[squid-users] Squid as Reverse Proxy with Parent Proxy, http inbound and https outbound

Alex Rousskov rousskov at measurement-factory.com
Fri Aug 12 15:18:32 UTC 2022


On 8/12/22 00:28, Joel Howard wrote:

> Thanks for the quick and detailed response! I inherited this service 
> recently - would you recommend upgrading to 5? My configs are fairly 
> simple, so upgrade should be easy.

I recommend not using v3. I do not have enough information about your 
environment to _recommend_ a specific version to upgrade to. By default, 
you should be upgrading to v5.


> Here's my desired flow - let "reverse" and "parent" represent the IPs of 
> those proxies, and "target" represent the target API hostname.
> 
> Application sends GET (POST, PUT, etc) http://reverse/some/path 

Nitpick: That is not exactly what the application sends if reverse is a 
reverse proxy. The application will send "GET /some/path" (with 
"reverse" in the Host header).


> Reverse adds headers to the request
> Reverse sends the request to https://target/some/path 
> using parent as a forward proxy.

I am not sure, but I suspect you will need a URL rewriter to change the 
URL scheme from "http" to "https".

> I set this up outside of a docker and without trying to force ssl. The 
> config below was my first attempt

Why are there suddenly two cache_peers in your configuration? Can you 
simplify, at least for now, and have just one?

And why are there no [parent] proxies in your configuration? If you want 
Squid to use a parent proxy, then you need a cache_peer option _without_ 
the originserver flag. That flag converts Squid treatment of an HTTP 
agent at the specified cache_peer address from a [forward] proxy [that 
you want] to an origin server.

I would start with the following sketch:

     http_port 80 accel
     cache_peer 10.60.4.178 parent 3128 0 no-query no-digest
     http_access ...

And then, after the above is adjusted and working as expected, add 
request URL rewriting to try to change the URL scheme to https.

HTH,

Alex.


> # Reverse proxy to google.com
> http_port 80 accel vhost defaultsite=www.google.com
> cache_peer google.com parent 80 0 no-query originserver forceddomain=www.google.com name=target
> request_header_add Joel Joel
> 
> # Simplified acl
> http_access allow all
> cache_peer_access target allow all
> 
> # Parent proxy
> cache_peer 10.60.4.178 parent 3128 0 no-query default
> acl all src 0.0.0.0/0.0.0.0
> never_direct allow all
> 
> This was my second attempt, using forceddomain to replace the host 
> header but sending the request directly to the parent proxy. This 
> results in the parent receiving GET /, which it does not understand (it 
> expects GET target/somepath).
> 
> # Reverse proxy directly to forward proxy google.com
> http_port 80 accel vhost defaultsite=www.google.com
> cache_peer 10.60.4.178 parent 3128 0 no-query originserver forceddomain=www.google.com name=parent
> request_header_add Joel Joel
> 
> # Misc
> cache deny all
> shutdown_lifetime 1 seconds
> 
> I suspect this would need a url rewriter to force the url to target - 
> I'm failing to get any of the example rewriters working (maybe due to 
> the old squid version?) so I haven't been able to test that yet. But I 
> suspect it will fail for HTTPS, because the rewritten URL will be sent 
> as GET target/something to the parent proxy, instead of CONNECT 
> target/something - I still think I'm missing something to get my squid 
> to use the forward /as a proxy/ while itself functioning in reverse.
> 
> I'll rewrite these for squid 5 and try to get URL rewriting working. In 
> the meantime, could you let me know if either of these two general 
> approaches is remotely correct and if so, what I can do to get further 
> with them?
> 
> Thanks so much! If you happen to be on StackOverflow, I've asked the 
> question with a bounty there 
> <https://stackoverflow.com/questions/73286678/reverse-proxy-with-http-inbound-https-outbound-and-parent-proxy/73293978?noredirect=1#comment129465312_73293978> 
> as well (although less squid-specific).
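An added example, not part of either poster's message: a helper for the URL-rewriting step suggested above, written against the Squid 3.4+ helper reply format (`OK rewrite-url=...`, `ERR` for no change). The host name `target.example` and the allow-list are assumptions, and the thread does not establish how Squid then forwards the rewritten https URL through the parent.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper: upgrade http:// request URLs to https://."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Assumption: only these hosts are upgraded; "target.example" is a placeholder.
UPGRADE_HOSTS = {"target.example"}


def rewrite(url):
    """Return the https form of url, or None to leave the URL unchanged."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or parts.hostname not in UPGRADE_HOSTS:
        return None
    # Drop an explicit :80 so the https URL falls back to the default port.
    port = parts.port  # raises ValueError on a malformed port
    netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
    new_url = urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))
    # Keep the quoted key=value reply well-formed.
    return new_url.replace("\\", "%5C").replace('"', "%22")


def handle_line(line):
    """Build the helper reply for one request line received from Squid."""
    fields = line.split()
    if not fields:
        return 'BH message="empty request"'
    # With helper concurrency enabled, Squid prefixes a numeric channel ID
    # that must be echoed back at the start of the reply.
    channel = ""
    if fields[0].isdigit() and len(fields) > 1:
        channel, fields = fields[0] + " ", fields[1:]
    try:
        new_url = rewrite(fields[0])
    except ValueError:
        return f'{channel}BH message="unparseable URL"'
    if new_url is None:
        return f"{channel}ERR"  # ERR tells Squid to keep the original URL
    return f'{channel}OK rewrite-url="{new_url}"'


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer


if __name__ == "__main__":
    main()
```

The helper is wired in with the `url_rewrite_program` directive pointing at wherever the script is installed; any host not in the allow-list is passed through untouched.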