Re: [squid-users] Squid 3.2, reverse proxy, deny_info http/https redirect problems.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 22 Mar 2012 13:10:53 +1300

On 22.03.2012 12:20, Cliff Hill wrote:
> I'm hoping someone can help me here. I'm a bit stumped. I recently
> upgraded my Squid 3.1 to Squid 3.2.0.16, because I am attempting to be
> able to have deny_info with the new URL formatting for my reverse
> proxy configurations so that I can pass whatever someone uses with
> http:// to be transformed automatically into https://.
>
> Anyway, here's the problem I'm having -- after building and deploying
> my squid 3.2 server successfully, I no longer am getting a redirect
> performed at all on my browsers. Without changing the relevant
> components of my squid.conf file from how they worked in 3.1, they
> just aren't working in 3.2 at all.
>
> Here's some details -- squid.conf contains the following:
>
>> http_port 80 accel defaultsite=darkhelm.org
>> ...
>> cache_peer 10.18.75.1 parent 80 0 no-query originserver login=PASS name=xlorep
>> acl sites_xlorep url_regex ^https://xlorep\.darkhelm\.org
>> cache_peer_access xlorep allow sites_xlorep
>> http_access allow sites_xlorep

Equivalent to:
  acl HTTPS proto HTTPS
  acl xlorep dstdomain xlorep.darkhelm.org
  cache_peer_access xlorep allow HTTPS xlorep
  http_access allow HTTPS xlorep

>> acl http_xlorep url_regex ^http://xlorep\.darkhelm\.org
>> http_access deny http_xlorep
>> deny_info https://xlorep.darkhelm.org http_xlorep
>> ...
<snip>

NOTE: both of these regex should never have matched in 3.1. defaultsite
explicitly forces the URI to be "http://darkhelm.org/..." unless the
vhost option is enabled. It is disabled by default on 3.1 and older.
3.2 uses HTTP/1.1 where vhost is enabled by default. So the regex ACL
might start operating now as you seem to have intended them to.

>
> I'm running this all on a Debian Squeeze server.
>
> When I telnet to the squid server, and make a get request for
> http://xlorep.darkhelm.org, I get the following:
>
>> root_at_morsh:/etc/squid3# telnet localhost 3128
>> Trying ::1...
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> GET http://xlorep.darkhelm.org

An HTTP "0.9" format request. HTTP validation is not done beyond the
URL parsing.

>> HTTP/1.1 302 Moved Temporarily
>> Server: squid/3.2.0.16
>> Mime-Version: 1.0
>> Date: Wed, 21 Mar 2012 23:14:25 GMT
>> Content-Type: text/html
>> Content-Length: 0
>> Location: https://xlorep.darkhelm.org
>> X-Squid-Error: 403 Access Denied
>> X-Cache: MISS from morsh
>> X-Cache-Lookup: NONE from morsh:80
>> Via: 1.1 morsh (squid/3.2.0.16)
>> Connection: close
>>
>>
>> Connection closed by foreign host.
>
>
> which appears to me to be what I need it to be, a redirect request
> that sends me to the corrected address.

Confirmed. It is working.

>
> However whenever I try to go there with a web browser, it just hangs,
> and never actually gets redirected.
>
> Right now, I just want it to simply redirect http:// to https:// for
> my cache_peers. Can anyone help me?

With the above config...

. The client sends traffic to Squid via port 80. Meaning client<->squid
traffic is plain HTTP.

.. Your access control and deny_info bounces the client to an
"https://" URI.

... The client should then dutifully connect to port 443 (HTTPS).

What happens then? Your displayed config does not show.

Amos
Received on Thu Mar 22 2012 - 00:10:58 MDT
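
The two hops described in the reply above (the 302 on port 80, then the client's connection to the https port) can be checked separately from the client side. This is an added example, not part of the original thread: it extracts the https target from a redirect like the one in the telnet output and classifies the follow-up TCP connection. The function names and the sample response (rebuilt from headers quoted in the thread) are assumptions of this example.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample: a subset of the headers shown in the telnet output above.
SAMPLE = (b"HTTP/1.1 302 Moved Temporarily\r\n"
          b"Server: squid/3.2.0.16\r\n"
          b"Location: https://xlorep.darkhelm.org\r\n"
          b"X-Squid-Error: 403 Access Denied\r\n"
          b"Connection: close\r\n\r\n")

def redirect_target(raw_response: bytes):
    """Return (host, port) of an https:// Location in a 3xx response, else None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)          # e.g. ["HTTP/1.1", "302", "Moved ..."]
    if len(parts) < 2 or not parts[1].isdigit() or not 300 <= int(parts[1]) < 400:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            url = urlsplit(value.strip())
            if url.scheme == "https" and url.hostname:
                return url.hostname, url.port or 443   # 443 is the https default
    return None

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect attempt: 'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered, nothing is listening on the port
    except socket.timeout:
        return "timeout"      # no answer at all; a browser would appear to hang
    except OSError:
        return "unreachable"  # DNS failure, no route, and similar

if __name__ == "__main__":
    # Parsing works offline; call probe(*target) from the client's own network.
    target = redirect_target(SAMPLE)
    print("redirect points at", target)
```

A result of "open" from `probe` only shows that something accepts TCP connections on that port; whether it speaks TLS and forwards to the right cache_peer still has to be checked against the proxy's configuration.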
