[squid-users] Proxying webservices: modify URL externally

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 25 11:15:35 UTC 2015


On 25/09/2015 9:27 p.m., Lucas van Braam van Vloten wrote:
> Hello,
> 
> I would like to use Squid to forward requests to webservices.
> I would like to accomplish the following:
> 
> Traffic is initially directed directly to the Squid server at its
> internal address, for example:
>     http://squid.server.local/first/webservice/
> 
> The request to the actual webservice is originated from the Squid
> server, for example:
>    https://internet-webservice.example.com/soap/in/
> 

This is a very bad design. It leads to all sorts of problems with
internal URL leaking out to external clients, context and security
scoping problems, and all the secondary side effects from those.

Proxies like Squid are designed to gateway the full URL between client
and server/service.


> I can configure Squid so that internal requests are connected to the
> external webservice. Client certificate authentication is handled by
> Squid. However, this is based on the FQDN only; everything that comes
> after the FQDN (the second part of the URL) is passed through to the
> external service.

This is one of the security side-effect problems. There is no solution
except to do HTTP properly.

> 
> I would like to modify the second part of the URL, so that an internal
> connection to ".../first/webservice/" is externally connected to
> ".../soap/in/".
> Everything that comes after the second part of the URL should be passed
> through as usual.
> 
> My question is: Can it be done?


Yes, if you are willing to cope with all the brokenness that results.
It is called URL rewriting and is done by a helper and the
url_rewrite_program directive.


But it is far easier to do HTTP properly:
* make the public and private paths identical.
* add a cache_peer with port 443 and SSL options, and the
forcedomain=internet-webservice.example.com option to change the domain
sent.
* ensure the web service only ever uses relative URLs. It must not use
the https:// or FQDN in any of its outputs.

Amos
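A squid.conf fragment for the cache_peer approach Amos recommends, added here as an example and not taken from the thread or from the Squid project; the two hostnames come from the thread, while the Squid 3.5 option names, the peer and ACL names, and the certificate paths are assumptions (placeholders to be replaced):

```squid
# Added example (not from the thread): reverse-proxy the internal name to the
# external SOAP service with identical paths, so no URL rewriting is needed.
# Assumed: Squid 3.5 option names; certificate paths are placeholders.

# Clients reach Squid at http://squid.server.local/... (accelerator mode).
http_port 80 accel defaultsite=squid.server.local

# The external web service as an origin-server peer over TLS.
# sslcert=/sslkey= supply the client certificate Squid presents upstream;
# sslcafile=/ssldomain= verify the upstream server certificate;
# forcedomain= sets the Host header sent upstream, so the internal hostname
# never leaks to the external service. The path is passed through unchanged,
# which is why the public and private paths must be identical.
cache_peer internet-webservice.example.com parent 443 0 \
    no-query originserver name=soapsvc \
    ssl \
    sslcert=/etc/squid/certs/client.pem \
    sslkey=/etc/squid/certs/client.key \
    sslcafile=/etc/squid/certs/upstream-ca.pem \
    ssldomain=internet-webservice.example.com \
    forcedomain=internet-webservice.example.com

# Route only requests addressed to the internal name through this peer, and
# never let Squid fetch them directly (which would bypass the client cert).
acl soap_requests dstdomain squid.server.local
cache_peer_access soapsvc allow soap_requests
cache_peer_access soapsvc deny all
never_direct allow soap_requests

http_access allow soap_requests
http_access deny all
```

With this in place, a request for http://squid.server.local/soap/in/x arrives upstream as https://internet-webservice.example.com/soap/in/x, and any absolute URL the service emits would still point at the external name, which is why Amos insists on relative URLs in its output.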
