Thank you very much for this answer, Amos.
I've tried the suggested settings but it did not solve my problem.
The purpose of the config I'm looking for is not to have a reverse proxy allow
CONNECT. It is rather to have the proxy server behave like a reverse proxy on
GET and POST requests and as a forward proxy, forwarding to localhost or to
localnet on CONNECT requests, while receiving these various requests on the same
port.
This works with Apache. Hence I thought I could find a way to have it work with
Squid. Here is the simplified code I use in Apache:
<VirtualHost ip-my-virtual-host:port-my-virtual-host>
BLABLABLA
<IfModule mod_proxy.c>
ProxyRequests On
<IfModule mod_proxy_connect.c>
AllowConnect 22
</IfModule>
<ProxyMatch mysshserver.domain.name:22>
Allow from authorized-ips
Deny from all
Order Deny,Allow
</ProxyMatch>
</IfModule>
ProxyPass / http://www.mysite.com
</VirtualHost>
I thought it might work with Squid if, instead of following the highlighted
comment #1 in the example reverse config and placing my reverse proxy
http_access directives, I placed the following block lower in the http_access
block, hoping that my forward requests would hit an http_access rule before being
accelerated.
> ################################
> acl our_sites dstdomain www.mysite.com
> http_access allow our_sites
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> ################################
This did not work either.
I guess I will not be able to obtain the config I'm looking for without:
(i) amending this line:
http_port X.X.X.X:80 accel defaultsite=www.mysite.com
with an allow-direct option; and
(ii) using:
(a) allow_direct rule; and
(b) a cache directive to avoid replies being cached (which should address some
of your concerns).
Thanks.
C
----- Original Message ----
From: Amos Jeffries <squid3@treenet.co.nz>
To: squid-users@squid-cache.org
Sent: Wed 18 May 2011, 4:25:26
Subject: Re: [squid-users] Running squid in both accel and forward mode on the
same port
On Wed, 18 May 2011 01:24:39 +0200, Cedric Lor wrote:
> Hi
>
> I'm running squid Version 2.7.STABLE9 on a FreeBSD.
>
> I have only one external IP. I'm trying to set up squid so that it
> would be running on a single port in accel mode and in forward proxy
> mode.
This is *highly* unsafe. It opens your network to poisoning attacks as outlined
in CVE-2009-0801
Use two http_port's. One for forward and one for reverse traffic.
>
> The idea is to be able to access other services via the Connect
> method on the server, for instances ssh, in order to carry out
> maintenance work on the server as necessary while serving, on a
> backend server on the loopback. I use proxytunnel on a client machine
> to send Connect method and establish a tunnel through Squid to the
> local interface.
>
> When I configure Squid in pure forward proxy, Squid connects to port
> 22 works seamlessly.
>
> However, when I configure Squid to combine reverse and forward, my
> client gets the following answer upon connection with Squid: HTTP
> return code: 400 Bad Request
CONNECT is an illegal method in reverse-proxy traffic. The URL provided is
incomplete and cannot be used by a reverse-proxy to reconstruct an HTTP request.
This is particularly bad when the protocol inside CONNECT is not HTTP anyway.
>
> I've done this in the past with an Apache server (ProxyRequests On
> together with a ProxyPass command) so I'm pretty sure Squid should let
> me do it. But I could not find any configuration example, whether on
> Squid's site or on the internet.
mod_proxy operates like a Squid URL re-writer. All the same behaviour and
problems.
<snip>
> - Squid:
> ---------------------------------------------------------
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.1/32
Change:
acl to_localhost dst 127.0.0.1/32 0.0.0.0/0
> acl to_all dst all
>
> acl SSL_ports port 80 22
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 22 # ssh
>
> acl CONNECT method CONNECT
> ---------------------------------------------------------
> http_access allow manager localhost
> http_access deny manager
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow to_localhost Safe_ports
to_localhost is customized to prevent malicious DNS entries allowing attacks to
bypass security.
The intended use is:
http_access deny to_localhost
Since you seem not to want that, remove it completely.
>
> http_access allow localhost
Change that:
http_access allow localhost CONNECT
>
> ################################
NOTE: highlighted comment #1 in the documentation is...
* This configuration MUST appear at the top of squid.conf above any other
forward-proxy configuration ...
Do that.
> acl our_sites dstdomain www.mysite.com
> http_access allow our_sites
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> ################################
>
> http_access deny all !to_localhost
Change:
http_access deny all
> ---------------------------------------------------------
> icp_access allow localnet
> icp_access deny all
>
> ---------------------------------------------------------
> http_port X.X.X.X:80 accel defaultsite=www.mysite.com
Amos
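The two-port layout Amos recommends, written out as an added example squid.conf fragment (this is not configuration from the thread; X.X.X.X is the public IP as in the original, 192.0.2.10 is a constructed admin address, and the origin on 127.0.0.1:80 and forward port 3128 are assumptions):

```conf
# Added example (not from the thread). Assumptions: X.X.X.X is the public IP,
# 192.0.2.10 is a constructed trusted admin host, the origin server listens on
# 127.0.0.1:80, and 3128 is the separate forward-proxy port.

# --- Reverse-proxy (accel) part: MUST appear first, before any forward-proxy
# --- configuration (highlighted comment #1 in the Squid reverse-proxy docs).
http_port X.X.X.X:80 accel defaultsite=www.mysite.com

acl our_sites dstdomain www.mysite.com
http_access allow our_sites
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow our_sites
never_direct allow our_sites

# --- Forward-proxy part on its own port, used only for the SSH tunnel.
http_port X.X.X.X:3128

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl admin_ips src 192.0.2.10/32          # constructed: the only host allowed to tunnel
acl ssh_on_loopback dst 127.0.0.1/32     # tunnel target must be the loopback
acl ssh_port port 22
acl Safe_ports port 80 22
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports

# CONNECT is permitted only from the admin host, only to port 22 on the
# loopback; everything else on the forward port is refused.
http_access allow admin_ips CONNECT ssh_on_loopback ssh_port
http_access deny all
```

Because the accel port and the forward port are separate, a CONNECT arriving on port 80 is still rejected, and the reverse-proxy rules never see tunnel traffic.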
Received on Wed May 18 2011 - 11:57:56 MDT