Re: [squid-users] Dealing with HTTP redirects from server on HTTPs proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 11 Jan 2011 20:23:48 +1300

On 11/01/11 20:03, r.cazenave_at_free.fr wrote:
>
> ----- "Amos Jeffries"<squid3_at_treenet.co.nz> wrote:
>
>> On 11/01/11 02:59, r.cazenave_at_free.fr wrote:
>>>
>>> ----- "Amos Jeffries"<squid3_at_treenet.co.nz> wrote:
>>>
>>>> On 04/01/11 08:03, r.cazenave_at_free.fr wrote:
>>>>> Dear all,
>>>>>
>>>>> I am facing an issue with Squid configuration for which hopefully
>>>>> you will be able to help.
>>>>>
>>>>> The web server is using http only and is sending redirection (HTTP
>>>>> messages 302) towards its full URL, as in
>>>>> http://172.16.28.43:3080/site/redirect_login.do.
>>>>>
>>>>> Squid proxy (v3) is configured as reverse proxy to handle only HTTPS
>>>>> request from clients (actually any other ports than 443 are blocked
>>>>> by in-between firewall).
>>>>>
>>>>> The proxy is working as expected and is correctly handling clients
>>>>> requests and is replacing in server redirects the IP address:port by
>>>>> its own address and thus client receives the following:
>>>>> 302:http://mydomain.com/site/redirect_login.do.
>>>>
>>>> ?? Squid v3 is not yet capable of re-writing server redirect responses
>>>> as you have described. The location_rewrite feature is needing a port
>>>> from 2.x to 3.x. Do you have a patch to submit to squid-dev mailing
>>>> list?
>>>>
>>> My mistake, it is actually done by the Web server directly, not by Squid.
>>>
>>>>>
>>>>> The remaining issue for which I am seeking help is protocol, I would
>>>>> like that http:// is translated to https:// by squid proxy. Without
>>>>> this, the client is then trying to connect to port 80 using http
>>>>> which is discarded by the firewall. I have tried redirector programs
>>>>> but it is not working (I suppose it translates only requests from
>>>>> client).
>>>>
>>>> It sounds like a working redirector for you would be writing https://
>>>> in the URL instead of http://. This is easily fixed by altering whatever
>>>> redirector you are using for Location: header re-write.
>>>>
>>> Can this be done in squid? (I cannot modify web server)
>>>>
>>>> The best way to do redirects in reverse-proxy is with deny_info before
>>>> the request ever gets to the server. Define a deny_info with https://
>>>> protocol URL and the client will get that.
>>>>
>>>> What I suggest is this at the top of your squid.conf:
>>>>
>>>> acl HTTP proto HTTP
>>>> deny_info https://mydomain.com/site/redirect_login.do HTTP
>>>> http_access deny HTTP
>>>>
>>>>
>>>> Amos
>>>
>>> Thank you Amos for your proposal. It is not completely solving the issue as it
>>> means I have to open the http port which was rejected before.
>>
>> So where are the HTTP inbound requests coming from if not from the HTTP
>> port?
>>
>> NP: "proto" ACL tests the http:// part of URL texts. The request can
>> actually arrive in any port.
>>
> The problem is that when sending a GET on for instance https://mydomain.com/site/redirect_login.do, the server replies a 302:http://mydomain.com/site/redirect_files.do
>
> It is this reply from the server that I would like to modify so that the client never tries to connect to http://...
>

Ah, I got you all backwards.

What you need is the location_rewrite feature, which is only in 2.7 so far.

The deny_info way might work when applied to http_reply_access. I've not
tried it though to see.

In Squid-3 this would be done with an ICAP service or eCAP plugin which
alters the Location: header as it passes through.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Tue Jan 11 2011 - 07:23:59 MST
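The rewrite Amos describes (turning an origin server's http:// Location: header into the public https:// URL before it reaches the client) is small enough to show as a helper. The Python below is an added example, not code from the thread or from the Squid project. It assumes that Squid 2.7's location_rewrite_program hands the helper one line per Location: header with the redirect URL as the first whitespace-separated token and expects back either the rewritten URL or a blank line meaning "leave it alone"; check squid.conf.documented for your version before relying on that framing. The host mapping (172.16.28.43:3080 and mydomain.com, both taken from the thread) is an assumption about the site, and the same rewrite_location() logic is what an ICAP service or eCAP adapter for Squid-3 would apply to the Location: header. Only hosts that belong to the proxied site are rewritten, so a redirect to a third-party site is passed through untouched rather than being "upgraded" on someone else's behalf.

```python
#!/usr/bin/env python3
"""Location: header rewriting helper for a reverse proxy (added example).

Assumed helper protocol (verify against your Squid's squid.conf.documented):
one request line per Location: header, URL as the first token; the reply is
the rewritten URL, or an empty line when the header should stay as it is.
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# host[:port] values as they appear in the origin's redirects, mapped to the
# public HTTPS hostname. The hosts come from the thread; the mapping itself
# is an assumption about the deployment.
ORIGIN_TO_PUBLIC = {
    "172.16.28.43:3080": "mydomain.com",
    "mydomain.com": "mydomain.com",
    "mydomain.com:80": "mydomain.com",
}


def rewrite_location(url: str, mapping=ORIGIN_TO_PUBLIC) -> str:
    """Return the URL the client should receive, or "" if no rewrite applies.

    Only http:// URLs pointing at one of our own origins are touched; https://,
    relative and foreign-host redirects are left alone (empty reply).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return ""  # already https://, relative, or a non-HTTP scheme
    public_host = mapping.get(parts.netloc.lower())
    if public_host is None:
        return ""  # third-party host: pass through unchanged
    # https:// implies port 443, so the netloc is just the public hostname;
    # path, query and fragment are preserved exactly.
    return urlunsplit(("https", public_host, parts.path, parts.query, parts.fragment))


def handle_line(line: str) -> str:
    """Turn one helper request line into the reply line (without newline)."""
    fields = line.split()
    if not fields:
        return ""
    return rewrite_location(fields[0])


def main() -> None:
    # Flush after every reply: Squid waits for one answer per request line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand with a constructed request line (`echo "http://mydomain.com/site/redirect_files.do" | ./location_rewrite.py`) and it answers `https://mydomain.com/site/redirect_files.do`; a redirect to another site answers with an empty line. Keeping the host allow-list explicit is the important design choice: a rewrite helper that blindly swaps every http:// for https:// would also break legitimate redirects to sites that are not behind this proxy.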