Re: [squid-users] Squid 3.2, reverse proxy, deny_info http/https redirect problems.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 23 Mar 2012 15:59:33 +1300

On 23/03/2012 4:30 a.m., Cliff Hill wrote:
> Yes, my config used to have the "vhost" defined in it, however with
> 3.2, I found out it wasn't needed any more, so I cleared it up, in an
> effort to figure out what is going on.

Okay that makes sense.

>
> I guess I need to show the whole config. I'll also note I am using it
> as a reverse proxy, as well as a transparent proxy for my local
> network's access to the internet, with caching. I have it using
> squidGuard for some things, and I used to tie in squidclamav as an
> icap service, however it caused a massive performance hit on page
> loading times, so I disabled it, but still have some configuration
> directives in place that are for icap.

Is it the reverse-proxy or intercepted traffic which is hanging on
https:// ?

I can't see anything obvious in the config which would cause that.

It might be related to what squidguard is doing, or to SSL negotiation
issues, or even packet delivery issues.

>
> I will gladly admit that I'm not extremely proficient in how the
> config file should work, I'm mostly just scouring through the
> squid-cache wiki, and anything I can Google to figure out what I need.
> However, there is very little I'm finding with regards to my current
> problem.
>
> Here's my config file in its entirety:
> ---------------------------------------------------------------------------------------------------------------
>
> # SQUID 3.2.0.16
> # --------------
>
> http_port 80 accel defaultsite=darkhelm.org
>
> https_port 443 cert=/home/darkhelm/keys/CertAuth/maincert.cert key=/home/darkhelm/keys/CertAuth/mainkey.pem accel defaultsite=darkhelm.org
>
> redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>
> # Security ACL, force username/password login. See music below.
> auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl ncsa_users proxy_auth REQUIRED

Small trick specific to 3.2 which you can add right after the auth:

   acl HTTPS proto HTTPS
   acl requireHTTPS dstdomain .darkhelm.org
   http_access deny !HTTPS requireHTTPS
   deny_info 307:https://%H%R requireHTTPS

That takes care of all the http->https redirection in one quick check
regardless of what URL was requested.

You can then drop the regex and simplify down to the more normal
dstdomain ACLs in your reverse-proxy config.

Amos
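To make the semantics of the four-line trick above concrete, here is an added model (not Squid code and not from this thread) of how the `http_access deny !HTTPS requireHTTPS` line and its `deny_info 307:https://%H%R` pair behave for a handful of constructed request URLs. It assumes Squid's documented meanings: a leading dot in `dstdomain` matches the domain and every subdomain, all ACLs on one `http_access` line are ANDed, `%H` is the request host and `%R` the request path (taken here to include the query string).

```python
from urllib.parse import urlsplit

# acl requireHTTPS dstdomain .darkhelm.org  (value taken from the thread)
REQUIRE_HTTPS_DOMAIN = ".darkhelm.org"


def dstdomain_matches(host: str, pattern: str) -> bool:
    """Model of Squid's dstdomain ACL: a leading dot matches the domain
    itself and any subdomain; without the dot it is an exact match."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def evaluate(url: str):
    """Return (verdict, status, location) for one request URL.

    Models the pair
        http_access deny !HTTPS requireHTTPS
        deny_info 307:https://%H%R requireHTTPS
    A deny fires only when BOTH terms on the line match, i.e. the request
    is plain http AND the destination is under .darkhelm.org.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    is_https = parts.scheme.lower() == "https"          # acl HTTPS proto HTTPS
    needs_https = dstdomain_matches(host, REQUIRE_HTTPS_DOMAIN)
    if not is_https and needs_https:
        # deny_info: %H -> request host, %R -> request path (+query, assumed)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return ("deny", 307, f"https://{host}{path}")
    # Any other request falls through to the remaining http_access lines.
    return ("allow", None, None)


if __name__ == "__main__":
    # Constructed sample requests, one per case the thread cares about.
    for u in ("http://darkhelm.org/",
              "http://www.darkhelm.org/music?track=3",
              "https://darkhelm.org/",
              "http://notdarkhelm.org/"):
        print(u, "->", evaluate(u))
```

Because the deny line sits before the reverse-proxy allow rules, only plain-http requests for the protected domain are answered with the 307; https requests and other origins are untouched, which is the "one quick check regardless of what URL was requested" behaviour described above.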
Received on Fri Mar 23 2012 - 02:59:45 MDT