Re: [squid-users] Struggling to get https reverse proxy to work - no object data received

From: Nico Snyman <snyman.nico_at_gmail.com>
Date: Wed, 14 May 2014 18:28:00 +0200

Apologies, this does actually seem to work perfectly fine for a
"normal" site, but does not like CDN hosted sites - I am cool with
that.

Last question though - how do I stop host headers from being
forwarded? Should I set act_as_origin? Or use defaultsite?

Thanks!

On Wed, May 14, 2014 at 6:27 PM, Nico Snyman <snyman.nico_at_gmail.com> wrote:
> Apologies, this does actually seem to work perfectly fine for a "normal"
> site, but does not like CDN hosted sites - I am cool with that.
>
> Last question though - how do I stop host headers from being forwarded?
> Should I set act_as_origin? Or use defaultsite?
>
> Thanks!
> Nico
>
>
> On Wed, May 14, 2014 at 5:44 PM, Nico Snyman <snyman.nico_at_gmail.com> wrote:
>> Hi Amos,
>>
>> (apologies for being very verbose - hoping that my poor efforts can
>> help someone else once it ends up in the archives)
>>
>> To make sure not to muddle things up - I have removed the https bits for
>> now.
>>
>> Also to make clear what is what, I have done the following (using fake
>> "outside" domain localhost.com)
>>
>> 1. added localhost.com pointing to loopback in hosts on the squid host
>> 2. added localhost.com in hosts of the connecting PC (browser PC),
>> pointing to squid host
>>
>> I have then adjusted my squid.conf to read as follows:
>>
>> ...
>> http_port 80 accel defaultsite=localhost.com
>> cache_peer google.com parent 80 0 no-query no-digest originserver
>> name=myAccel1
>> acl our_sites dstdomain localhost.com
>> http_access allow our_sites
>> cache_peer_access myAccel1 allow our_sites
>> ...
>>
>> Browser connects to localhost.com:80, and Squid fetches data from
>> google.com and presents it as if it were content from localhost.com -
>> and this works perfectly as expected.
>>
>> Now I want to do the same, but using SSL. My squid.conf now looks like
>> this:
>>
>> ...
>> https_port 443 accel cert=/etc/squid3/squid.crt
>> key=/etc/squid3/squid.key defaultsite=localhost.com
>> cache_peer google.com parent 443 0 no-query no-digest originserver ssl
>> sslflags=DONT_VERIFY_PEER name=myAccel
>> acl our_sites dstdomain localhost.com
>>
>> http_access allow our_sites
>> cache_peer_access myAccel allow our_sites
>> ...
>>
>> This does not work, I get in access.log:
>> 127.0.0.1 TCP_MISS_ABORTED/000 0 GET https://localhost.com/ -
>> FIRSTUP_PARENT/xxx.xxx.xxx.xxx -
>>
>> (Note the xxx above are substitutes for a real IP, I am not *actually*
>> using google.com)
>>
>> I think I am missing something rather obvious here - and I think it
>> might have something to do with the parent cert?
>>
>> Any ideas please?
>>
>> Thanks!
>>
>> On Tue, May 13, 2014 at 6:53 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>> wrote:
>>> On 14/05/2014 4:34 a.m., Nico Snyman wrote:
>>>> Hi guys,
>>>>
>>>> I am trying to set up an https reverse proxy to cache and proxy a data
>>>> feed from a 3rd party.
>>>>
>>>> At the moment, as a POC inside a VirtualBox VM, I am simply trying to
>>>> reverse proxy https://localhost to fetch https://www.google.com (or
>>>> any other https site).
>>>>
>>>
>>> The Right Way(tm) to test is with hosts file entry standing in for
>>> public DNS.
>>>
>>> /etc/hosts:
>>> 127.0.0.1 google.com
>>>
>>> ... and making sure the proxy configuration is correct ...
>>>
>>> /etc/squid/squid.conf:
>>> ...
>>> https_port 443 accel defaultsite=google.com cert=...
>>> http_port 80 accel defaultsite=google.com
>>> ...
>>> cache_peer google.com parent 443 0 originserver ssl ...
>>> ...
>>> acl our_sites dstdomain google.com
>>> acl port443 myportname 443
>>> acl port80 myportname 80
>>> cache_peer_access myAccel allow port443 our_sites
>>> cache_peer_access myAccel1 allow port80 our_sites
>>> http_access allow our_sites
>>> http_access deny all
>>> ...
>>>
>>>
>>>
>>>> Unfortunately, I consistently get the following:
>>>>
>>>> kid1| TCP connection to www.google.com/443 failed
>>>> kid1| WARNING: HTTP: Invalid response: No object data received for
>>>> https://localhost/ AKA localhost/
>>>>
>>>> In a browser this is a "Zero Sized Reply" message.
>>>>
>>>> My squid.conf as follows:
>>>>
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>> https_port 443 accel cert=/etc/squid3/squid.crt
>>>> key=/etc/squid3/squid.key defaultsite=localhost
>>>> http_port 80 accel defaultsite=localhost
>>>> cache_peer www.google.com parent 443 0 no-query no-digest originserver
>>>> name=myAccel
>>>> cache_peer www.google.com parent 80 0 no-query no-digest originserver
>>>> name=myAccel1
>>>> acl our_sites dstdomain localhost
>>>> http_access allow our_sites
>>>> cache_peer_access myAccel allow our_sites
>>>> cache_peer_access myAccel1 allow our_sites
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost manager
>>>> http_access deny manager
>>>> http_access allow localhost
>>>> http_access deny all
>>>> access_log daemon:/squid3_logs/access.log squid
>>>> cache_store_log daemon:/squid3_logs/store.log
>>>> cache_log /squid3_logs/cache.log
>>>> coredump_dir /var/spool/squid3
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>>>> refresh_pattern . 0 20% 4320
>>>>
>>>> Anybody have any ideas? I for the life of me cannot figure it out, and
>>>> haven't been able to find relevant help in the archives.
>>>>
>>>> Squid version: squid3-3.3.8
>>>> Ubuntu 13.10 inside Virtualbox 4.3.6
>>>>
>>>>
>>>>
>>>> Thank you!
>>>>
>>>
>
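The configurations in this thread turn off certificate checking on the peer connection (sslflags=DONT_VERIFY_PEER), which makes the proxy-to-origin hop accept any certificate. The following squid.conf fragment is an added example written for this archive, not something posted in the thread or shipped by the Squid project; it follows Amos's per-port layout above but verifies the origin's certificate instead. The hostnames localhost.com and origin.example.net, the port names https443/http80, and the CA bundle path /etc/squid3/origin-ca.pem are assumed placeholders. The forcedomain= peer option is included on the assumption (from the Squid 3.x cache_peer documentation, not confirmed by this thread) that it rewrites the Host header sent to the origin, which is the question asked in the last message.

```conf
# Added example (not from the thread): Squid 3.3 HTTPS reverse proxy that
# verifies the origin server's certificate instead of DONT_VERIFY_PEER.
# Placeholders: localhost.com = public name clients use,
#               origin.example.net = the real backend,
#               /etc/squid3/origin-ca.pem = CA that issued the backend's cert.

# Listening sockets. name= gives each port a stable label for myportname ACLs.
https_port 443 accel defaultsite=localhost.com name=https443 cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key
http_port 80 accel defaultsite=localhost.com name=http80

# One peer per protocol. The TLS peer checks the certificate against our CA
# bundle and requires the certificate to be issued for origin.example.net
# (ssldomain=), so a forged or mismatched backend certificate is rejected.
# forcedomain= (assumed semantics) sets the Host header sent to the backend.
cache_peer origin.example.net parent 443 0 no-query no-digest originserver ssl sslcafile=/etc/squid3/origin-ca.pem ssldomain=origin.example.net forcedomain=origin.example.net name=myAccel
cache_peer origin.example.net parent 80 0 no-query no-digest originserver forcedomain=origin.example.net name=myAccel1

# Only requests for our published name, and only via the matching port.
acl our_sites dstdomain localhost.com
acl port443 myportname https443
acl port80 myportname http80

cache_peer_access myAccel allow port443 our_sites
cache_peer_access myAccel deny all
cache_peer_access myAccel1 allow port80 our_sites
cache_peer_access myAccel1 deny all

# Default-deny: anything that is not one of our sites is refused.
http_access allow our_sites
http_access deny all
```

With this layout the access.log line from the thread (TCP_MISS_ABORTED/000 with FIRSTUP_PARENT) is still the symptom to watch for: if the backend's certificate does not chain to origin-ca.pem or does not match ssldomain, Squid drops the peer connection rather than silently serving content from an unverified server, and cache.log records the TLS failure.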
Received on Wed May 14 2014 - 16:28:07 MDT

This archive was generated by hypermail 2.2.0 : Thu May 15 2014 - 12:00:09 MDT