<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_quote"><div>Thank you both, Matus and Alex! Changing the name got my HTTP access working perfectly. I was stuck on HTTPS soon after, but as soon as I removed "intercept" from the Squid Parent proxy "http_port" line, I got that working.</div><div><br></div><div>You guys rock. Thanks again for that little nudge I needed to figure this out.</div><div><br></div><div>-Phillip</div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Message: 2<br>
Date: Tue, 27 Nov 2018 17:44:54 +0100<br>
From: Matus UHLAR - fantomas <<a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
Subject: Re: [squid-users] Parent proxy chaining<br>
Message-ID: <<a href="mailto:20181127164454.GA20312@fantomas.sk" target="_blank">20181127164454.GA20312@fantomas.sk</a>><br>
Content-Type: text/plain; charset=us-ascii; format=flowed<br>
<br>
On 27.11.18 08:33, Phillip McCollum wrote:<br>
>I have a deployment in AWS where a VPC has a transparent proxy deployed,<br>
>which forwards 80/443 requests to a parent proxy in another VPC, which I<br>
>then need to forward to another parent proxy (SaaS provider).<br>
><br>
>Essentially:<br>
>[[Client PC]] --> [[Squid Proxy (10.52.0.20)]] --> [[Parent Squid Proxy<br>
>(10.52.0.168)]] --> [[Parent SaaS Proxy]]<br>
><br>
>This is being done to centralize proxy functions and limit the number of<br>
>public IPs that the parent SaaS needs to whitelist.<br>
><br>
>I'm getting "Access Denied" messages and a review of Squid Parent proxy<br>
>access.log shows the following common errors:<br>
><br>
>HTTP:<br>
>2018/11/27 16:22:54 kid1| WARNING: Forwarding loop detected for:<br>
>GET / HTTP/1.1<br>
>Accept: text/html, application/xhtml+xml, image/jxr, */*<br>
>Accept-Language: en-US<br>
>User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like<br>
>Gecko<br>
>Accept-Encoding: gzip, deflate<br>
>Cookie: B=8nra62ldvb83a&b=3&s=ik<br>
>Via: 1.1 squid (squid/3.5.27)<br>
<br>
What are the names of your proxies?<br>
You must set a different visible_name or at least unique_name so the proxy knows<br>
it's not contacting itself.<br>
<br>
>Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3129<br>
> 0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 3130<br>
> 35 2100 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443 redir ports 3031<br>
<br>
The intercepting (often called transparent) proxy must have direct access to<br>
the world or the parent proxy. Redirecting it back will create a loop.<br>
<br>
<br>
-- <br>
Matus UHLAR - fantomas, <a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> ; <a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a><br>
Warning: I wish NOT to receive e-mail advertising to this address.<br>
Warning: I do NOT want to receive any advertising mail at this address.<br>
BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease<br><br>
</blockquote></div></div></div></div></div>
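An added example, not part of the original thread or of Squid itself: a small Python check for the two misconfigurations the messages above resolve (both proxies identifying under one hostname, and the child's cache_peer pointing at a parent http_port marked intercept). The squid.conf fragments, the parent port 3128 and the hostnames are constructed assumptions; visible_hostname and unique_hostname are the Squid directive names that set the proxy's identity.

```python
# Constructed sample configs; parent port 3128 and all hostnames are assumptions.
BROKEN_CHILD = """visible_hostname squid
http_port 3129 intercept
cache_peer 10.52.0.168 parent 3128 0 no-query
never_direct allow all"""
BROKEN_PARENT = """visible_hostname squid
http_port 3128 intercept"""
FIXED_CHILD = BROKEN_CHILD.replace("hostname squid", "hostname child-proxy")
FIXED_PARENT = """visible_hostname parent-proxy
http_port 3128"""

def parse(conf):
    """Extract loop-detection name, http_port modes and parent peers from squid.conf text."""
    names, ports, peers = {}, {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()            # drop comments, tokenize
        if len(tok) < 2:
            continue
        if tok[0] in ("visible_hostname", "unique_hostname"):
            names[tok[0]] = tok[1]
        elif tok[0] == "http_port":
            port = int(tok[1].rsplit(":", 1)[-1])      # accepts "3128" or "ip:3128"
            mode = {"intercept", "tproxy"} & set(tok[2:])
            ports[port] = mode.pop() if mode else "forward"
        elif tok[0] == "cache_peer" and len(tok) > 3 and tok[2] == "parent":
            peers.append((tok[1], int(tok[3])))        # (hostname, http-port)
    # unique_hostname exists so loops are detectable when visible_hostname is shared;
    # when it is unset, the visible_hostname is what identifies the proxy.
    return names.get("unique_hostname") or names.get("visible_hostname"), ports, peers

def check_chain(child_conf, parent_conf, parent_addr):
    """Return findings for the two misconfigurations discussed in the thread."""
    c_name, _, c_peers = parse(child_conf)
    p_name, p_ports, _ = parse(parent_conf)
    findings = []
    if c_name is None or p_name is None:
        findings.append("name-unset: a proxy relies on its default hostname; set one explicitly")
    elif c_name == p_name:
        findings.append(f"same-name: both proxies identify as '{c_name}', so the parent "
                        "sees its own name in Via and reports a forwarding loop")
    for host, port in c_peers:
        if host == parent_addr and p_ports.get(port, "forward") != "forward":
            findings.append(f"intercept-peer: child forwards to parent port {port}, "
                            f"which the parent declares as '{p_ports[port]}'")
    return findings

if __name__ == "__main__":
    for label, c, p in (("broken", BROKEN_CHILD, BROKEN_PARENT), ("fixed", FIXED_CHILD, FIXED_PARENT)):
        print(label, check_chain(c, p, "10.52.0.168"))
```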