Re: [squid-users] Problem with SSL/Http and Squid in Reverse Proxy

From: Ben Hollingsworth <ben.hollingsworth@dont-contact.us>
Date: Wed, 05 Mar 2008 09:07:47 -0600

Kaddu, Patrick wrote:
> I have set up Squid3 with SSL as a Reverse Proxy. SSL works as expected,
> but when a backend server has hardcoded links inside a web application
> like http://bla.bla.bla , the URL changes when the user clicks on this
> link and you have no more SSL, only HTTP!
>
> Can you force it to use only SSL, even if there are hardcoded links inside
> the application?
>

We've run into the same problem, and have only partially solved it. For
simple web pages, we set up squid to listen on port 80. We then
configured a rewriter that replaces "http://" in any URLs with
"301:https://" to send a permanent redirect back to the client (see below).

The problem comes with form submissions. The HTTP spec prohibits
clients from changing the URL of POST requests without confirming with
the user (see section 10.3.2 & 10.3.4 of RFC 2616:
http://www.ietf.org/rfc/rfc2616.txt?number=2616 ). Neither IE nor
Firefox bother confirming this, and instead just change the method to
"GET," which drops all the form variables on the floor. In short, form
submissions that hardcode the "http://" won't work using this method.
You can find my thread on this topic in the archives between 23 Jan - 1
Feb 2008. I'd love to hear any suggestions around it, as it's a deal
breaker for us on this project.

In squid.conf:
url_rewrite_program /usr/local/bin/rewrite-http

> cat /usr/local/bin/rewrite-http
#!/usr/bin/perl
#
# URL rewriter for squid to convert HTTP requests to HTTPS.
# Return an HTTP permanent redirect back to the browser.
# http://wiki.squid-cache.org/SquidFaq/SquidRedirectors
#
$| = 1;
while (<>) {
        s/^http:/301:https:/; # replace "http" with "https"
        print;
}

Received on Wed Mar 05 2008 - 08:06:46 MST
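
Added example, not part of the original message and not Squid project code: a Python url_rewrite_program helper that takes the request method into account, answering GET/HEAD with a 301 and any other method with a 307 so that the client is asked to repeat the same method and body. It assumes the classic redirector input line "URL client_ip/fqdn ident method" with no concurrency channel ID, and that the Squid version in use accepts a "307:" prefix in helper replies; the sample lines are constructed.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper: redirect http:// requests to https://."""
import sys

# Methods a browser replays unchanged after a 301.
SAFE_METHODS = {"GET", "HEAD"}

# Constructed sample input lines (documentation addresses and host names).
SAMPLE_LINES = [
    "http://www.example.com/page 192.0.2.10/- - GET",
    "http://www.example.com/form 192.0.2.10/- - POST",
    "https://www.example.com/ 192.0.2.10/- - GET",
]


def rewrite_line(line):
    """Return the helper reply for one request line from Squid.

    Assumed input format (classic redirector interface, no concurrency):
        URL client_ip/fqdn ident method
    An empty reply tells Squid to leave the request unchanged.
    """
    fields = line.split()
    if not fields:
        return ""
    url = fields[0]
    method = fields[3].upper() if len(fields) > 3 else "GET"
    scheme, sep, rest = url.partition("://")
    if sep != "://" or scheme.lower() != "http":
        return ""  # already https, or not an absolute http URL
    # 301 for safe methods; 307 asks the client to repeat the same
    # method and body, so a POST stays a POST (RFC 2616 section 10.3.8).
    status = "301" if method in SAFE_METHODS else "307"
    return f"{status}:https://{rest}"


def main():
    for line in sys.stdin:
        sys.stdout.write(rewrite_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```

Whichever status code is returned, the first request to the http:// URL, including any form fields in a POST body, has already crossed the network unencrypted before the redirect is sent. Correcting the hardcoded links in the backend application is the only way to keep that first request on SSL.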
