RE: [squid-users] forward and reverse through one system

From: Alan Lehman <alehman_at_gbateam.com>
Date: Sun, 22 Feb 2009 13:35:29 -0600

> Amos Jeffries wrote:
> > Alan Lehman wrote:
> >>>>>> Specific to your loop-back problem:
> >>>>>>
> >>>>>> You need to adjust your reverse-proxy configuration to block the
> >>>>>> CONNECT method being used to access the peers.
> >>>>> Sorry, but can you elaborate on this?
> >>>>
> >>>> The "internal net -> forward proxy" step of the chain uses a
> >>>> CONNECT request.
> >>>>
> >>>> cache_peer BLAH deny CONNECT
> >>>>
> >>>> is needed to force "internal net -> forward proxy -> accelerator(self)".
> >>>> Otherwise requests like "CONNECT owa:443" will be optimized as
> >>>> "internal net -> accelerator -> OWA", even though OWA does not handle
> >>>> CONNECT.
> >>>>
> >>>> Blocking CONNECT to the peer forces the config down to the forward-proxy
> >>>> config, which _is_ allowed to do the looping-back bit and de-tunneling
> >>>> the CONNECT.
> >>>>
> >>> As far as I can see, cache_peer doesn't allow a deny parameter, so I
> >>> tried the following and get "the requested URL cannot be retried". At
> >>> least it's not just hanging:
> >>>
> >>> cache_peer blah
> >>>
> >>> acl OWA dstdomain owa.domain.com
> >>> http_access allow OWA
> >>> miss_access allow OWA
> >>> acl CONNECT method CONNECT
> >>> cache_peer_access owa-server deny CONNECT
> >>> cache_peer_access owa-server allow OWA
> >>> never_direct allow OWA
> >>>
> >>> [normal forward proxy config below]
> >>>
> >>> Thanks,
> >>> Alan
> >>
> >> With the configuration above, the logs look like this:
> >> access.log:
> >> 1235235368.181 0 172.16.7.203 TCP_MISS/503 0 CONNECT owa.domain.com:443 - NONE/- -
> >> 1235235368.428 163 172.16.7.203 TCP_MISS/304 326 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 -
> >>
> >> cache.log:
> >> -----END SSL SESSION PARAMETERS-----
> >> 2009/02/21 10:56:59| Failed to select source for '[null_entry]'
> >> 2009/02/21 10:56:59| always_direct = 0
> >> 2009/02/21 10:56:59| never_direct = 1
> >> 2009/02/21 10:56:59| timedout = 0
> >>
> >> '[null_entry]' is curious. Shouldn't that be URL for OWA?
> >>
> >> Playing with this same configuration, if I authenticate to OWA first
> >> via another proxy, then switch to this one, it will keep working until
> >> I restart the browser.
> >>
> >> Is there some other way to accomplish deny CONNECT?
> >
> > Drop the "never_direct" entry. It's cutting the loopback from happening.
>
> No, forget that. Add !CONNECT to it instead.
>

Perfect. Thank you!
The apparently-working 3.1.0.5 configuration now looks like this:

#OWA config
# accelerator port for OWA; connection-auth=off disables Microsoft
# connection-oriented authentication (NTLM/Negotiate) on this port
https_port blah connection-auth=off
cache_peer blah name=owa-server
acl OWA dstdomain owa.domain.com
http_access allow OWA
miss_access allow OWA
# only OWA requests may be sent to the owa-server peer
cache_peer_access owa-server allow OWA
cache_peer_access owa-server deny all
acl CONNECT method CONNECT
# send OWA requests through the peer, but exempt CONNECT so the tunnel from
# the forward-proxy side goes direct and loops back onto the https_port above
never_direct allow OWA !CONNECT

#RPC over https config
# accelerator port for RPC over HTTPS (Outlook Anywhere)
https_port blah
cache_peer blah name=rpc-server
acl RPC dstdomain rpc.domain.com
http_access allow RPC
miss_access allow RPC
# only RPC requests may be sent to the rpc-server peer
cache_peer_access rpc-server allow RPC
never_direct allow RPC

[normal forward proxy config below]

Received on Sun Feb 22 2009 - 19:35:38 MST

This archive was generated by hypermail 2.2.0 : Mon Feb 23 2009 - 12:00:01 MST
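Added example for this archive page (not code from the post or from Squid): a small Python model of why the first configuration in the thread logged "Failed to select source ... never_direct = 1" for CONNECT, and why adding !CONNECT to never_direct fixed it. It assumes squid.conf's first-match access lists (an unmatched list yields the opposite of its last line), the default nonhierarchical_direct behaviour under which a non-GET request such as CONNECT goes to the origin unless never_direct forbids it, and the thread's scenario that a DIRECT connection to owa.domain.com:443 lands on the proxy's own https_port. The hierarchy codes it returns (NONE, DIRECT, FIRSTUP_PARENT) are the labels Squid logs; the ACL and routing logic is a deliberate simplification, not a Squid reimplementation.

```python
"""Simplified model of the Squid 3.1 routing decisions discussed in this thread.

Added example; models only what the thread turns on: dstdomain/method ACLs,
first-match access lists, never_direct, cache_peer_access, and the
nonhierarchical_direct default (assumed: non-GET requests such as CONNECT go
direct unless never_direct forbids it).  Hostnames are the thread's placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str   # "CONNECT" or "GET"
    host: str     # destination host, matched by dstdomain


# acl name -> (type, value); names match the squid.conf in the thread
ACLS = {
    "OWA": ("dstdomain", "owa.domain.com"),
    "RPC": ("dstdomain", "rpc.domain.com"),
    "CONNECT": ("method", "CONNECT"),
    "all": ("all", None),
}


def acl_matches(name, req):
    """Evaluate one acl name, honouring a leading '!' as squid.conf does."""
    negate = name.startswith("!")
    kind, value = ACLS[name.lstrip("!")]
    if kind == "dstdomain":
        hit = req.host == value          # exact host only; subdomain forms omitted
    elif kind == "method":
        hit = req.method == value
    else:
        hit = True                       # acl all
    return hit != negate


def access_list(rules, req):
    """First line whose acls all match wins; no match -> opposite of last line."""
    if not rules:
        return False
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action == "allow"
    last_action, _ = rules[-1]
    return last_action != "allow"


def select_source(cfg, req):
    """Return the hierarchy code Squid would log for routing this request."""
    never_direct = access_list(cfg["never_direct"], req)
    hierarchical = req.method == "GET"   # CONNECT is non-hierarchical
    if not never_direct and not hierarchical:
        return "DIRECT"                  # nonhierarchical_direct on: straight to origin
    for peer, rules in cfg["peers"].items():
        if access_list(rules, req):      # cache_peer_access permits this peer
            return f"FIRSTUP_PARENT/{peer}"
    if never_direct:
        return "NONE"                    # cache.log: Failed to select source, never_direct = 1
    return "DIRECT"


def browser_https(cfg, host):
    """Follow an HTTPS request from the internal net through the forward proxy.

    Returns one hop string per request Squid had to route.
    """
    hops = []
    tunnel = select_source(cfg, Request("CONNECT", host))
    hops.append(f"CONNECT {host}:443 -> {tunnel}")
    if tunnel != "DIRECT":
        return hops                      # tunnel got a 503 or was handed to a peer
    # Assumption from the thread: DIRECT to owa.domain.com:443 reaches Squid's own
    # https_port, where the de-tunnelled request arrives as a plain GET.
    inner = select_source(cfg, Request("GET", host))
    hops.append(f"GET https://{host}/ -> {inner}")
    return hops


# Alan's first attempt: never_direct catches CONNECT, the peer refuses it.
BROKEN = {
    "never_direct": [("allow", ["OWA"])],
    "peers": {"owa-server": [("deny", ["CONNECT"]), ("allow", ["OWA"])]},
}
# The working 3.1.0.5 config from the post: CONNECT is exempted from never_direct.
FIXED = {
    "never_direct": [("allow", ["OWA", "!CONNECT"])],
    "peers": {"owa-server": [("allow", ["OWA"]), ("deny", ["all"])]},
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, browser_https(cfg, "owa.domain.com"))
    print("forward request", select_source(FIXED, Request("GET", "www.squid-cache.org")))
```

Running it reproduces the two access.log lines quoted above: with BROKEN the CONNECT ends with hierarchy code NONE (the TCP_MISS/503), while with FIXED the CONNECT goes DIRECT, loops back, and the inner GET is forwarded to owa-server; an unrelated GET to www.squid-cache.org still goes DIRECT.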