[squid-users] forward proxy to reverse proxy to app

Bernhard Dübi 1linuxengineer at gmail.com
Fri Nov 17 07:33:45 UTC 2017 

Hi,

I try to configure squid for a very special usecase but can't get it
to work. So, if you could give me some hints on how to do it right,
that would be great

Here's what I try to achieve:

the browser has proxy:8080 configured as manual proxy
from the browser I access some websites
when the request is plain http then the reply must be a redirect to https
when the request is https then the ssl connection must be termintaed
on the proxy and the request must be forwarded as http to the
application server

I know, I could just forget about ssl an go directly the app server
with http bt the customer insists on that particular setup

we use several domains like app1.doma.com, app2.domb.biz, app3.domc.org
in order to return the correct certificate for each request, I need a
dedicated ip:port combination for each certificate

I came up with the following setup

browser -> proxy:8080 -> squid    for http://app1.doma.com ->
127.0.0.1:10081 -> haproxy -> redirect
                for https://app1.doma.com -> 127.0.0.1:10401 ->
haproxy -> terminate ssl -> app1.local.net:8123
                for http://app2.doma.com -> 127.0.0.1:10082 -> haproxy
-> redirect
                for https://app2.doma.com -> 127.0.0.1:10402 ->
haproxy -> terminate ssl -> app2.local.net:8765
                for http://app3.doma.com -> 127.0.0.1:10083 -> haproxy
-> redirect
                for https://app3.doma.com -> 127.0.0.1:10403 ->
haproxy -> terminate ssl -> app3.local.net:8888

here's the configuration I created so far

http_port 8080

# User networks
acl Users src 10.11.12.0/22

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow Users
http_access deny all
coredump_dir /var/spool/squid
cache deny all
never_direct allow all

acl to_domA dstdomain .doma.com
acl to_domB dstdomain .domb.biz
acl to_domC dstdomain .domc.org

cache_peer 127.0.0.1 parent 10081 0 name=domA_redirect no-query originserver
cache_peer_access domA_redirect allow !CONNECT to_domA
cache_peer 127.0.0.1 parent 10401 0 name=domA_ssl no-query originserver
cache_peer_access domA_ssl allow CONNECT to_domA

cache_peer 127.0.0.1 parent 10082 0 name=domB_redirect no-query originserver
cache_peer_access domB_redirect allow !CONNECT to_domB
cache_peer 127.0.0.1 parent 10402 0 name=domB_ssl no-query originserver
cache_peer_access domB_ssl allow CONNECT to_domB

cache_peer 127.0.0.1 parent 10083 0 name=domC_redirect no-query originserver
cache_peer_access domC_redirect allow !CONNECT to_domC
cache_peer 127.0.0.1 parent 10403 0 name=domC_ssl no-query originserver
cache_peer_access domC_ssl allow CONNECT to_domC



the plain http part works, squid selects the correct peer and haproxy
reponds with the redirect

ssl respectifely the CONNECT call is the problem

2017/11/17 07:56:21.429 kid1| 28,3| Checklist.cc(63) markFinished:
0x55d69a951b68 answer ALLOWED for match
2017/11/17 07:56:21.429 kid1| 28,3| Checklist.cc(163) checkCallback:
ACLChecklist::checkCallback: 0x55d69a951b68 answer=ALLOWED
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(171)
peerCheckNeverDirectDone: peerCheckNeverDirectDone: ALLOWED
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(177)
peerCheckNeverDirectDone: direct = DIRECT_NO (never_direct allow)
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(441) peerSelectFoo:
CONNECT app1.doma.com
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(685)
peerGetSomeParent: CONNECT app1.doma.com
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(280)
peerSelectDnsPaths: Failed to select source for 'app1.doma.com:443'
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(281)
peerSelectDnsPaths:   always_direct = DENIED
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(282)
peerSelectDnsPaths:    never_direct = ALLOWED
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(295)
peerSelectDnsPaths:        timedout = 0
2017/11/17 07:56:21.429 kid1| 26,3| tunnel.cc(1156)
tunnelPeerSelectComplete: No paths found. Aborting CONNECT
2017/11/17 07:56:21.429 kid1| 4,3| errorpage.cc(633) errorSend:
local=10.1.2.3:8080 remote=10.11.12.13:61110 FD 12 flags=1,
err=0x55d69a511528
2017/11/17 07:56:21.429 kid1| 4,2| errorpage.cc(1262) BuildContent: No
existing error page language negotiated for ERR_CANNOT_FORWARD. Using
default error file.


if it makes any difference here some details about os and squid:

root at proj-proxy:~# dpkg -l | grep squid
ii  squid                             3.5.12-1ubuntu7.4
          amd64        Full featured Web Proxy cache (HTTP proxy)
ii  squid-common                      3.5.12-1ubuntu7.4
          all          Full featured Web Proxy cache (HTTP proxy) -
common files
ii  squid-langpack                    20150704-1
          all          Localized error pages for Squid

root at proj-proxy:~# uname -a
Linux proj-proxy 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

root at proj-proxy:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial



Many thanks for your help
Bernhard

More information about the squid-users mailing list