[squid-users] Squid as Reverse Proxy with Parent Proxy, http inbound and https outbound

Joel Howard jhoward at tetrascience.com
Fri Aug 12 21:13:26 UTC 2022


Gotcha - I'll upgrade to 5 shortly, but I don't think that's affecting my
confusion.

Thanks for your nitpick, I think it's actually part of the key. I followed
your suggestion, trying the parent cache_peer just on http, with the
following squid.conf.

http_port 80 accel
cache_peer 10.60.4.178 parent 3128 0 no-query no-digest name=forward
request_header_add Joel Joel

# Simplified acl
http_access allow all
cache_peer_access forward allow all

# Misc
shutdown_lifetime 1 seconds
debug_options ALL,6

I upped the log level and followed how squid transformed the request, and
saw it change

GET / to
GET its-own-hostname/

based on the Host header on the incoming request, as you pointed out.

The first problem is, the parent proxy doesn't know how to resolve that
host - it rejects the request with "Invalid URL". I need the reverse proxy
to rewrite both the host header and url to their correct target values for
the parent proxy.

I tested this via telnet to the parent proxy (since I'm still struggling to
get squid url rewriting working, will try that more later). When I sent

GET http://target-hostname/ HTTP/1.1
User-Agent: curl/7.68.0
Accept: */*
Host: target-hostname
Via: 1.1 ip-10-60-4-103 (squid/3.5.27)
Surrogate-Capability: ip-10-60-4-103="Surrogate/1.0 ESI/1.0"
X-Forwarded-For: 10.40.0.194
Cache-Control: max-age=259200
Connection: keep-alive
Joel: Joel

it works, but if I try https I get "Unsupported Request Method and
Protocol" (it so happens that the parent proxy is also a squid in this
case). I think this is expected, as the request above (https from proxy to
proxy, on behalf of http client) should have been a CONNECT followed by the
GET once the tunnel was established.

So: is squid capable of receiving the GET / to itself, sending a CONNECT
/target-hostname to the parent proxy, negotiating that connection and then
returning the result to the client? Obviously when it's functioning as a
forward proxy it can *receive* CONNECTs and handle them, but this is the
"flip" I'm still struggling with.

Thanks so much for your time, I'm learning this as I go and you've been
very helpful.

-- 

*Joel Howard*
Software Technical Lead
jhoward at tetrascience.com | (330) 209-5779
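
Added example, not part of the original message and not Squid's code: a Python sketch of the two message sequences discussed above, taking the origin-form GET an accelerator port receives and producing what has to reach a parent proxy for an http target (one absolute-form request) and for an https target (CONNECT, then the request inside the tunnel). The function names, the /status?x=1 path and the sample request are constructed for illustration; the target comes from configuration rather than from the client's Host header.

```python
from urllib.parse import urlsplit

# Hop-by-hop headers are not forwarded to the next hop (RFC 9110, 7.6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te",
              "trailer", "transfer-encoding", "upgrade"}
DEFAULT_PORT = {"http": 80, "https": 443}

def parse_head(raw: bytes):
    """Split a request head into (method, target, version, [(name, value)])."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = [(n.strip(), v.strip())
               for n, _, v in (ln.partition(":") for ln in lines[1:] if ln)]
    return method, target, version, headers

def build(request_line: str, headers) -> bytes:
    head = [request_line] + [f"{n}: {v}" for n, v in headers]
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1")

def plan_for_parent(raw: bytes, origin: str):
    """Return [(where, bytes)]: messages for the parent proxy, in order."""
    # origin is configured; the client's Host header never picks the target.
    method, target, version, headers = parse_head(raw)
    if not target.startswith("/"):
        raise ValueError("accelerator port expects origin-form, got " + target)
    url = urlsplit(origin)
    if url.scheme not in DEFAULT_PORT or not url.hostname:
        raise ValueError("origin must be http:// or https:// with a host")
    port = url.port or DEFAULT_PORT[url.scheme]
    authority = f"{url.hostname}:{port}"
    host = url.hostname if port == DEFAULT_PORT[url.scheme] else authority
    kept = [("Host", host)] + [(n, v) for n, v in headers
                               if n.lower() not in HOP_BY_HOP | {"host"}]
    if url.scheme == "http":
        # Plain HTTP: a single request in absolute-form, as in the telnet test.
        line = f"{method} http://{host}{target} {version}"
        return [("to-proxy", build(line, kept))]
    # HTTPS: CONNECT (authority-form) first, then origin-form inside TLS.
    connect = build(f"CONNECT {authority} HTTP/1.1", [("Host", authority)])
    return [("to-proxy", connect),
            ("inside-tls-tunnel", build(f"{method} {target} {version}", kept))]

# Constructed sample: the request as it arrives on the accelerator port.
INBOUND = (b"GET /status?x=1 HTTP/1.1\r\nHost: its-own-hostname\r\n"
           b"User-Agent: curl/7.68.0\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for origin in ("http://target-hostname", "https://target-hostname"):
        for where, msg in plan_for_parent(INBOUND, origin):
            print(f"--- {where}\n{msg.decode('latin-1')}", end="")
```

The second https message is only sent after the parent answers the CONNECT with a 2xx status and a TLS handshake with the target completes over that tunnel; the parent proxy never sees it in clear text.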
