RE: [squid-users] Reverse Proxy (Accelerator Mode) and HTTPS RedirectEndless Loop

From: Brad Taylor <[email protected]>
Date: Sun, 6 Feb 2005 01:00:17 -0500

>> "$url" value ends up squid.mysite.net, redirecting the browser right
>> back to squid.mysite.net and causing an endless loop. I tried
putting
>> squid.mysite.net in the /etc/hosts file to point to the backend web
>> server, but it did not seem to matter. Is there anyway this can be
>> done?

>You are using Squid-2.5 I suppose.. it's idea of https reverse proxied
>content is a little wierd (internally looks like http)
>
>Instead of using a redirector plain access controls in squid.conf can
do
>the job much easier
>
>acl port80 port 80
>http_access deny port80
>deny_info https://www.your.site/ port80

In theory this looks like the perfect solution, but it didn't work.
Still put in an endless loop. SSL traffic (443) is allowed in the conf
file but here is the response I get from squid using the program wget:

C:\Program Files\wget>wget http://www.mysite.com
--00:39:22-- http://www.mysite.com/
           => `index.html.5'
Resolving www.mysite.com... x.x.x.x
Connecting to www.mysite.com[x.x.x.x]:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://www.mysite.com/ [following]
--00:39:22-- https://www.mysite.com/
           => `index.html.5'
Connecting to www.mysite.com[x.x.x.x]:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://www.mysite.com/ [following]
--00:39:22-- https://www.mysite.com/
           => `index.html.5'
Connecting to www.mysite.com[x.x.x.x]:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://www.mysite.com/ [following]
--00:39:23-- https://www.mysite.com/
           => `index.html.5'

So squid is redirecting to https and port 443 but still seeing the
traffic as port 80 by still sending it to deny_info.

>you can also use the same in redirector_access to control what is sent
to
>the redirector.
>
>alternatively you can use "httpd_accel_port 0" and have the redirector
>look for the port number to determine if this request was received on
the
>http_port or on the https_port.

I don't see any redirector working unless I was sending the browser to a
different URL other then the site I need the client to go to, which is
Squid, causing an endless loop. For example http://my.site.com/ is sent
to squid. That is send to the redirector outputting
https://my.site.com/. That will be sent back to squid and through the
redirector again and again and again in an endless loop. Even if I try
to use redirector_access based on port it will not work because squid
only sees port 80 for http or https. I tested this by denying port 443
and allowing port 80 and my https requests worked with no problems,
confirming squid did not see the 443 deny request in the conf file.
Maybe I'm missing something but I am thinking this maybe can't be done
with squid 2.5. What else can I try?
Received on Sat Feb 05 2005 - 23:00:19 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST