[squid-users] reverse proxy and HTTP redirects

Amos Jeffries squid3 at treenet.co.nz
Tue Dec 3 05:32:57 UTC 2019


On 3/12/19 3:46 am, Vieri Di Paola wrote:
> Hi,
> 
> I configured a reverse proxy with something like this:
> 
> https_port 10.215.145.81:50443 accel cert=/etc/ssl/whatever.cer
> key=/etc/ssl/whatever_key_nopassphrase.pem
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE,No_Compression
> cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> tls-dh=/etc/ssl/whatever/dh2048.pem defaultsite=whatever.org


NP: you have not configured any Elliptic Curve to be used, so all those
EC ciphers will not be usable. Also, you configured some DES-based
ciphers and then disabled DES.


> 
> cache_peer 10.215.248.40 parent 8080 0 no-query originserver
> login=PASS front-end-https=on name=httpsServer
> 
> [etc]
> 
> I can load the web portal just fine from a web client connecting to
> 10.215.145.81:50443. However, the web server then sends an HTTP
> redirection to an HTTP URL which is something like
> http://10.215.248.40:8080/whatever (in other words, the page is hosted
> on the same server). That breaks the browsing experience (connection
> reset).
> 
> If I can't modify the server code at 10.215.248.40, is there a
> workaround for this?

You do not need to modify code anywhere.

The problem is that the client is talking to port 50443 and the service
is expecting port 8080 in URLs.

The best solution is to have the server and Squid using the same port
number. Preferably 443 for HTTPS services.

Alternatively you might be able to use the vport= option on https_port
to set the URL port to 8080. However, this affects *all* inbound traffic
at that port and any embedded URLs the service sends the client will
remain broken (contain port 8080).


Amos
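The two fixes described above, written out as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project: the addresses, paths and cipher names are taken from Vieri's post, while the 443 listener, the reconfigured origin port and the prime256v1 curve are assumptions, and the cipher list is shortened. It also acts on the two notes about the TLS settings: a curve is named in tls-dh so the ECDHE suites can actually be negotiated, and the 3DES entries are removed, with !3DES added so the string no longer lists suites it then tries to exclude.

```conf
# --- Option A (preferred): Squid and the origin use the same port ---
# Squid listens on 443 and the origin server is assumed to be moved to
# 443 as well, so the port it writes into redirects matches the port
# the client connected to.
https_port 10.215.145.81:443 accel defaultsite=whatever.org \
    cert=/etc/ssl/whatever.cer key=/etc/ssl/whatever_key_nopassphrase.pem \
    tls-dh=prime256v1:/etc/ssl/whatever/dh2048.pem \
    options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE,NO_COMPRESSION \
    cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4

# Origin now on 443 (assumption). If it speaks TLS on that port rather
# than plain HTTP, add "tls" (Squid 4; "ssl" on 3.5) to this line.
cache_peer 10.215.248.40 parent 443 0 no-query originserver \
    login=PASS front-end-https=on name=httpsServer

# --- Option B: keep 50443 on Squid and set the URL port to 8080 ---
# vport=8080 makes Squid build request URLs with port 8080, so the origin
# sees the port it expects. It applies to every request on this listener,
# and URLs the origin embeds in its responses still carry port 8080.
# https_port 10.215.145.81:50443 accel vport=8080 defaultsite=whatever.org cert=/etc/ssl/whatever.cer key=/etc/ssl/whatever_key_nopassphrase.pem tls-dh=prime256v1:/etc/ssl/whatever/dh2048.pem
# cache_peer 10.215.248.40 parent 8080 0 no-query originserver login=PASS front-end-https=on name=httpsServer
```

After `squid -k reconfigure`, inspect the redirect directly instead of relying on a browser: `curl -sk -D - -o /dev/null https://10.215.145.81:443/whatever` prints the response headers, and the Location header must name a host and port the client can actually reach through the proxy rather than 10.215.248.40:8080.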

