[squid-users] Squid Reverse Proxy issue

From: Eric Van Steenbergen <evan_at_tradisa.com>
Date: Tue, 28 Jul 2009 08:27:48 +0200

Hello,

I've successfully set up a Squid reverse proxy following the "How To Set
Up A Caching Reverse Proxy With Squid 2.6" guide, although with some
differences. I installed Squid 3 stable 16 on a Debian 5.0 Lenny
server. I also installed it with SSL support, created my own
self-signed wildcard certificate, set up LDAP authentication against
our domain and everything.

Everything is working fine, http, https, the certificate, ... but...

I have about 6 http intranet sites and 1 https intranet site. I can
successfully connect to the http sites using http://site1.domain.com,
but it also accepts https://site1.domain.com. The same, in reverse, is
true for the https site. I connect to https://sslsite.domain.com,
accept the exception for the certificate and get connected. But I also
get connected to that site using http://sslsite.domain.com.

1. How do I have to change my configuration so that the https site is
only accessible over an https connection, dropping everyone who tries
to connect to that site using http?
2. When I use https://site1.domain.com to connect to an http site,
after authentication it changes the URL to http://site1.domain.com.
Does this mean that Squid detects that the destination site is an http
site and changes the URL accordingly? If this is true, would my problem
be solved by only accepting https connections?

Here's my squid config. I really hope someone can help me out.
[CODE]
cache_mgr root
# Basic parameters
visible_hostname www.domain.com
auth_param basic realm Domain Security Portal

# This line indicates the server we will be proxying for
http_port 80 defaultsite=www.domain.com vhost

# And the IP Address for it - adjust the IP and port if necessary
cache_peer XXX.XXX.XXX.73 parent 80 0 no-query originserver name=site1
acl site_site1 dstdomain site1.domain.com
cache_peer_access site1 allow site_site1

cache_peer XXX.XXX.XXX.27 parent 80 0 no-query originserver name=site2
acl site_site2 dstdomain site2.domain.com
cache_peer_access site2 allow site_site2

cache_peer XXX.XXX.XXX.21 parent 80 0 no-query originserver name=site3
acl site_site3 dstdomain site3.domain.com
cache_peer_access site3 allow site_site3

cache_peer localhost parent 8080 0 no-query originserver name=acidbase
acl site_acidbase dstdomain acidbase.domain.com
cache_peer_access acidbase allow site_acidbase

https_port XXX.XXX.XXX.78:443 accel cert=/etc/ssl/domaincert.pem key=/etc/ssl/domainkey.pem cafile=/etc/ssl/CA/cacert.pem defaultsite=sslsite.domain.com vhost protocol=https
forwarded_for on

cache_peer XXX.XXX.XXX.84 parent 19080 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=sslsite
acl site_sslsite dstdomain sslsite.domain.com
cache_peer_access sslsite allow site_sslsite
acl https proto https

acl apache rep_header Server ^Apache

# Where the cache files will be, memory and such
cache_dir ufs /var/spool/squid3 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 128 KB

# Log locations and format
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid3/access.log combined

cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
logfile_rotate 10

hosts_file /etc/hosts

# Basic ACLs
# acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT

auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=ldapuser,cn=Users,dc=domain,dc=com" -w "password" -f sAMAccountName=%s -h ldapserver
auth_param basic children 5
acl ldap_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ldap_users
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_access allow all
http_access allow all
http_reply_access allow all

icp_access allow all

cache_effective_group proxy

coredump_dir /var/spool/squid3

emulate_httpd_log on

redirect_rewrites_host_header off

buffered_logs on

# Do not cache cgi-bin, ? urls, posts, etc.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl POST method POST
no_cache deny QUERY
no_cache deny POST
[/CODE]

Kind regards,

Eric
Received on Tue Jul 28 2009 - 06:27:55 MDT
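One way to pin each site to its intended scheme, as an added example that is not part of the original post or of Squid's own documentation: it reuses the `acl https proto https` and the dstdomain ACLs already defined in the posted config, adds a `plain_sites` ACL for the http-only hosts, and assumes the deny rules sit above `http_access allow ldap_users` so that Squid refuses a plain-http request for the TLS-only site before it ever challenges for basic-auth credentials in the clear.

```conf
# Added example (not from the original post): enforce the intended
# scheme per site. Every ACL below except plain_sites already exists
# in the posted squid.conf; plain_sites just groups the http-only hosts.
acl https proto https
acl site_sslsite dstdomain sslsite.domain.com
acl plain_sites dstdomain site1.domain.com site2.domain.com site3.domain.com acidbase.domain.com

# These two lines must come BEFORE "http_access allow ldap_users".
# A request for the TLS-only site that arrives on http_port 80 is
# denied here, so the basic-auth challenge (and the user's password)
# never travels over plain http for that site.
http_access deny site_sslsite !https
# Optional: do not serve the http-only sites through https_port, so the
# browser is never sitting on an https URL for a backend that only
# speaks http.
http_access deny plain_sites https

# Replaces the posted "cache_peer_access sslsite allow site_sslsite":
# even a request that somehow passes http_access cannot reach the TLS
# backend unless it came in over https.
cache_peer_access sslsite allow site_sslsite https
```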