[squid-users] Squid as Reverse Proxy with Parent Proxy, http inbound and https outbound

Joel Howard jhoward at tetrascience.com
Fri Aug 12 04:28:07 UTC 2022


Hey Alex,

Thanks for the quick and detailed response! I inherited this service
recently - would you recommend upgrading to 5? My configs are fairly
simple, so upgrade should be easy.

Here's my desired flow - let "reverse" and "parent" represent the IPs of
those proxies, and "target" represent the target API hostname.

Application sends GET (POST, PUT, etc) http://reverse/some/path
(Note: Application doesn't know target, and couldn't reach it if it did.)

Reverse adds headers to the request
Reverse sends the request to https://target/some/path, using parent as a
forward proxy.

The parent proxy in my test case accepts TCP, although if possible I would
like to support parent TLS proxies as well - this reverse proxy is deployed
in different environments where the parent proxy may differ.

I set this up outside of a docker and without trying to force ssl. The
config below was my first attempt - it works *if* the reverse proxy has
direct internet access, but just hangs otherwise; my understanding is that
requests that use the first cache_peer do not use the second to proxy.

# Reverse proxy to google.com
http_port 80 accel vhost defaultsite=www.google.com
cache_peer google.com parent 80 0 no-query originserver forceddomain=www.google.com name=target
request_header_add Joel Joel

# Simplified acl
http_access allow all
cache_peer_access target allow all

# Parent proxy
cache_peer 10.60.4.178 parent 3128 0 no-query default
acl all src 0.0.0.0/0.0.0.0
never_direct allow all

This was my second attempt, using forceddomain to replace the host header
but sending the request directly to the parent proxy. This results in the
parent receiving GET /, which it does not understand (it expects GET
target/somepath).

# Reverse proxy directly to forward proxy google.com
http_port 80 accel vhost defaultsite=www.google.com
cache_peer 10.60.4.178 parent 3128 0 no-query originserver forceddomain=www.google.com name=parent
request_header_add Joel Joel

# Misc
cache deny all
shutdown_lifetime 1 seconds

I suspect this would need a url rewriter to force the url to target - I'm
failing to get any of the example rewriters working (maybe due to the old
squid version?) so I haven't been able to test that yet. But I suspect it
will fail for HTTPS, because the rewritten URL will be sent as GET
target/something to the parent proxy, instead of CONNECT target/something -
I still think I'm missing something to get my squid to use the forward *as
a proxy* while itself functioning in reverse.

I'll rewrite these for squid 5 and try to get URL rewriting working. In the
meantime, could you let me know if either of these two general approaches
is remotely correct and if so, what I can do to get further with them?

Thanks so much! If you happen to be on StackOverflow, I've asked the
question with a bounty there
<https://stackoverflow.com/questions/73286678/reverse-proxy-with-http-inbound-https-outbound-and-parent-proxy/73293978?noredirect=1#comment129465312_73293978>
as well (although less squid-specific).
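
Added example, not part of the original message and not Squid code: a Python illustration of the request-target forms in RFC 7230 section 5.3, showing why a forward proxy cannot route the origin-form `GET /` that an `originserver` peer is sent, and which request line a parent needs for an http or https target. The hostname `target`, the paths and the helper names are constructed for illustration.

```python
# Added example: RFC 7230 section 5.3 request-target forms and what a
# forward proxy can route. Hostnames and paths are constructed samples.
from urllib.parse import urlsplit


def target_form(method, target):
    """Classify the request-target of an HTTP/1.1 request line."""
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if "://" in target:
        return "absolute-form"
    if method == "CONNECT" and ":" in target:
        return "authority-form"
    return "invalid"


def forward_proxy_can_route(request_line):
    """True when the request line itself names the destination for a proxy."""
    method, target, _version = request_line.split(" ", 2)
    form = target_form(method, target)
    if method == "CONNECT":
        return form == "authority-form"
    return form == "absolute-form"


def lines_parent_must_see(url):
    """Request line a forward proxy needs in order to reach `url` (GET assumed)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.scheme == "https":
        port = parts.port or 443
        # The tunnel is opened first; the GET then travels inside TLS,
        # in origin-form, and the proxy never sees it.
        return [f"CONNECT {parts.hostname}:{port} HTTP/1.1"]
    return [f"GET {parts.scheme}://{parts.netloc}{path} HTTP/1.1"]


if __name__ == "__main__":
    # Constructed samples: what an originserver peer is sent vs. a proxy peer.
    for line in ["GET /some/path HTTP/1.1",
                 "GET http://target/some/path HTTP/1.1",
                 "CONNECT target:443 HTTP/1.1"]:
        print(f"{line!r:45} routable by forward proxy: {forward_proxy_can_route(line)}")
    print(lines_parent_must_see("https://target/some/path"))
```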