Alan Lehman wrote:
>>>>> Specific to your loop-back problem:
>>>>>
>>>>> You need to adjust your reverse-proxy configuration to block the
>>>> CONNECT
>>>>> method being used to access the peers.
>>>> Sorry, but can you elaborate on this?
>>>
>>> The "internal net -> forward proxy" step of the chain uses a CONNECT
>>> request.
>>>
>>> cache_peer BLAH deny CONNECT
>>>
>>> is needed to force "internal net -> forward proxy ->
>> accelerator(self)"
>>> Otherwise requests like "CONNECT owa:443" will be optimized as
>>> "internal
>>> net -> accelerator -> OWA ". Even though OWA does not handle CONNECT.
>>>
>>> Blocking CONNECT to peer, forces config down to the forward-proxy
>>> config
>>> which _is_ allowed to do the looping back bit an de-tunneling the
>>> CONNECT.
>>>
>> As far as I can see, cache_peer doesn't allow a deny parameter, so I
>> tried the following and get "the requested URL cannot be retried". At
>> least it's not just hanging:
>>
>> cache_peer blah
>>
>> acl OWA dstdomain owa.domain.com
>> http_access allow OWA
>> miss_access allow OWA
>> acl CONNECT method CONNECT
>> cache_peer_access owa-server deny CONNECT
>> cache_peer_access owa-server allow OWA
>> never_direct allow OWA
>>
>> [normal forward proxy config below]
>>
>> Thanks,
>> Alan
>
> With the configuration above, the logs look like this:
> access.log:
> 1235235368.181 0 172.16.7.203 TCP_MISS/503 0 CONNECT owa.domain.com:443 - NONE/- -
> 1235235368.428 163 172.16.7.203 TCP_MISS/304 326 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 -
>
> cache.log:
> -----END SSL SESSION PARAMETERS-----
> 2009/02/21 10:56:59| Failed to select source for '[null_entry]'
> 2009/02/21 10:56:59| always_direct = 0
> 2009/02/21 10:56:59| never_direct = 1
> 2009/02/21 10:56:59| timedout = 0
>
> '[null_entry]' is curious. Shouldn't that be URL for OWA?
>
> Playing with this same configuration, if I authenticate to OWA first via another proxy, then switch to this one, it will keep working until I restart the browser.
>
> Is there some other way to accomplish deny CONNECT?
>
Drop the "never_direct" entry. It's cutting the loopback from happening.
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13 Current Beta Squid 3.1.0.5Received on Sun Feb 22 2009 - 02:00:26 MST
This archive was generated by hypermail 2.2.0 : Sun Feb 22 2009 - 12:00:01 MST