Re: [squid-users] Cookies and/or URLs becoming IP addresses when using proxy with SSL

From: <Markus.Rietzler@dont-contact.us>
Date: Mon, 12 Aug 2002 12:30:54 +0200

are you sure that the server doesn't change the ip/domain while
doing some kind of redirect? what does the access.log of squid (and
the server's one) tell you?

normally squid doesn't switch back to IP addresses while retrieving
a website. it could be a redirect that the web-server performs, such as

        http://domain/foo -> http://123.45.67.89/foo/

(watch the trailing slash)...

Markus Rietzler
* <rietzler_software/>
* RZF NRW
* Tel: 0211.4572-130
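Markus points at Squid's access.log as the place to look. The script below is an added example, not code from the thread or from the Squid project: it parses native-format access.log lines and flags the three symptoms Francois describes, namely requests to IP-literal hosts, a 3xx answer followed by the same client fetching an IP-literal URL, and plain-http requests to a host the proxy had previously tunnelled with CONNECT. The log lines, host names and addresses are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Squid "native" access.log layout, one request per line:
#   time elapsed client action/status bytes method url ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample (not a real log): one client tunnels TLS to the dev site,
# later fetches it in clear, receives a 302 and follows it to an IP-literal URL.
SAMPLE_LOG = """\
1029112345.123    456 10.0.0.5 TCP_MISS/200 2310 CONNECT dev.example.com:443 - DIRECT/192.0.2.10 -
1029112350.001    120 10.0.0.5 TCP_MISS/302 345 GET http://dev.example.com/foo - DIRECT/192.0.2.10 text/html
1029112350.500    130 10.0.0.5 TCP_MISS/200 2345 GET http://192.0.2.10/foo/ - DIRECT/192.0.2.10 text/html
1029112360.000     80 10.0.0.7 TCP_HIT/200 512 GET http://www.example.net/ - NONE/- image/gif
"""


def parse_line(line):
    """Split one access.log line into a dict; None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    # CONNECT requests are logged as "host:port"; everything else as a full URL
    if rec["method"] == "CONNECT":
        rec["host"] = rec["url"].rsplit(":", 1)[0]
    else:
        rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyse(lines):
    """Return a list of finding tuples, in log order."""
    findings = []
    last_by_client = {}   # client address -> its previous request record
    https_hosts = set()   # hosts this proxy has tunnelled via CONNECT
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prev = last_by_client.get(rec["client"])
        if rec["method"] == "CONNECT":
            https_hosts.add(rec["host"])
        # the site's own name has turned into an address somewhere along the way
        if is_ip_literal(rec["host"]):
            findings.append(("ip-literal-host", rec["client"], rec["url"]))
            # a 3xx just before it is the likely source (the Location header
            # itself is not logged, so confirm against the web server's log)
            if prev is not None and 300 <= prev["status"] < 400:
                findings.append(("redirect-to-ip", rec["client"], prev["url"], rec["url"]))
        # clear-text request to a host that was previously reached over a TLS tunnel
        if (rec["method"] != "CONNECT" and rec["url"].startswith("http://")
                and rec["host"] in https_hosts):
            findings.append(("https-to-http", rec["client"], rec["url"]))
        last_by_client[rec["client"]] = rec
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Feed it a real file with `analyse(open("/var/log/squid/access.log"))`. Because CONNECT only logs the tunnel endpoint, a redirect issued inside the TLS session is invisible here; the `redirect-to-ip` finding only catches the clear-text case, which is why the web server's own log is the second place to look, as Markus suggests.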

-----Original Message-----
From: Francois.J.Perreault@vmd.desjardins.com
[mailto:Francois.J.Perreault@vmd.desjardins.com]
Sent: Saturday, 10 August 2002 00:15
To: squid-users@squid-cache.org
Subject: [squid-users] Cookies and/or URLs becoming IP addresses when
using proxy with SSL

IE Browser (5 and 6) is set to use a proxy (Squid and Apache)
and accesses an SSL site in development. Eventually (about
4 or 5 clicks), the site's main cookie which came from the site's
domain name, will now appear to come from an IP address, thus
not being the same cookie to the browser. This breaks the SSL
session and everything is then requested using http (not https)
and most often by referring to the IP address and not the proper
domain name URL. Needless to say the site stops working.

Removal of the proxy settings in the browser (assuming the
station is permitted through by the firewall) and the bug goes
away. Considering how the proxy is merely tunneling the SSL
session, how can the cookie (or URL) get poisoned like that?

--
Squid Config:
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 8080 8000
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl badlangblock url_regex -i "/etc/squid/badlang.block.txt"
acl badlangunblock url_regex -i "/etc/squid/badlang.unblock.txt"
acl entertainblock url_regex -i "/etc/squid/entertain.block.txt"
acl entertainunblock url_regex -i "/etc/squid/entertain.unblock.txt"
acl gamesblock url_regex -i "/etc/squid/games.block.txt"
acl gamesunblock url_regex -i "/etc/squid/games.unblock.txt"
acl pirateblock url_regex -i "/etc/squid/pirate.block.txt"
acl pornblock url_regex -i "/etc/squid/porn.block.txt"
acl pornunblock url_regex -i "/etc/squid/porn.unblock.txt"
acl limiteddeny url_regex -i "/etc/squid/limited.deny.txt"
acl limitedallow url_regex -i "/etc/squid/limited.allow.txt"
acl allowsimpleurl urlpath_regex -i "/etc/squid/allow_simpleurl.txt"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny badlangblock   !badlangunblock
http_access deny entertainblock !entertainunblock
http_access deny gamesblock     !gamesunblock
http_access deny pirateblock
http_access deny pornblock      !pornunblock
http_access deny limiteddeny
#http_access allow limitedallow
#http_access allow allowsimpleurl
#http_access allow CONNECT SSL_ports
#http_access deny all
http_access allow all
Received on Mon Aug 12 2002 - 04:30:58 MDT
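The quoted squid.conf ends its http_access list with `http_access allow all` (the `deny all` line is commented out, as is the `acl all` definition) and its SSL_ports list permits CONNECT to 8080 and 8000 as well as 443 and 563. The checker below is an added example, not part of the thread or of Squid: it parses the acl and http_access lines of that fragment and reports those points. It relies only on the ordering rule that Squid evaluates http_access lines top to bottom with the first match deciding, and it does not follow `include` directives.

```python
# The acl and http_access lines from the squid.conf quoted in the question
# (comment lines kept so the parser is seen to skip them).
CONF = """\
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 8080 8000
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
#http_access deny all
http_access allow all
"""


def parse_conf(text):
    """Collect acl definitions as {name: (type, [values])} and http_access rules
    as [(verdict, [terms])] in file order. '#' starts a comment; an acl name used
    on several lines accumulates its values, as Squid does."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            _acl_type, values = acls.setdefault(parts[1], (parts[2], []))
            values.extend(parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def lint(acls, rules):
    """Return a list of findings about the http_access chain."""
    issues = []
    # every acl named in a rule should be defined; in the quoted config the
    # 'all' definition is commented out (newer Squid versions predefine 'all')
    for verdict, terms in rules:
        for term in terms:
            name = term.lstrip("!")
            if name not in acls:
                issues.append(f"http_access {verdict} references acl '{name}', "
                              "which this fragment does not define")
    # first match wins, so a trailing 'allow all' admits every client that is
    # not caught by an earlier deny line
    if rules and rules[-1] == ("allow", ["all"]):
        issues.append("last rule is 'http_access allow all': any client that can reach "
                      "the proxy may use it (open proxy); end the chain with 'deny all'")
    # CONNECT tunnels are opaque to the proxy, so the port list should be minimal
    ssl_ports = acls.get("SSL_ports", ("port", []))[1]
    extra = [p for p in ssl_ports if p not in ("443", "563")]
    if extra:
        issues.append(f"CONNECT tunnels allowed to {', '.join(extra)} in addition to "
                      "443/563; tunnelled traffic cannot be inspected or filtered")
    if ("deny", ["CONNECT", "!SSL_ports"]) not in rules:
        issues.append("no 'http_access deny CONNECT !SSL_ports' rule")
    return issues


if __name__ == "__main__":
    for issue in lint(*parse_conf(CONF)):
        print("-", issue)
```

To check a live file, replace `CONF` with the contents of squid.conf; ACLs defined in included files will show up as undefined, so read those findings with that limitation in mind.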