[squid-users] Redirects changing POST to GET

From: Ben Hollingsworth <ben.hollingsworth@dont-contact.us>
Date: Wed, 23 Jan 2008 11:34:03 -0600

I've set up a reverse proxy running Squid 2.6.STABLE6 5.el5_1.2 on RHEL5.1. All remote access to the proxy is supposed to be via HTTPS, but since some of the protected apps give out absolute URLs that use HTTP, I've also set up a redirector that listens on port 80 and sends a 301 redirect back to the client with an HTTPS version of the same URL. My rewrite script is pretty simple:

#!/usr/bin/perl
# Squid url_rewrite_program helper: reads request lines from Squid one at a
# time and answers any line starting with "http:" with a 301 redirect to the
# "https:" form of the same URL. Every other line is echoed back unchanged.
#
# Review notes:
# - The redirect is only issued after the client has already sent its request
#   over plain HTTP, so a POST body or cookie in that first request has
#   crossed the network unencrypted. The redirect does not protect it.
# - Clients commonly repeat a POST as a GET when they follow a 301, which
#   matches the POST -> GET change visible in the access log.
# - The match is anchored and case-sensitive, so a line starting with "HTTP:"
#   would pass through without a redirect. Presumably Squid hands over a
#   lower-cased scheme; confirm against the deployed version.

# Autoflush STDOUT so each answer is written as soon as it is produced.
$| = 1;

while (defined(my $request = <>)) {
        $request =~ s/^http:/301:https:/;
        print $request;
}

The problem I'm seeing is that whenever a CGI is called via HTTP with a POST method, it gets converted to GET when the new request comes in on HTTPS. This, of course, breaks the app. Here's a log snippet:

1200950259.294 2 192.168.2.8 TCP_MISS/301 200 POST http://inf.domain.org/pls/orasso/orasso.wwsso_app_admin.ls_logout - NONE/- -
1200950259.396 75 192.168.2.8 TCP_MISS/404 704 GET https://inf.domain.org/pls/orasso/orasso.wwsso_app_admin.ls_logout - FIRST_UP_PARENT/172.22.66.206 text/html

When I bypass the proxy, the HTTP POST method works just fine. Any ideas what might be causing the method to change or how to get around this? Every web search I try comes up empty. I'm not sure if the variables are getting dropped in the process, or if the app just doesn't know how to handle GET methods, but regardless, this is a debilitating problem for this app, so I really need a solution. The app in question is Oracle Collaboration Suite 10g, if it makes a difference. My squid.conf follows.

# grep -v "^#" squid.conf | sed -e '/^$/d'
# NOTE(review): reverse-proxy listeners. Port 80 accepts plain HTTP and exists
# only so the rewrite helper can answer with a redirect; port 443 terminates
# TLS using the certificate and key files named below.
http_port 80 vhost
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.pem vhost
icp_port 0
# NOTE(review): sslflags=DONT_VERIFY_PEER makes Squid accept the origin's
# certificate even when it fails verification, so the TLS hop to 172.26.6.159
# is encrypted but not authenticated. Supplying the issuing CA (cache_peer
# option sslcafile=) and dropping the flag restores the identity check.
cache_peer 172.26.6.159 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=server1-app-peer
# NOTE(review): the next two peers are reached on port 80 without the ssl
# option, so traffic that arrived over HTTPS is forwarded to them in
# cleartext on the internal network.
cache_peer 172.22.66.208 parent 80 0 no-query originserver name=app-peer
cache_peer 172.22.66.206 parent 80 0 no-query originserver name=inf-peer
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
maximum_object_size 0 KB
access_log /var/log/squid/access.log squid
# Every request is passed to this helper; it is the script that issues the
# 301 redirect for http: URLs.
url_rewrite_program /usr/local/bin/rewrite-http
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl sites_server1-app dstdomain server1b.domain.org server1-app.domain.org
acl sites_app dstdomain app.domain.org
acl sites_inf dstdomain inf.domain.org
# NOTE(review): 192.168.2.65 is listed as an allowed destination, but no
# cache_peer line in this listing points at it.
acl webserver dst 172.26.6.159 192.168.2.65 172.22.66.208 172.22.66.206
# NOTE(review): http_access rules are checked top-down and the first match
# decides. This allow comes before the Safe_ports and CONNECT denies, so a
# request from any client whose destination resolves to one of the webserver
# addresses is accepted without those later checks being applied.
http_access allow webserver
miss_access allow webserver
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
# NOTE(review): ICP is disabled above (icp_port 0), so this allow-all has no
# effect as configured; it would open ICP to every source if the port were
# ever enabled.
icp_access allow all
# Each peer is selected only for requests whose host matches its own site ACL.
cache_peer_access server1-app-peer allow sites_server1-app
cache_peer_access app-peer allow sites_app
cache_peer_access inf-peer allow sites_inf
cache_mgr systems@domain.org
coredump_dir /var/spool/squid

Received on Wed Jan 23 2008 - 10:35:34 MST
