[squid-users] Squid as Reverse Proxy with Parent Proxy, http inbound and https outbound

Alex Rousskov rousskov at measurement-factory.com
Thu Aug 11 20:28:12 UTC 2022


On 8/11/22 16:00, Joel Howard wrote:

> I'm trying to use Squid (3.5.27, in a docker container) 

My response below should cover Squid v3 in principle, but there may be 
important caveats that I am forgetting about that apply to that 
unsupported and ancient version. You should not use that version.


> as a non-caching 
> reverse proxy with http inbound and https outbound, to support an 
> application that requires a proxy for internet access but does not allow 
> proxy configuration (and I do not have access to the application's host 
> machine). Ideally the squid proxy itself would not have a tls cert, 
> since inbound traffic would be http, and I would like to add headers.

Are you trying to configure Squid to convert a received "GET 
http://example.com/" request into a "GET https://example.com" request 
sent from Squid (to the parent proxy)?


> What keeps stopping me is that I also need to support a parent forward 
> proxy, which itself may support http or https inbound.

Does the parent forward proxy accept plain text TCP connections or TLS 
connections? What port does the parent proxy listen on? Can you telnet 
or otherwise probe it to figure out whether it expects TLS? Most proxies 
expect plain text TCP connections, but there are HTTPS proxies that 
expect TLS.


> I've tried the various examples here 
> <https://wiki.squid-cache.org/SquidFaq/ReverseProxy>, but I'm struggling 
> to "flip" the proxy direction - receive the request as a reverse proxy, 
> configure the outbound request appropriately, and then send it on *via* 
> the parent proxy. I'm not sure if cache_peers can be "chained" like 
> this, or if they can't, how I can configure the single cache_peer so 
> that proxied https works correctly.

I have not tested this, but I would expect the reverse/forward "flip" 
itself to work more-or-less automatically -- Squid should do what is 
necessary on its own IIRC. I suspect your problem is elsewhere.

Perhaps you should try to make everything work for plain text HTTP 
traffic first? Outside of a docker?

Please share your http_port and cache_peer configuration and the 
errors/problems they currently cause.


Cheers,

Alex.
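
The reply above asks whether the parent proxy expects plain-text TCP or TLS connections. As an added example (not part of the original message and not Squid project code), this Python probe answers that for a given host and port; the function name `probe_proxy_port` and its return labels are hypothetical.

```python
# Added example: classify a proxy listening port as TLS or plain-text HTTP.
import socket
import ssl


def probe_proxy_port(host, port, timeout=3.0):
    """Return 'tls', 'plain-http', 'unknown' or 'unreachable' for host:port."""
    # Step 1: attempt a TLS handshake. Certificate checks are disabled because
    # the only question is "does this port speak TLS?"; never reuse this
    # context to carry real traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "tls"
            except (ssl.SSLError, OSError):
                pass  # handshake rejected or timed out: try plain text next
    except OSError:
        return "unreachable"

    # Step 2: send a harmless plain-text request on a fresh connection and
    # look for an HTTP status line in the reply.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"OPTIONS * HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = raw.recv(16)
    except OSError:
        return "unknown"
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <proxy-host> <proxy-port>
    print(probe_proxy_port(sys.argv[1], int(sys.argv[2])))
```

A result of `tls` means the peer has to be reached over an encrypted connection, while `plain-http` means an ordinary plain-text `cache_peer` connection is what the parent expects.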

