[squid-users] Squid as Reverse Proxy with Parent Proxy, http inbound and https outbound
Alex Rousskov
rousskov at measurement-factory.com
Fri Aug 12 15:18:32 UTC 2022
On 8/12/22 00:28, Joel Howard wrote:
> Thanks for the quick and detailed response! I inherited this service
> recently - would you recommend upgrading to 5? My configs are fairly
> simple, so upgrade should be easy.
I recommend not using v3. I do not have enough information about your
environment to _recommend_ a specific version to upgrade to. By default,
you should be upgrading to v5.
> Here's my desired flow - let "reverse" and "parent" represent the IPs of
> those proxies, and "target" represent the target API hostname.
>
> Application sends GET (POST, PUT, etc) http://reverse/some/path
Nitpick: That is not exactly what the application sends if reverse is a
reverse proxy. The application will send "GET /some/path" (with
"reverse" in the Host header).
> Reverse adds headers to the request
> Reverse sends the request to https://target/some/path
> using parent as a forward proxy.
I am not sure, but I suspect you will need a URL rewriter to change the
URL scheme from "http" to "https".
> I set this up outside of a docker and without trying to force ssl. The
> config below was my first attempt
Why are there suddenly two cache_peers in your configuration? Can you
simplify, at least for now, and have just one?
And why are there no [parent] proxies in your configuration? If you want
Squid to use a parent proxy, then you need a cache_peer option _without_
the originserver flag. That flag converts Squid treatment of an HTTP
agent at the specified cache_peer address from a [forward] proxy [that
you want] to an origin server.
I would start with the following sketch:
http_port 80 accel
cache_peer 10.60.4.178 parent 3128 0 no-query no-digest
http_access ...
And then, after the above is adjusted and working as expected, add
request URL rewriting to try to change the URL scheme to https.
HTH,
Alex.
> # Reverse proxy to google.com
> http_port 80 accel vhost defaultsite=www.google.com
> cache_peer google.com parent 80 0 no-query originserver forceddomain=www.google.com name=target
> request_header_add Joel Joel
>
> # Simplified acl
> http_access allow all
> cache_peer_access target allow all
>
> # Parent proxy
> cache_peer 10.60.4.178 parent 3128 0 no-query default
> acl all src 0.0.0.0/0.0.0.0
> never_direct allow all
>
> This was my second attempt, using forceddomain to replace the host
> header but sending the request directly to the parent proxy. This
> results in the parent receiving GET /, which it does not understand (it
> expects GET target/somepath).
>
> # Reverse proxy directly to forward proxy google.com
> http_port 80 accel vhost defaultsite=www.google.com
> cache_peer 10.60.4.178 parent 3128 0 no-query originserver forceddomain=www.google.com name=parent
> request_header_add Joel Joel
>
> # Misc
> cache deny all
> shutdown_lifetime 1 seconds
>
> I suspect this would need a url rewriter to force the url to target -
> I'm failing to get any of the example rewriters working (maybe due to
> the old squid version?) so I haven't been able to test that yet. But I
> suspect it will fail for HTTPS, because the rewritten URL will be sent
> as GET target/something to the parent proxy, instead of CONNECT
> target/something - I still think I'm missing something to get my squid
> to use the forward /as a proxy/ while itself functioning in reverse.
>
> I'll rewrite these for squid 5 and try to get URL rewriting working. In
> the meantime, could you let me know if either of these two general
> approaches is remotely correct and if so, what I can do to get further
> with them?
>
> Thanks so much! If you happen to be on StackOverflow, I've asked the
> question with a bounty there
> <https://stackoverflow.com/questions/73286678/reverse-proxy-with-http-inbound-https-outbound-and-parent-proxy/73293978?noredirect=1#comment129465312_73293978>
> as well (although less squid-specific).
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
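The rewriting step the reply suggests, as an added example that is not from the thread or from the Squid project: a url_rewrite_program helper that changes the scheme from http to https and swaps the accelerated hostname for the real API host, returning ERR (no change) for every other request so nothing else passing through the proxy is touched. Assumed: the Squid 4/5 helper line protocol (optional channel-ID, OK/ERR/BH replies), the hypothetical hostnames reverse.example and target.example, and wiring via `url_rewrite_program /usr/local/bin/scheme_rewrite.py` in squid.conf.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper: http://ACCEL_HOST/... -> https://TARGET_HOST/...
Added example for the thread above; hostnames below are placeholders, not real values."""
import sys
from urllib.parse import urlsplit, urlunsplit

ACCEL_HOST = "reverse.example"   # hypothetical: what clients put in the Host header
TARGET_HOST = "target.example"   # hypothetical: the real HTTPS API hostname


def rewrite(line: str) -> str:
    """Turn one helper request line into one helper reply line.

    Request: [channel-ID] URL client_ip/fqdn ident method [kv-pairs]
    Reply:   [channel-ID] OK rewrite-url=URL   (rewritten)
             [channel-ID] ERR                  (leave the URL unchanged)
             [channel-ID] BH                   (helper could not parse the line)
    """
    fields = line.strip().split()
    if not fields:
        return "BH"                      # malformed input: fail loudly, never guess
    channel = ""
    if fields[0].isdigit():              # url_rewrite_children concurrency=N in use
        channel, fields = fields[0] + " ", fields[1:]
    if not fields:
        return channel + "BH"
    url = urlsplit(fields[0])
    # Only plain-http requests addressed to the accelerated host are rewritten;
    # anything else (other hosts, already-https, CONNECT targets) passes through.
    if url.scheme != "http" or url.hostname != ACCEL_HOST:
        return channel + "ERR"
    new_url = urlunsplit(("https", TARGET_HOST, url.path or "/", url.query, ""))
    return channel + "OK rewrite-url=" + new_url


def main() -> None:
    # Squid keeps the helper running and sends one request line per lookup.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()               # unbuffered replies, or Squid stalls


if __name__ == "__main__":
    main()
```

The helper covers only the rewrite itself; whether the parent then accepts an https:// URL relayed by Squid is the open question in the thread and is unaffected by this script.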