Re: [squid-users] Dealing with HTTP redirects from server on HTTPs proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 07 Jan 2011 18:35:55 +1300

On 04/01/11 08:03, r.cazenave_at_free.fr wrote:
> Dear all,
>
> I am facing an issue with Squid configuration for which hopefully you
> will be able to help.
>
> The web server is using http only and is sending redirection (HTTP
> messages 302) towards its full URL, as in
> http://172.16.28.43:3080/site/redirect_login.do.
>
> Squid proxy (v3) is configured as reverse proxy to handle only HTTPS
> requests from clients (actually any other ports than 443 are blocked
> by in-between firewall).
>
> The proxy is working as expected and is correctly handling clients'
> requests and is replacing in server redirects the IP address:port by
> its own address and thus client receives the following:
> 302:http://mydomain.com/site/redirect_login.do.

?? Squid v3 is not yet capable of re-writing server redirect responses
as you have described. The location_rewrite feature is needing a port
from 2.x to 3.x. Do you have a patch to submit to squid-dev mailing list?

>
> The remaining issue for which I am seeking help is protocol, I would
> like that http:// is translated to https:// by squid proxy. Without
> this, the client is then trying to connect to port 80 using http
> which is discarded by the firewall. I have tried redirector programs
> but it is not working (I suppose it translates only requests from
> client).

It sounds like a working redirector for you would be writing https:// in
the URL instead of http://. This is easily fixed by altering whatever
redirector you are using for Location: header re-write.

The best way to do redirects in reverse-proxy is with deny_info before
the request ever gets to the server. Define a deny_info with https://
protocol URL and the client will get that.

What I suggest is this at the top of your squid.conf:

   acl HTTP proto HTTP
   deny_info https://mydomain.com/site/redirect_login.do HTTP
   http_access deny HTTP

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Fri Jan 07 2011 - 05:36:02 MST
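
Added example (not part of the original message and not Squid project code): a Location-header rewrite helper of the kind the reply refers to. It upgrades only redirects that point at the backend or the public host to https:// and leaves third-party and relative redirects untouched. The line-based helper protocol (Location URL as the first field of each input line, one reply line per request) and the constant names are assumptions; check them against the helper interface of the Squid version in use.

```python
#!/usr/bin/env python3
"""Location-header rewrite helper (added example, not Squid project code)."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Values taken from the thread; adjust for your deployment.
BACKEND_NETLOCS = {"172.16.28.43:3080"}   # origin server as it names itself
PUBLIC_HOST = "mydomain.com"              # name clients use to reach the proxy


def rewrite_location(location, backends=BACKEND_NETLOCS, public=PUBLIC_HOST):
    """Return an https:// URL on the public host for redirects that point
    at the backend or at the public host over plain http; leave anything
    else (relative URLs, third-party sites, already-https) untouched."""
    url = location.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    netloc = parts.netloc.lower()
    # Treat "mydomain.com" and "mydomain.com:80" as the same public origin.
    public_forms = {public.lower(), public.lower() + ":80"}
    if netloc not in backends and netloc not in public_forms:
        return url
    return urlunsplit(("https", public, parts.path or "/",
                       parts.query, parts.fragment))


def main():
    # Assumed helper protocol: one request per line, Location URL first,
    # extra fields ignored; one reply line per request.
    for line in sys.stdin:
        fields = line.split()
        reply = rewrite_location(fields[0]) if fields else ""
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()   # helpers must not buffer their replies


if __name__ == "__main__":
    main()
```

Restricting the rewrite to known hosts keeps the helper from altering redirects to unrelated sites.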
