----- "Amos Jeffries" <squid3_at_treenet.co.nz> a écrit :
> On 11/01/11 02:59, r.cazenave_at_free.fr wrote:
> >
> > ----- "Amos Jeffries"<squid3_at_treenet.co.nz> wrote:
> >
> >> On 04/01/11 08:03, r.cazenave_at_free.fr wrote:
> >>> Dear all,
> >>>
> >>> I am facing an issue with Squid configuration for which hopefully
> >> you
> >>> will be able to help.
> >>>
> >>> The web server is using http only and is sending redirection
> (HTTP
> >>> messages 302) towards its full URL, as in
> >>> http://172.16.28.43:3080/site/redirect_login.do.
> >>>
> >>> Squid proxy (v3) is configured as reverse proxy to handle only
> >> HTTPS
> >>> request from clients (actually any other ports than 443 are
> blocked
> >>> by in-between firewall).
> >>>
> >>> The proxy is working as expected and is correctly handling
> clients
> >>> requests and is replacing in server redirects the IP address:port
> >> by
> >>> its own address and thus client receives the following:
> >>> 302:http://mydomain.com/site/redirect_login.do.
> >>
> >> ?? Squid v3 is not yet capable of re-writing server redirect
> responses
> >>
> >> as you have described. The location_rewrite feature is needing a
> port
> >>
> >> from 2.x to 3.x. Do you have a patch to submit to squid-dev
> mailing
> >> list?
> >>
> > My mistake, it is actually done by the Web server directly, not by
> Squid.
> >
> >>>
> >>> The remaining issue for which I am seeking help is protocol, I
> >> would
> >>> like that http:// is translated to https:// by squid proxy.
> Without
> >>> this, the client is then trying to connect to port 80 using http
> >>> which is discarded by the firewall. I have tried redirector
> >> programs
> >>> but it is not working (I suppose it translates only requests from
> >>> client).
> >>
> >> It sounds like a working redirector for you would be writing
> https://
> >> in
> >> the URL instead of http://. This is easily fixed by altering
> whatever
> >>
> >> redirector you are using for Location: header re-write.
> >>
> > Can this be done in squid ? (I cannot modify web server)
> >>
> >> The best way to do redirects in reverse-proxy is with deny_info
> before
> >>
> >> the request ever gets to the server. Define a deny_info with
> https://
> >>
> >> protocol URL and the client will get that.
> >>
> >> What I suggest is this at the top of your squid.conf:
> >>
> >> acl HTTP proto HTTP
> >> deny_info https://mydomain.com/site/redirect_login.do HTTP
> >> http_access deny HTTP
> >>
> >>
> >> Amos
> >
> > Thank you Amos for your proposal. It is not completely solving the
> issue as it
> > means I have to open the http port which was rejected before.
>
> So where is the HTTP inbound requests coming from if not from the HTTP
> port?
>
> NP: "proto" ACL tests the http:// part of URL texts. The request can
> actually arrive in any port.
>
The problem is that when sending a GET on for instance https://mydomain.com/site/redirect_login.do, the server reply a 302:http://mydomain.com/site/redirect_files.do
It is this reply from the server that I would like to modify so that client never tries to connect to http://...
> > The remaining problem is also that I have redirects on all my web
> server pages
> > so my next question: is it possible to redirect to a specific page
> depending on
> > the page requested by client ? Meaning that if client requests
> > http://mydomain.com/site/menu.do, it is redirected to
> > https://mydomain.com/site/menu.do ?
> > I tried deny_info https://mydomain.com/site/%R HTTP but %R is not
> resolved, and
> > client tries to connect to https://mydomain.com/site/%R
>
> Yes ... but. To do the macro-based URLs requires squid-3.2 beta
> software.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.10
> Beta testers wanted for 3.2.0.4
Alright then I will have to wait for 3.2 stable release.
Remi
Received on Tue Jan 11 2011 - 07:03:50 MST
This archive was generated by hypermail 2.2.0 : Tue Jan 11 2011 - 12:00:04 MST