Re: [squid-users] Reverse proxy with Domino Web Server

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 26 Oct 2001 09:34:22 +0200

ng.angie@i-stt.com wrote:

> The problem I faced is that, the client browser url changed from
> <rproxy.domain.com> to <webserver.domain.com> after the domino session
> authentication (4).

Exactly, which you best solve by making your domino server think it is
named rproxy.domain.com (or whatever you want your clients to request),
not webserver.domain.com.

This can be done in more ways than one:

a) The server can be configured to use that name

b) The reverse proxy can be configured to not change the name of the
requested URL, relying on the server to assume the name requested.

> ==> (0) 'HTTP/1.0 302 Moved Temporarily\r\nServer:
> Lotus-Domino/5.0.8\r\nDate: Wed, 25 Oct 2001 06:09:11 GMT\r\nLocation:
> http://<webserver.domain.com>/WebMailRedirect.nsf?Open\r\nContent-Type:
> text/html\r\nSet-Cookie: DomAuthSessId=1A3343F74667DF3D4DAB31438A63BAFC;
> path=/\r\nX-Cache: MISS from <rproxy.domain.com>\r\nConnection:
> close\r\n\r\n' <==

Now, if this is your only problem with the webserver returning its own
name rather than rproxy.domain.com then you could use the rproxy branch
<http://devel.squid-cache.org/rproxy/> where you have a redirector like
interface for rewriting Location headers.

> When we tested with another domino authentication method (normal domino
> authentication, which is not that secure), there is no HTTP 302 response,
> and the client url did not change after the normal domino authentication.

Normal HTTP authentication I presume.

The redirection above is most likely not the only place where the server
name is used. It is quite often used to construct links within the site
as well.

> http_port 80
> https_port 443 cert=/usr/local/ssl/certs/sslcert.crt
> key=/usr/local/ssl/keys/ssl.key
> redirect_rewrites_host_header off
> acl server dst webserver.domain.com
> http_access allow server
> httpd_accel_host webserver.domain.com
> httpd_accel_single_host on
> httpd_accel_with_proxy on
> forwarded_for off

The httpd_accel_host directive may be a culprit here. It changes the URL
to be http://webserver.domain.com/...

A better approach is to add the serviced host name (the one your clients
are to request) to DNS with the IP of your reverse proxy, and to
/etc/hosts with the IP of the real server. Then set httpd_accel_host to
this name.

> Also, would like to seek for understanding on the options -
> "header_replace". Can it be used as some work around to the issue? and
> how?

Not really. It is mostly about anonymization.

> [This e-mail is confidential and may also be privileged. If you are not the
> intended recipient, please delete it and notify us immediately; you should
> not copy or use it for any purpose, nor disclose its contents to any other
> person. Thank you.]

Sorry, but this disclaimer is worthless as you have posted the message
in public, and by subscribing to the mailinglist consented to having it
archived on the Internet.

Regards
Henrik Nordström
Squid Hacker
Received on Fri Oct 26 2001 - 01:46:39 MDT
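
Added example, not part of the original message and not Squid or rproxy-branch code: a stand-alone Python check that reports every place a backend response exposes the internal server name (headers and links in the body), plus a Location rewrite that only fires on an exact host match. The function names and the sample response are constructed, modelled on the 302 quoted in the thread.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, modelled on the 302 response quoted in the thread.
SAMPLE = (b"HTTP/1.0 302 Moved Temporarily\r\n"
          b"Server: Lotus-Domino/5.0.8\r\n"
          b"Location: http://webserver.domain.com/WebMailRedirect.nsf?Open\r\n"
          b"Content-Type: text/html\r\n"
          b"Set-Cookie: DomAuthSessId=CONSTRUCTED; path=/\r\n"
          b"\r\n"
          b'<a href="http://webserver.domain.com/mail/inbox.nsf">Inbox</a>')

LINK_ATTR = re.compile(r"""(?:href|src|action)=["']([^"']+)""", re.I)


def find_backend_leaks(raw, backend):
    """Return (where, value) pairs for each exposure of the backend name."""
    head, _, body = raw.partition(b"\r\n\r\n")
    leaks = []
    # Skip the status line, then check every header value.
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if backend.lower() in value.lower():
            leaks.append((name.strip().lower(), value.strip()))
    # Absolute links in the body that point at the backend host.
    for match in LINK_ATTR.finditer(body.decode("latin-1")):
        if urlsplit(match.group(1)).hostname == backend.lower():
            leaks.append(("body-link", match.group(1)))
    return leaks


def rewrite_location(value, backend, public):
    """Swap the backend host for the public one; leave any other URL alone."""
    parts = urlsplit(value)
    if parts.hostname != backend.lower():
        return value  # relative URL, other site, or look-alike host
    netloc = public if parts.port is None else f"{public}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    for where, value in find_backend_leaks(SAMPLE, "webserver.domain.com"):
        print(where, "->", value)
```
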
