[squid-users] Parent proxy chaining
Phillip McCollum
pcmccollum at gmail.com
Tue Nov 27 22:35:21 UTC 2018
Thank you both, Matus and Alex! Changing the name got my HTTP access
working perfectly. I was stuck on HTTPS soon after, but as soon as I
removed "intercept" from the Squid Parent proxy "http_port" line, I got
that working.
You guys rock. Thanks again for that little nudge I needed to figure this
out.
-Phillip
> Message: 2
> Date: Tue, 27 Nov 2018 17:44:54 +0100
> From: Matus UHLAR - fantomas <uhlar at fantomas.sk>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Parent proxy chaining
> Message-ID: <20181127164454.GA20312 at fantomas.sk>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> On 27.11.18 08:33, Phillip McCollum wrote:
> >I have a deployment in AWS in where a VPC has a transparent proxy
> deployed,
> >which forwards 80/443 requests to a parent proxy in another VPC, which I
> >then need to forward to another parent proxy (SaaS provider).
> >
> >Essentially:
> >[[Client PC]] --> [[Squid Proxy (10.52.0.20)]] --> [[Parent Squid Proxy
> >(10.52.0.168)]] --> [[Parent SaaS Proxy]]
> >
> >This is being done to centralize proxy functions and limit the number of
> >public IPs that the parent SaaS needs to whitelist.
> >
> >I'm getting "Access Denied" messages and a review of Squid Parent proxy
> >access.log shows the following common errors:
> >
> >HTTP:
> >2018/11/27 16:22:54 kid1| WARNING: Forwarding loop detected for:
> >GET / HTTP/1.1
> >Accept: text/html, application/xhtml+xml, image/jxr, */*
> >Accept-Language: en-US
> >User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
> like
> >Gecko
> >Accept-Encoding: gzip, deflate
> >Cookie: B=8nra62ldvb83a&b=3&s=ik
> >Via: 1.1 squid (squid/3.5.27)
>
> what are names of your proxies?
> you must set different visible_name or at least unique_name so proxy knows
> it's not contacting itself.
>
> >Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source
> > destination
> > 0 0 REDIRECT tcp -- * * 0.0.0.0/0
> >0.0.0.0/0 tcp dpt:80 redir ports 3129
> > 0 0 REDIRECT tcp -- * * 0.0.0.0/0
> >0.0.0.0/0 tcp dpt:443 redir ports 3130
> > 35 2100 REDIRECT tcp -- * * 0.0.0.0/0
> >0.0.0.0/0 tcp dpt:8443 redir ports 3031
>
> the intercepting (often called transparent) proxy must have direct access
> to
> world or parent proxy. Redirecting it back will create a loop.
>
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20181127/aaed7a36/attachment.html>
More information about the squid-users
mailing list