are you sure that the server doesn't change the ip/domain while
doing some kind of redirect? what does the access.log of squid (and
the server's one) tell you?
normally squid doesn't switch back to ip-addresses while retrieving
a website. it could be a redirect that the web-server performs, such as
http://domain/foo -> http://123.45.67.89/foo/
(watch the trailing slash)...
Markus Rietzler
* <rietzler_software/>
* RZF NRW
* Tel: 0211.4572-130
-----Original Message-----
From: Francois.J.Perreault@vmd.desjardins.com
[mailto:Francois.J.Perreault@vmd.desjardins.com]
Sent: Saturday, 10 August 2002 00:15
To: squid-users@squid-cache.org
Subject: [squid-users] Cookies and/or URLs becoming IP addresses when
using proxy with SSL
IE Browser (5 and 6) is set to use a proxy (Squid and Apache)
and accesses an SSL site in development. Eventually (about
4 or 5 clicks), the site's main cookie which came from the site's
domain name, will now appear to come from an IP address, thus
not being the same cookie to the browser. This breaks the SSL
session and everything is then requested using http (not https)
and most often by referring to the IP address and not the proper
domain name URL. Needless to say the site stops working.
Removal of the proxy settings in the browser (assuming the
station is permitted through by the firewall) and the bug goes
away. Considering how the proxy is merely tunneling the SSL
session, how can the cookie (or URL) get poisoned like that?
-- Squid Config:
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 8080 8000
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl badlangblock url_regex -i "/etc/squid/badlang.block.txt"
acl badlangunblock url_regex -i "/etc/squid/badlang.unblock.txt"
acl entertainblock url_regex -i "/etc/squid/entertain.block.txt"
acl entertainunblock url_regex -i "/etc/squid/entertain.unblock.txt"
acl gamesblock url_regex -i "/etc/squid/games.block.txt"
acl gamesunblock url_regex -i "/etc/squid/games.unblock.txt"
acl pirateblock url_regex -i "/etc/squid/pirate.block.txt"
acl pornblock url_regex -i "/etc/squid/porn.block.txt"
acl pornunblock url_regex -i "/etc/squid/porn.unblock.txt"
acl limiteddeny url_regex -i "/etc/squid/limited.deny.txt"
acl limitedallow url_regex -i "/etc/squid/limited.allow.txt"
acl allowsimpleurl urlpath_regex -i "/etc/squid/allow_simpleurl.txt"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny badlangblock !badlangunblock
http_access deny entertainblock !entertainunblock
http_access deny gamesblock !gamesunblock
http_access deny pirateblock
http_access deny pornblock !pornunblock
http_access deny limiteddeny
#http_access allow limitedallow
#http_access allow allowsimpleurl
#http_access allow CONNECT SSL_ports
#http_access deny all
http_access allow all

Received on Mon Aug 12 2002 - 04:30:58 MDT
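
An added example, not part of the original messages: one way to run the access.log check suggested in the reply, scanning Squid native-format log lines for a client whose requests move from a hostname to an IP-literal host. The log lines, host names and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1028931300.101 420 10.0.0.5 TCP_MISS/200 5120 CONNECT dev.example.test:443 - DIRECT/192.0.2.10 -
1028931305.220 35 10.0.0.5 TCP_MISS/302 310 GET http://dev.example.test/foo - DIRECT/192.0.2.10 text/html
1028931305.480 60 10.0.0.5 TCP_MISS/200 2048 GET http://192.0.2.10/foo/ - DIRECT/192.0.2.10 text/html
1028931310.000 50 10.0.0.9 TCP_MISS/200 900 GET http://dev.example.test/bar - DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Return (client, status, scheme, host) for one native-format line, or None."""
    f = line.split()
    if len(f) < 10:
        return None
    client, method, url = f[2], f[5], f[6]
    status = f[3].partition("/")[2]          # "TCP_MISS/302" -> "302"
    if method == "CONNECT":                  # logged as "host:port", no scheme
        return client, status, "tunnel", url.rsplit(":", 1)[0]
    parts = urlsplit(url)
    return client, status, parts.scheme, parts.hostname or ""

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def find_host_switches(log_text):
    """Flag clients whose requests move from a hostname to an IP-literal host."""
    last_named = {}   # client -> (host, status) of its latest hostname request
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec[3]:
            continue
        client, status, scheme, host = rec
        if not is_ip_literal(host):
            last_named[client] = (host, status)
        elif client in last_named:
            prev_host, prev_status = last_named.pop(client)
            findings.append({"client": client, "from": prev_host, "to": host,
                             "after_redirect": prev_status.startswith("3"),
                             "plain_http": scheme == "http"})
    return findings

if __name__ == "__main__":
    for finding in find_host_switches(SAMPLE_LOG):
        print(finding)
```

A finding with `after_redirect` set points at the origin server issuing the redirect to its IP address; because cookies are scoped to the host that set them, the browser will not send the domain's cookie to the IP-literal URL.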