[squid-users] FW: Trying to setup Squid as a reverse proxy. Works fine, but when a client does an HTTP POST, Squid claims there's a forwarding error.

[Amos Jeffries]

On 28/04/2015 4:10 a.m., Brent Newland wrote:
> x-post
> http://www.reddit.com/r/sysadmin/comments/340f36/trying_to_setup_squid_as_a_
> reverse_proxy_works/
> 
> At this point, I've trimmed my Squid config down to:
> 
> http_access allow all
> cache_peer 127.0.0.1 parent 8084 0 no-digest no-query originserver
> name=mywebsite
> cache_peer_domain mywebsite beta.mywebsite.com
> coredump_dir /var/cache/squid
> dns_nameservers 8.8.8.8 208.67.222.222

Well I guarantee thats not all, because there is at least a http_port
line to receive traffic.


> 
> As for my server configuration, I'm on Windows Server 2008 R2 running Squid
> 3.5 from http://squid.diladele.com/ Squid is a reverse proxy for a PHP
> process running the PHP built-in webserver on port 8084. The issue does not
> happen when the PHP webserver is on port 80, so I'm 99% sure the problem
> isn't coming from there.
> 

...
> 
> In the access log I get:
> 

This is the loop being rejected.
> 1430122290.530 1 192.168.10.1 TCP_MISS/403 5050
> POST http://beta.mywebsite.com/wp-login.php[3] - HIER_NONE/- text/html

This is the first request.
> 1430122290.532 17 69.146.194.21 TCP_MISS/403 5119
> POST http://beta.mywebsite.com/wp-login.php[4] - HIER_DIRECT/12.34.56.78
> text/html

Notice how its going DIRECT. Reverse-proxy traffic has an automatic
block on going direct as an option because the DNS entries are pointing
at the proxy that is currently serving the request - guaranteeing that
this loop will occur if DIRECT / DNS is used.

That POST request entered your proxy without going through the
reverse-proxy "accel" mode port, OR you have an always_direct line
forcing this traffic to go direct when it must not.


Instead of using the deprecated cache_peer_domain. Try this instead:

 acl mywebsite dstdomain beta.mywebsite.com
 cache_peer_access mywebsite allow mywebsite


Amos