Re: [squid-users] forward and reverse through one system

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 22 Feb 2009 15:06:23 +1300

Amos Jeffries wrote:
> Alan Lehman wrote:
>>>>>> Specific to your loop-back problem:
>>>>>>
>>>>>> You need to adjust your reverse-proxy configuration to block the
>>>>>> CONNECT method being used to access the peers.
>>>>> Sorry, but can you elaborate on this?
>>>>
>>>> The "internal net -> forward proxy" step of the chain uses a CONNECT
>>>> request.
>>>>
>>>> cache_peer BLAH deny CONNECT
>>>>
>>>> is needed to force "internal net -> forward proxy -> accelerator(self)"
>>>> Otherwise requests like "CONNECT owa:443" will be optimized as
>>>> "internal net -> accelerator -> OWA". Even though OWA does not handle
>>>> CONNECT.
>>>>
>>>> Blocking CONNECT to peer forces config down to the forward-proxy
>>>> config, which _is_ allowed to do the looping back bit and de-tunneling
>>>> the CONNECT.
>>>>
>>> As far as I can see, cache_peer doesn't allow a deny parameter, so I
>>> tried the following and get "the requested URL cannot be retried". At
>>> least it's not just hanging:
>>>
>>> cache_peer blah
>>>
>>> acl OWA dstdomain owa.domain.com
>>> http_access allow OWA
>>> miss_access allow OWA
>>> acl CONNECT method CONNECT
>>> cache_peer_access owa-server deny CONNECT
>>> cache_peer_access owa-server allow OWA
>>> never_direct allow OWA
>>>
>>> [normal forward proxy config below]
>>>
>>> Thanks,
>>> Alan
>>
>> With the configuration above, the logs look like this:
>> access.log:
>> 1235235368.181 0 172.16.7.203 TCP_MISS/503 0 CONNECT owa.domain.com:443 - NONE/- -
>> 1235235368.428 163 172.16.7.203 TCP_MISS/304 326 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 -
>>
>> cache.log:
>> -----END SSL SESSION PARAMETERS-----
>> 2009/02/21 10:56:59| Failed to select source for '[null_entry]'
>> 2009/02/21 10:56:59| always_direct = 0
>> 2009/02/21 10:56:59| never_direct = 1
>> 2009/02/21 10:56:59| timedout = 0
>>
>> '[null_entry]' is curious. Shouldn't that be URL for OWA?
>>
>> Playing with this same configuration, if I authenticate to OWA first
>> via another proxy, then switch to this one, it will keep working until
>> I restart the browser.
>>
>> Is there some other way to accomplish deny CONNECT?
>
> Drop the "never_direct" entry. It's cutting the loopback from happening.

No forget that. Add !CONNECT to it instead.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
Received on Sun Feb 22 2009 - 02:06:07 MST

This archive was generated by hypermail 2.2.0 : Mon Feb 23 2009 - 12:00:01 MST
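The following squid.conf fragment is an added illustration of the configuration the thread converges on; it is not from Alan's or Amos's messages and not part of the Squid project. It combines Alan's accelerator ACLs with Amos's final advice (`!CONNECT` on `never_direct`, plus the `cache_peer_access ... deny CONNECT` line). The backend host `owa-backend.internal`, the certificate paths, the LAN range `172.16.0.0/12` and the port numbers are placeholders chosen for the example; Alan's own `cache_peer` line is elided in the thread and is not reconstructed here.

```conf
# Added example (not from the mailing-list thread): one Squid instance acting
# as both the OWA reverse proxy and the office forward proxy.
# Host names, ports, paths and the LAN range below are placeholders.

# --- accelerator side: the public face of owa.domain.com ---
https_port 443 accel defaultsite=owa.domain.com vhost \
    cert=/etc/squid/owa.pem key=/etc/squid/owa.key
cache_peer owa-backend.internal parent 443 0 no-query originserver ssl name=owa-server

acl OWA dstdomain owa.domain.com
acl CONNECT method CONNECT

http_access allow OWA
miss_access allow OWA

# A CONNECT is a browser tunnel request; the origin server cannot answer it,
# so it must never be handed to the peer ...
cache_peer_access owa-server deny CONNECT
cache_peer_access owa-server allow OWA
cache_peer_access owa-server deny all

# ... and it must not be pinned to the peer either. Excluding CONNECT here
# lets the tunnel go DIRECT, i.e. loop back to https_port above, where it is
# de-tunneled into ordinary GETs that match OWA and are then routed to the peer.
never_direct allow OWA !CONNECT

# --- forward-proxy side for the internal LAN ---
http_port 3128
acl localnet src 172.16.0.0/12
acl SSL_ports port 443
http_access allow localnet CONNECT SSL_ports
http_access allow localnet
http_access deny all
```

The loop-back only works if, as seen from the proxy host itself, `owa.domain.com` resolves to the address the `https_port` line listens on; that is what "accelerator(self)" in the thread relies on. When the `!CONNECT` exclusion is missing, the symptom to look for is exactly the access.log entry quoted above: a `CONNECT owa.domain.com:443` logged as `TCP_MISS/503` with `NONE/-` as the hierarchy, paired with "Failed to select source" and `never_direct = 1` in cache.log, because Squid has no peer willing to take the CONNECT and is forbidden from going direct.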