[squid-users] Squid going through another forward proxy

Hector Chan hectorchan at gmail.com
Sat Nov 22 00:49:38 UTC 2014


And if it doesn't do the proper HTTP CONNECT, is there any way I can make
squid use HTTP CONNECT and establish a proxy channel?  The reason I ask
is because we use HTTP BasicAuth with the origin server and it needs to be
encrypted end-to-end.

Thanks again,
Hector


On Fri, Nov 21, 2014 at 4:15 PM, Hector Chan <hectorchan at gmail.com> wrote:

> Hi Amos,
>
> For the following cache_peer:
>
> > cache_peer forward-proxy.example.com parent 3128 0 name=C
>
> Would squid do the proper HTTP CONNECT before forwarding the request there?
>
> Thanks,
> Hector
>
> On Thu, Nov 13, 2014 at 10:35 PM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> On 14/11/2014 6:22 p.m., Hector Chan wrote:
>> > Hi Amos,
>> >
>> >> those lines you specify above go in (C). *if* they are needed at
>> >> all.
>> >
>> > But I don't have control over (C).  It's off limits.
>>
>> Then you have to trust that the admin in charge of it set it up right.
>>
>> >
>> >> In (B) goes:
>> >>
>> >> cache_peer forward-proxy.example.com parent 3128 0 name=C
>> >>
>> >> acl sendToC dstdomain origin-x.example.com origin-y.example.com origin-z.example.com
>> >> cache_peer_access C sendToC
>> >
>> > The requests reaching (B) (reverse-proxy.example.com) are in the
>> > form: http://reverse-proxy.example.com/goto-origin-x
>> > http://reverse-proxy.example.com/goto-origin-y
>> > http://reverse-proxy.example.com/goto-origin-z
>> >
>> > and I have a couple of cache_peer_access acls (urlpath regex) to
>> > send them to origin-x, origin-y, and origin-z.  How would the above
>> > dstdomain acl work with these rules?
>>
>> You have now stopped using HTTP and started using some strange
>> URL-embedded protocol.
>>
>> An HTTP proxy cannot help you there. You require a proxy that
>> understands and acts on the URL-embedded protocol messages.
>>
>> It is possible to extend Squid with URL-rewrite helpers that can
>> translate it into a different HTTP URL for passing to (C). BUT, there is
>> no guarantee of what origin (C) will use to fetch that resource. You
>> have to *trust* that (C) uses the origin best suited to any request
>> that it is given, according to the criteria its own admin has set for
>> "best".
>>
>> Amos
>>
>
>
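Added example, not part of the thread and not code from the Squid project: a minimal URL-rewrite helper of the kind Amos mentions, translating the `/goto-origin-*` URLs received by (B) into plain HTTP URLs for the three origins before they are passed to (C). It assumes the Squid 3.4+ helper reply syntax (`OK rewrite-url=...` / `ERR`), and the mapping table and the handling of any path after the prefix are assumptions, since the thread does not show them.

```python
#!/usr/bin/env python3
"""URL-rewrite helper sketch for Squid (added example; mapping is assumed)."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Assumed mapping from the path prefixes in the thread to the origin hosts.
# Only hosts listed here can ever be emitted, so a client cannot steer (B)
# into asking (C) for an arbitrary destination.
ROUTES = {
    "goto-origin-x": "origin-x.example.com",
    "goto-origin-y": "origin-y.example.com",
    "goto-origin-z": "origin-z.example.com",
}
FRONT_HOST = "reverse-proxy.example.com"


def rewrite(url):
    """Return the rewritten URL, or None to leave the request unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or (parts.hostname or "").lower() != FRONT_HOST:
        return None
    prefix, _, rest = parts.path.lstrip("/").partition("/")
    origin = ROUTES.get(prefix)
    if origin is None:
        return None
    return urlunsplit(("http", origin, "/" + rest, parts.query, ""))


def handle(line):
    """Answer one helper request line: '[channel-ID] URL [extras...]'."""
    fields = line.split()
    channel = ""
    if fields and fields[0].isdigit():   # concurrency channel-ID, if enabled
        channel = fields.pop(0) + " "
    target = rewrite(fields[0]) if fields else None
    if target is None:
        return channel + "ERR"            # ERR tells Squid to keep the URL
    return '%sOK rewrite-url="%s"' % (channel, target)


def main():
    for line in sys.stdin:                # Squid sends one request per line
        sys.stdout.write(handle(line) + "\n")
        sys.stdout.flush()                # replies must not sit in a buffer


if __name__ == "__main__":
    main()
```

Squid would load it on (B) with `url_rewrite_program` pointing at the script (path is site-specific); as the quoted reply says, the rewrite only controls which URL is handed to (C), not how (C) fetches it.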