[squid-users] Parent proxy chaining
Matus UHLAR - fantomas
uhlar at fantomas.sk
Tue Nov 27 16:44:54 UTC 2018
On 27.11.18 08:33, Phillip McCollum wrote:
>I have a deployment in AWS where a VPC has a transparent proxy deployed,
>which forwards 80/443 requests to a parent proxy in another VPC, which I
>then need to forward to another parent proxy (SaaS provider).
>
>Essentially:
>[[Client PC]] --> [[Squid Proxy (10.52.0.20)]] --> [[Parent Squid Proxy (10.52.0.168)]] --> [[Parent SaaS Proxy]]
>
>This is being done to centralize proxy functions and limit the number of
>public IPs that the parent SaaS needs to whitelist.
>
>I'm getting "Access Denied" messages and a review of Squid Parent proxy
>access.log shows the following common errors:
>
>HTTP:
>2018/11/27 16:22:54 kid1| WARNING: Forwarding loop detected for:
>GET / HTTP/1.1
>Accept: text/html, application/xhtml+xml, image/jxr, */*
>Accept-Language: en-US
>User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
>Accept-Encoding: gzip, deflate
>Cookie: B=8nra62ldvb83a&b=3&s=ik
>Via: 1.1 squid (squid/3.5.27)

What are the names of your proxies?
You must set a different visible_name, or at least unique_name, so the proxy
knows it's not contacting itself.

>Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
>    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3130
>   35  2100 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 redir ports 3031

The intercepting (often called transparent) proxy must have direct access to
the world or the parent proxy. Redirecting it back will create a loop.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease
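
Added example (not part of the original message, and not Squid's own code): a simplified Python model of the check behind the "Forwarding loop detected" warning, in which a proxy refuses a request whose Via header already carries its own name. The names `edge-proxy` and `hub-proxy` are hypothetical, and the assumption that both proxies announce themselves as `squid` is taken from the logged Via line.

```python
# Simplified model of Via-based loop detection; not Squid's source code.
SQUID_VERSION = "squid/3.5.27"  # version string from the Via header in the post


def via_hosts(via_header):
    """Return the received-by names listed in a Via header value."""
    hosts = []
    for hop in via_header.split(","):
        parts = hop.split()  # "<protocol-version> <received-by> [(comment)]"
        if len(parts) >= 2:
            hosts.append(parts[1].lower())
    return hosts


def forward(path, names):
    """Pass one request through the proxies in `path`, in order.

    `names` maps a proxy address to the name it writes into Via.
    Returns (outcome, via_header_seen_at_the_last_hop).
    """
    via = ""
    for proxy in path:
        name = names[proxy]
        if name.lower() in via_hosts(via):
            # The proxy finds its own name already in Via: it assumes it
            # has handled this request before and refuses to forward it.
            return "loop detected at " + proxy, via
        hop = "1.1 %s (%s)" % (name, SQUID_VERSION)
        via = hop if not via else via + ", " + hop
    return "forwarded", via


# Constructed scenarios built on the two Squid hops from the post.
CHAIN = ["10.52.0.20", "10.52.0.168"]
# Assumption: both proxies announce the same name, as the logged Via suggests.
SAME_NAMES = {"10.52.0.20": "squid", "10.52.0.168": "squid"}
# Hypothetical distinct names, one per proxy.
DISTINCT_NAMES = {"10.52.0.20": "edge-proxy", "10.52.0.168": "hub-proxy"}
# A redirect rule that hands the parent's outgoing request back to itself.
REDIRECTED_BACK = ["10.52.0.20", "10.52.0.168", "10.52.0.168"]

if __name__ == "__main__":
    print(forward(CHAIN, SAME_NAMES))
    print(forward(CHAIN, DISTINCT_NAMES))
    print(forward(REDIRECTED_BACK, DISTINCT_NAMES))
```

The first scenario stops at 10.52.0.168 with the same Via value as the logged warning even though no loop exists; the third shows that distinct names do not hide a real loop caused by redirecting traffic back to the same proxy.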