We're all convinced the problem is on the application side.
However, the problem only appears when using a proxy.
Thanks for your reply.
-- 2002-08-12 06:30 AM Markus.Rietzler@rzf.fin-nrw.de wrote:

are you sure, that the server doesn't change the ip/domain while doing some kind of redirect?
what does the access.log of squid (and the server's one) tell you?

normally squid doesn't switch back to ip-addresses while retrieving a website. it could be a redirect that the web-server performs, such as http://domain/foo -> http://123.45.67.89/foo/ (watch the trailing slash)...

Markus Rietzler
* <rietzler_software/>
* RZF NRW
* Tel: 0211.4572-130

-----Original Message-----
From: Francois.J.Perreault@vmd.desjardins.com [mailto:Francois.J.Perreault@vmd.desjardins.com]
Sent: Saturday, 10 August 2002 00:15
To: squid-users@squid-cache.org
Subject: [squid-users] Cookies and/or URLs becoming IP addresses when using proxy with SSL

IE Browser (5 and 6) is set to use a proxy (Squid and Apache) and accesses an SSL site in development. Eventually (about 4 or 5 clicks), the site's main cookie, which came from the site's domain name, will now appear to come from an IP address, thus not being the same cookie to the browser. This breaks the SSL session and everything is then requested using http (not https) and most often by referring to the IP address and not the proper domain name URL. Needless to say the site stops working.

Removal of the proxy settings in the browser (assuming the station is permitted through by the firewall) and the bug goes away.

Considering how the proxy is merely tunneling the SSL session, how can the cookie (or URL) get poisoned like that?
-- Squid Config:

#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 8080 8000
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl badlangblock url_regex -i "/etc/squid/badlang.block.txt"
acl badlangunblock url_regex -i "/etc/squid/badlang.unblock.txt"
acl entertainblock url_regex -i "/etc/squid/entertain.block.txt"
acl entertainunblock url_regex -i "/etc/squid/entertain.unblock.txt"
acl gamesblock url_regex -i "/etc/squid/games.block.txt"
acl gamesunblock url_regex -i "/etc/squid/games.unblock.txt"
acl pirateblock url_regex -i "/etc/squid/pirate.block.txt"
acl pornblock url_regex -i "/etc/squid/porn.block.txt"
acl pornunblock url_regex -i "/etc/squid/porn.unblock.txt"
acl limiteddeny url_regex -i "/etc/squid/limited.deny.txt"
acl limitedallow url_regex -i "/etc/squid/limited.allow.txt"
acl allowsimpleurl urlpath_regex -i "/etc/squid/allow_simpleurl.txt"

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny badlangblock !badlangunblock
http_access deny entertainblock !entertainunblock
http_access deny gamesblock !gamesunblock
http_access deny pirateblock
http_access deny pornblock !pornunblock
http_access deny limiteddeny
#http_access allow limitedallow
#http_access allow allowsimpleurl
#http_access allow CONNECT SSL_ports
#http_access deny all
http_access allow all

Received on Mon Aug 12 2002 - 09:14:32 MDT
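
One way to follow the suggestion above to check Squid's access.log, as an added example that is not part of the original thread: it scans native-format log lines and reports when a client that had been requesting a site by name starts requesting an IP literal, and whether that request still went through a CONNECT tunnel. The log lines, the name dev.example.test and all addresses are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1029110400.101    250 192.0.2.10 TCP_MISS/200 4312 CONNECT dev.example.test:443 - DIRECT/198.51.100.7 -
1029110415.202    180 192.0.2.10 TCP_MISS/200 2980 CONNECT dev.example.test:443 - DIRECT/198.51.100.7 -
1029110431.303     95 192.0.2.10 TCP_MISS/302 412 GET http://198.51.100.7/foo - DIRECT/198.51.100.7 text/html
1029110431.404    110 192.0.2.10 TCP_MISS/200 5120 GET http://198.51.100.7/foo/ - DIRECT/198.51.100.7 text/html
1029110440.505    140 192.0.2.22 TCP_MISS/200 3301 CONNECT dev.example.test:443 - DIRECT/198.51.100.7 -
"""

def request_host(method, url):
    """Host the browser asked for: CONNECT logs host:port, other methods a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def find_host_switches(log_text):
    """List requests to an IP literal made by a client that earlier used a hostname."""
    seen_name = {}  # client address -> last host it requested by name
    events = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # not a native-format line
        ts, client, status, method, url, peer = f[0], f[2], f[3], f[5], f[6], f[8]
        host = request_host(method, url)
        if not is_ip_literal(host):
            seen_name[client] = host
        elif client in seen_name:
            events.append({"time": float(ts), "client": client, "was": seen_name[client],
                           "now": host, "method": method, "status": status,
                           "tunnelled": method == "CONNECT",
                           "same_origin_server": peer.split("/", 1)[-1] == host})
    return events

if __name__ == "__main__":
    for event in find_host_switches(SAMPLE_LOG):
        print(event)
```

Because Squid only sees the CONNECT line of a tunnelled SSL session, a redirect issued inside the tunnel does not appear in access.log; the first visible sign is the client's next request naming the IP address.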
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:36 MST