Re: [squid-users] SSL tunnel for soon to go Live site not working

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 08 Oct 2013 15:17:34 +1300

On 8/10/2013 3:01 a.m., IggyDolby wrote:
> Hi I'm a Squid newbie and need to configure Squid to proxy HTTP and HTTPS
> (Tunnel) requests from external users on Browsers and iPads and resolve to
> an IP address where the DNS has not been switched yet.
> We can manually change the iPads proxy configuration to point to this proxy.
> The site has a Browser popup authentication on the first redirect from HTTP
> to HTTPS.
> I never see the browser popup....
> I am able to configure Squid properly I believe for HTTP proxy
>
> But when I request an HTTPS page I get this error:
>
> 1381116961.902 0 xxx.xxx.xx NONE/400 3841 CONNECT
> error:method-not-allowed - NONE/- text/html
>
> On an HTTP request I actually get the page:
> 1381116975.786 60 xxx.xxx.xx TCP_MISS/200 551 GET
> http://m.xxxxxxx.com/healthcheck/healthcheck.html - FIRST_UP_PARENT/myAccel
> text/html
>
>
> This is my squid.conf
<snip>
> acl our_sites dstdomain m.xxxxx.com
> http_access allow our_sites
> cache_peer xx.xx.xx.xx parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel deny all
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> #http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
>
> http_port 80 defaultsite=m.xxxxx.com

The defaultsite= parameter implies "accel" mode (reverse-proxy). CONNECT
is an HTTP method reserved for use between a client and a proxy. It is
not permitted to be used directly on origin servers or reverse-proxies.
Thus the 400.

If I am understanding your requirements description properly what you
need can be served by the default Squid configuration with a cache_peer.

So:
* change http_port back to 3128 and remove the defaultsite= option.

* configure your browser and clients to use port 3128 instead of port 80
for the proxy.

Your test should start working with just those changes.

Regarding the never_direct rule and "our_sites" ACL. You may or may not
want to use them. This is what they will do for you:

* "never_direct allow all" will force all traffic through this proxy to
use the cache_peer.

* the http_access and cache_peer_access use of our_sites restricts
acceptable traffic to only the domains listed in our_sites. Any other
requests will get rejected with a CANNOT_FORWARD error.

Amos
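Putting the two changes from this reply together, as an added example that is not from the original thread or from the Squid project's own configuration: the accel-mode listener from the question beside a plain forward-proxy listener on 3128, with the cache_peer, never_direct and our_sites restriction retained and the default port ACLs spelled out. The domain, peer address and ACL definitions are placeholders or default squid.conf lines, not values from the thread.

```conf
# --- Before (as posted): defaultsite= switches the listener into
# reverse-proxy (accel) mode, where CONNECT is answered with 400.
# http_port 80 defaultsite=m.example.com

# --- After: ordinary forward-proxy listener; clients point at :3128.
http_port 3128

# Port ACLs as shipped in the default squid.conf (the posted config
# references Safe_ports and SSL_ports without showing their definitions).
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

# Only the site being migrated is proxied (placeholder domain).
acl our_sites dstdomain m.example.com

# Origin server at its not-yet-published address (placeholder IP).
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

# Never resolve and fetch directly; everything must go via the peer.
never_direct allow all

# Access control: re-enable the hardening lines the posted config had
# commented out, then allow only our_sites. Other domains are refused
# here; anything that did get past http_access would still be stopped
# by cache_peer_access and, with never_direct, fail as CANNOT_FORWARD.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow our_sites
http_access deny all
```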
Received on Tue Oct 08 2013 - 02:17:49 MDT

This archive was generated by hypermail 2.2.0 : Tue Oct 08 2013 - 12:00:21 MDT