On 04/01/11 08:03, r.cazenave_at_free.fr wrote:
> Dear all,
>
> I am facing an issue with Squid configuration for which hopefully you
> will be able to help.
>
> The web server is using http only and is sending redirection (HTTP
> messages 302) towards its full URL, as in
> http://172.16.28.43:3080/site/redirect_login.do.
>
> Squid proxy (v3) is configured as reverse proxy to handle only HTTPS
> requests from clients (actually any other ports than 443 are blocked
> by the in-between firewall).
>
> The proxy is working as expected and is correctly handling client
> requests and is replacing in server redirects the IP address:port by
> its own address and thus the client receives the following:
> 302:http://mydomain.com/site/redirect_login.do.

?? Squid v3 is not yet capable of re-writing server redirect responses
as you have described. The location_rewrite feature needs a port
from 2.x to 3.x. Do you have a patch to submit to the squid-dev mailing list?

>
> The remaining issue for which I am seeking help is protocol, I would
> like that http:// is translated to https:// by squid proxy. Without
> this, the client is then trying to connect to port 80 using http
> which is discarded by the firewall. I have tried redirector programs
> but it is not working (I suppose it translates only requests from
> client).

It sounds like a working redirector for you would be writing https:// in
the URL instead of http://. This is easily fixed by altering whatever
redirector you are using for Location: header re-write.

The best way to do redirects in reverse-proxy is with deny_info before
the request ever gets to the server. Define a deny_info with https://
protocol URL and the client will get that.

What I suggest is this at the top of your squid.conf:

  acl HTTP proto HTTP
  deny_info https://mydomain.com/site/redirect_login.do HTTP
  http_access deny HTTP

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4

Received on Fri Jan 07 2011 - 05:36:02 MST
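
Added example, not part of the original message or of Squid itself: a Location-header rewrite helper of the kind the reply refers to, written for the Squid 2.x location_rewrite feature. It assumes the 2.7 helper interface (one input line per Location header, with the Location URL as the first field, and a blank reply meaning "leave unchanged"); the backend address and public name are the ones quoted in the thread, and the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Location-header rewrite helper (added example, not from the thread)."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Values quoted in the thread: the backend origin and the public name.
# Only redirects aimed at these hosts are rewritten.
BACKEND_HOSTS = {"172.16.28.43:3080", "mydomain.com", "mydomain.com:80"}
PUBLIC_HOST = "mydomain.com"


def rewrite_location(location):
    """Return the https:// form of a backend redirect, or "" for no change."""
    try:
        parts = urlsplit(location)
    except ValueError:
        return ""  # unparsable URL: pass it through untouched
    if parts.scheme.lower() != "http":
        return ""  # already https, relative, or another scheme
    if parts.netloc.lower() not in BACKEND_HOSTS:
        return ""  # redirect to some other site: do not rewrite it
    return urlunsplit(
        ("https", PUBLIC_HOST, parts.path, parts.query, parts.fragment)
    )


def handle_line(line):
    """Process one helper request line (assumed format: Location URL first)."""
    fields = line.split()
    return rewrite_location(fields[0]) if fields else ""


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer


if __name__ == "__main__":
    main()
```

Matching on the exact host:port keeps the helper from rewriting redirects that point at third-party sites or that carry a lookalike authority such as user-info before an "@".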