Hello everyone,
I'm new to squid and I've been pulling out hairs on this problem all
morning. Perhaps someone on the list has some advice.
Here's the situation:
I need to setup an SSL reverse proxy that will handle https traffic on port
443 from client (IE6) to proxy, and http traffic on port 8015 from the
proxy to the backend server.
I installed squid-2.5.STABLE4-20040121 on fedora as an http accelerator
only, created my ssl keys and certs, and started everything up. Here is my
testing config:
http_access allow all
http_reply_access allow all
httpd_accel_host backend.foo.com
httpd_accel_port 8015
httpd_accel_single_host on
httpd_accel_uses_host_header off
httpd_accel_with_proxy off
https_port 443 cert=/tmp/cert.pem key=/tmp/key.pem
ssl_unclean_shutdown on
cache_store_log none
redirect_program /usr/local/squirm/bin/myRedirect
redirect_children 10
redirect_rewrites_host_header off
The login page to the backend server got proxyed correctly, but after logon
the return traffic to the client contained frames with links to
'http://backend.foo.com:8015'. I used split DNS to make the client resolve
'backend.foo.com' to the squid reverse proxy, but since squid is not (and I
do not want it to) listen on http port 8015, squid sends RSTs back to the
client.
Since I can't tell the app to change it's links, I tried implementing a
redirector per the squid FAQ section 15.5. Here's my shamelessly ripped
code:
#!/usr/bin/perl
$|=1;
while (<>) {
@x = split;
$url = $x[0];
if ($url =~ /^http:\/\/backend\.foo\.com:8015/) {
$url =~ s/^http/https/;
$url =~ s/\.com:8015/\.com/;
print "301:$url\n";
} else {
print "$url\n";
}
}
This works as I would think it should from the command line, only
redirecting requests starting with 'http:backend.foo.com:8015', but
according to my tcpdump traces squid is responding to *any* http or https
request with a 301 redirect. Thus the loop.
I then tried SQUIRM as my redirector with the following pattern:
regexi ^http://backend\.foo\.com:8015/(.*$) 301:https://backend.fod.com/\1
This also works as expected via the command line, but again, according to
tcpdump I have the exact same looping 301 problem. Anyone have any ideas as
to what's wrong?
Here is what shows up (repeated many times) in my squid access.log during
the looping:
1 10.0.2.50 TCP_MISS/301 171 GET http://backend.foo.com:8015/ - NONE/- -
Thank you for your time,
Mike
Received on Fri Jan 23 2004 - 11:52:52 MST
This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:08 MST