[squid-users] RE: Reverse Proxy Configuration redirects to HTTP rather than HTTPS [NOT PROTECTIVELY MARKED]

From: John Gardner <John.Gardner_at_southtyneside.gov.uk>
Date: Tue, 8 Oct 2013 08:10:16 +0100

This email has been classified as: NOT PROTECTIVELY MARKED

>I wonder if someone can help me out with an issue that has come to light with a new application we are running behind our Squid 2.6 Reverse Proxy Server.
>At the moment we have a situation shown below;

>INTERNET ---> |FIREWALL1| ---> |REVERSE-PROXY| ---> |FIREWALL2| --->
>APPLICATION WEB SERVER

>For all applications, Traffic comes in on HTTPS (and HTTP as well, but mostly HTTPS) from the Internet, passes through FIREWALL1 and then offloads the SSL at the REVERSE-PROXY, then the rest of the traffic flows as HTTP through FIREWALL2 and onto the APPLICATION WEB SERVER.

>This works for all of the sites we've been serving for the past two
>years, but for this particular new application, if you connect using
>https://my.server.com when the app redirects, Squid appears to go to
>http://my.server.com i.e. it does not stay encrypted.  I've found a
>similar problem in this post using mod_proxy
>(http://serverfault.com/questions/388927/apache-reverseproxypass-redrects-to-http-rather-than-https)
>Can you point me in any direction to assist with this solution please?

Amos

Thanks for the response. Squid is configured as; http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate

So the exact config is; (All of the specific details have been obfuscated)

https_port 192.168.1.43:443 cert=cert.crt key=key.pem cipher=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM options=NO_SSLv2 defaultsite=mywebsite3.mydomain.com vhost

cache_peer 10.1.0.14 parent 8080 0 no-query originserver name=server_5

acl sites_server_5 dstdomain my.server.com
cache_peer_access server_5 allow sites_server_5

What actually happens is that when the browser goes to https://my.server.com 99% of the site is rendered correctly i.e. it works as it should. There is one link however, which is generated by JavaScript in the application which always comes back as http://my.server.com (not encrypted). I assumed this was an application problem, but the vendor thinks it's Squid, I was hoping I could force this to HTTPS only using something along the lines of;

acl port80 myport 80
http_access deny port80
deny_info https://my.server.com/ port80

Or is this more an application issue which should be fixed by the vendor? Any help is greatly appreciated.

Thanks

John

This email and any files transmitted with it are intended solely for the named recipient and may contain sensitive, confidential or protectively marked material up to the central government classification of "RESTRICTED" which must be handled accordingly. If you have received this e-mail in error, please immediately notify the sender by e-mail and delete from your system, unless you are the named recipient (or authorised to receive it for the recipient) you are not permitted to copy, use, store, publish, disseminate or disclose it to anyone else.

E-mail transmission cannot be guaranteed to be secure or error-free as it could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses and therefore the Council accept no liability for any such errors or omissions.

Unless explicitly stated otherwise views or opinions expressed in this email are solely those of the author and do not necessarily represent those of the Council and are not intended to be legally binding.


All Council network traffic and GCSX traffic may be subject to recording and/or monitoring in accordance with relevant legislation.

South Tyneside Council, Town Hall & Civic Offices, Westoe Road, South Shields, Tyne & Wear, NE33 2RL, Tel: 0191 427 1717, Website: www.southtyneside.info
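The mechanism behind the symptom John describes, as an added example that is not part of the original post or of Squid: with SSL offloaded at the proxy, the origin server only ever sees a plain-HTTP request, so any code that builds an absolute link from the scheme it received produces http://my.server.com/... regardless of what the browser used. The origin can only get it right if the proxy tells it the client-facing scheme and the application honours that hint, and it must honour it only from the proxy's own address, otherwise any client can spoof the header. The header names (X-Forwarded-Proto, Front-End-Https), the proxy address 192.168.1.43 and the sample requests below are all constructed for this demo and are not taken from the post or from the Squid configuration shown.

```python
"""
Constructed demo of absolute-URL generation behind an SSL-offloading
reverse proxy.  Not code from the post, the vendor's application or Squid.
"""
from urllib.parse import urlunsplit

# Address from which the reverse proxy reaches the origin server.
# Assumed for the demo; the post only shows the proxy's public 443 side.
TRUSTED_PROXIES = {"192.168.1.43"}


def naive_absolute_url(request, path):
    """Build a link from the scheme the origin itself received.

    Behind an offloading proxy that scheme is always 'http', which is
    exactly how an https:// page ends up containing an http:// link.
    """
    return urlunsplit((request["scheme"], request["host"], path, "", ""))


def effective_scheme(request):
    """Return the scheme the *client* used, as reported by a trusted proxy.

    Only requests arriving from a known proxy address may override the
    observed scheme; a hint in a request from anywhere else is ignored,
    because X-Forwarded-Proto is trivially spoofable by the client.
    """
    observed = request["scheme"]
    if request["remote_addr"] not in TRUSTED_PROXIES:
        return observed
    headers = {k.lower(): v for k, v in request["headers"].items()}
    forwarded = headers.get("x-forwarded-proto")
    if forwarded:
        # With a chain of proxies the header can be a list; the first
        # entry is the scheme used by the outermost client.
        return forwarded.split(",")[0].strip().lower()
    if headers.get("front-end-https", "").strip().lower() == "on":
        return "https"
    # No hint at all: the origin genuinely cannot know, so it falls back
    # to what it saw.  This is the situation with a proxy that forwards
    # nothing about the original scheme.
    return observed


def proxy_aware_absolute_url(request, path):
    """Same as naive_absolute_url, but using the client-facing scheme."""
    return urlunsplit((effective_scheme(request), request["host"], path, "", ""))


# Constructed sample requests as the origin on 10.1.0.14:8080 would see them.
VIA_PROXY_WITH_HINT = {
    "scheme": "http", "host": "my.server.com", "remote_addr": "192.168.1.43",
    "headers": {"X-Forwarded-Proto": "https"},
}
VIA_PROXY_NO_HINT = {
    "scheme": "http", "host": "my.server.com", "remote_addr": "192.168.1.43",
    "headers": {},
}
SPOOFED_FROM_CLIENT = {
    "scheme": "http", "host": "my.server.com", "remote_addr": "10.1.0.99",
    "headers": {"X-Forwarded-Proto": "https"},
}

if __name__ == "__main__":
    for name, req in [("with hint", VIA_PROXY_WITH_HINT),
                      ("no hint", VIA_PROXY_NO_HINT),
                      ("spoofed", SPOOFED_FROM_CLIENT)]:
        print(f"{name:10} naive={naive_absolute_url(req, '/app/report')}"
              f"  aware={proxy_aware_absolute_url(req, '/app/report')}")
```

The "no hint" case is the one that matches the thread: whatever the proxy does with redirects, a link the application assembles itself from its own request scheme cannot come out as https:// unless the application is told the original scheme, so the fix for that link is on the application side, with the proxy forwarding the hint.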
Received on Tue Oct 08 2013 - 07:10:25 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 09 2013 - 12:00:05 MDT