Re: [squid-users] Dealing with HTTP redirects from server on HTTPs proxy

From: <r.cazenave_at_free.fr>
Date: Mon, 10 Jan 2011 14:59:18 +0100

----- "Amos Jeffries" <squid3_at_treenet.co.nz> wrote:

> On 04/01/11 08:03, r.cazenave_at_free.fr wrote:
> > Dear all,
> >
> > I am facing an issue with Squid configuration for which hopefully you
> > will be able to help.
> >
> > The web server is using http only and is sending redirection (HTTP
> > messages 302) towards its full URL, as in
> > http://172.16.28.43:3080/site/redirect_login.do.
> >
> > Squid proxy (v3) is configured as reverse proxy to handle only HTTPS
> > request from clients (actually any other ports than 443 are blocked
> > by in-between firewall).
> >
> > The proxy is working as expected and is correctly handling clients
> > requests and is replacing in server redirects the IP address:port by
> > its own address and thus client receives the following:
> > 302:http://mydomain.com/site/redirect_login.do.
>
> ?? Squid v3 is not yet capable of re-writing server redirect responses
> as you have described. The location_rewrite feature is needing a port
> from 2.x to 3.x. Do you have a patch to submit to squid-dev mailing
> list?
>
My mistake, it is actually done by the Web server directly, not by Squid.

> >
> > The remaining issue for which I am seeking help is protocol, I would
> > like that http:// is translated to https:// by squid proxy. Without
> > this, the client is then trying to connect to port 80 using http
> > which is discarded by the firewall. I have tried redirector programs
> > but it is not working (I suppose it translates only requests from
> > client).
>
> It sounds like a working redirector for you would be writing https:// in
> the URL instead of http://. This is easily fixed by altering whatever
> redirector you are using for Location: header re-write.
>
Can this be done in Squid? (I cannot modify web server)
>
> The best way to do redirects in reverse-proxy is with deny_info before
> the request ever gets to the server. Define a deny_info with https://
> protocol URL and the client will get that.
>
> What I suggest is this at the top of your squid.conf:
>
> acl HTTP proto HTTP
> deny_info https://mydomain.com/site/redirect_login.do HTTP
> http_access deny HTTP
>
>
> Amos

Thank you Amos for your proposal. It is not completely solving the issue as it
means I have to open the http port which was rejected before.
The remaining problem is also that I have redirects on all my web server pages,
so my next question: is it possible to redirect to a specific page depending on
the page requested by client? Meaning that if client requests
http://mydomain.com/site/menu.do, it is redirected to
https://mydomain.com/site/menu.do?
I tried deny_info https://mydomain.com/site/%R HTTP but %R is not resolved, and
client tries to connect to https://mydomain.com/site/%R.
Received on Mon Jan 10 2011 - 13:59:33 MST
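
Added example, not part of the original message and not a Squid directive or helper interface: a standalone Python sketch of the Location-header mapping the thread asks for, where redirects pointing at the plain-HTTP backend become https:// URLs on the public name and redirects to any other host are left alone. The addresses are the ones quoted in the thread; the function name, constants and origin list are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumption: the only origins that identify "our" web server are the backend
# address and the plain-HTTP form of the public name quoted in the thread.
BACKEND_ORIGINS = {
    ("http", "172.16.28.43", 3080),
    ("http", "mydomain.com", 80),
}
PUBLIC_SCHEME = "https"
PUBLIC_HOST = "mydomain.com"


def rewrite_location(location, request_url):
    """Return the Location value a client behind the HTTPS-only front end should receive."""
    try:
        # Resolve relative redirects against the public request URL first.
        parts = urlsplit(urljoin(request_url, location))
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            return location  # not an http(s) redirect, leave untouched
        port = parts.port or DEFAULT_PORTS[scheme]
        host = (parts.hostname or "").lower()
    except ValueError:
        return location  # malformed URL or port: pass through unchanged

    # Compare the parsed origin exactly. A prefix or substring test would also
    # match "http://mydomain.com@other.example/", whose real host is other.example.
    if (scheme, host, port) not in BACKEND_ORIGINS:
        return location  # third-party or already-https redirect

    # Keep path, query and fragment so each page maps to its own https URL.
    return urlunsplit(
        (PUBLIC_SCHEME, PUBLIC_HOST, parts.path or "/", parts.query, parts.fragment)
    )


if __name__ == "__main__":
    request = "https://mydomain.com/site/login.do"  # constructed sample request URL
    for sample in (
        "http://172.16.28.43:3080/site/redirect_login.do",
        "http://mydomain.com/site/menu.do",
        "http://other.example/login",
    ):
        print(sample, "->", rewrite_location(sample, request))
```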
