connection with Squid: HTTP
> return code: 400 Bad Request

CONNECT is an illegal method in reverse-proxy traffic. The URL provided is incomplete and cannot be used by a reverse-proxy to reconstruct an HTTP request. This is particularly bad when the protocol inside CONNECT is not HTTP anyway.

> I've done this in the past with an Apache server (ProxyRequest On
> together with a ProxyPass command) so I'm pretty sure Squid should let
> me do it. But I could not find any configuration example, whether on
> Squid's site or on the internet.

mod_proxy operates like a Squid URL re-writer. All the same behaviour and problems.

<snip>

> - Squid:
> ---------------------------------------------------------
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.1/32

Change:
  acl to_localhost dst 127.0.0.1/32 0.0.0.0/0

> acl to_all dst all
>
> acl SSL_ports port 80 22
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 22 # ssh
>
> acl CONNECT method CONNECT
> ---------------------------------------------------------
> http_access allow manager localhost
> http_access deny manager
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow to_localhost Safe_ports

to_localhost is customized to prevent malicious DNS entries allowing attacks to bypass security. The intended use is:
  http_access deny to_localhost

Since you seem not to want that, remove it completely.

> http_access allow localhost

Change that:
  http_access allow localhost CONNECT

> ################################

NOTE: highlighted comment #1 in the documentation is...
  * This configuration MUST appear at the top of squid.conf above any other forward-proxy configuration
...
Do that.

> acl our_sites dstdomain www.mysite.com
> http_access allow our_sites
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> ################################
>
> http_access deny all !to_localhost

Change:
  http_access deny all

> ---------------------------------------------------------
> icp_access allow localnet
> icp_access deny all
>
> ---------------------------------------------------------
> http_port X.X.X.X:80 accel defaultsite=www.mysite.com

Amos
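One way to lay out the configuration Amos recommends in the thread above (two listeners so accelerated and forward traffic never share a port, the accel block first in squid.conf, CONNECT limited to authorized sources and port 22), written as an added example and not the config of either poster; the forward port 3128 and the admin source range 192.0.2.0/24 are assumptions, and X.X.X.X is the placeholder used in the thread.

```squid
# Added example following the advice in the thread above (Squid 2.7 syntax).
# Separate listeners keep reverse-proxy (accel) and forward CONNECT traffic
# apart, which is the mitigation for the CVE-2009-0801 poisoning concern.
# X.X.X.X, port 3128 and the 192.0.2.0/24 admin range are placeholders.

# --- reverse-proxy (accel) section: MUST appear first in squid.conf ---
http_port X.X.X.X:80 accel defaultsite=www.mysite.com

acl our_sites dstdomain www.mysite.com
http_access allow our_sites
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow our_sites

# --- forward-proxy section: a second listener for the maintenance tunnel ---
http_port X.X.X.X:3128

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32 0.0.0.0/0     # as Amos suggests; denied below
acl admins src 192.0.2.0/24                     # constructed: who may open the tunnel
acl ssh_host dst 127.0.0.1/32                   # the loopback sshd the tunnel targets
acl SSL_ports port 22                           # only ssh is tunnelled, not 80
acl Safe_ports port 80 22
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# CONNECT is allowed only from admins, only to port 22 on the loopback sshd,
# and must be allowed before the to_localhost deny that protects everything else
http_access allow CONNECT admins ssh_host SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny all
```

A CONNECT arriving on the accel port 80 still gets the 400 the thread describes; the tunnel client must point at port 3128, where the http_access rules above decide.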
Received on Wed May 18 2011 - 11:57:56 MDT
