Re: [squid-users] squid config help required

From: Colin Coe <colin.coe_at_gmail.com>
Date: Fri, 29 Apr 2011 15:25:51 +0800

Hi Amos, many thanks for the prompt and detailed reply.

I have made the suggested changes with some improvements.

I should have advised of the version I'm using. This is a RHEL 6 box
with v3.1.4 and I'd prefer to stick with RH if at all possible.

All nodes use static IP addresses and I control the DNS (and rDNS) for
this domain. Every node with an A record has a corresponding PTR
record.

When I browse to rhevm.test.company.com (the reverse proxy URL), I end
up being redirected to the HTTPS site, not the HTTP site. I note that
the URL has changed from rhevm.test.company.com to
virtman.test.company.com (the real FQDN). Any ideas on how I'd stop
this changing?

The node virtman.test.company.com runs two sites, one HTTP and one
HTTPS. The HTTPS site is where you are taken if you don't specify an
http:// at the beginning.

The squid.conf now looks like:

---
http_port 3128
cache_dir ufs /var/spool/squid 6444 16 256
access_log /var/log/squid/access.log
################################################################################
# Reverse proxy settings
#https_port rhevm.dev.company.com:443 accel defaultsite=virtman.dev.company.com vhost
http_port  rhevm.dev.company.com:80  accel defaultsite=virtman.dev.company.com vhost
# RHEV Manager
cache_peer 10.1.102.34 parent 80 0 no-query originserver name=rhevman
#cache_peer 10.1.102.34 parent 443 0 no-query originserver ssl name=rhevuser
acl acl_rhevm dstdomain virtman.dev.company.com
acl acl_srcrhevm src    10.1.102.34
http_access allow acl_rhevm !acl_srcrhevm
cache_peer_access rhevman  allow acl_rhevm
cache_peer_access rhevman  deny  all
################################################################################
# Local traffic, is y'know, local
acl acl_whitelist dstdomain    .dev.company.com
acl acl_virthost  dst          10.1.102.8/29
acl http          proto        http
acl vdsm          port         54321
acl port_80       port         80
acl port_443      port         443
acl CONNECT       method       CONNECT
acl SSL_ports     port 443
acl Safe_ports    port 80          # http
acl Safe_ports    port 21          # ftp
acl Safe_ports    port 443         # https
acl Safe_ports    port 70          # gopher
acl Safe_ports    port 210         # wais
acl Safe_ports    port 1025-65535  # unregistered ports
acl Safe_ports    port 280         # http-mgmt
acl Safe_ports    port 488         # gss-http
acl Safe_ports    port 591         # filemaker
acl Safe_ports    port 777         # multiling http
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_Ports
http_access allow vdsm    acl_virthost
http_access allow http    port_80      acl_whitelist
http_access allow CONNECT port_443     acl_whitelist
################################################################################
# Only the WSUS box can go to the windows update site
acl acl_wsus srcdomain wsus.dev.company.com
acl acl_windowsupdate dstdomain .windowsupdate.com
http_access deny !acl_wsus acl_windowsupdate
################################################################################
# Normal proxy settings
acl acl_intranet src 10.1.102.0/24
http_access allow acl_intranet
################################################################################
# Catch all
http_access deny all
cache_peer proxy.company.com parent 8200 7 no-query
# Never go direct to the internet (use the BlueCoat)
never_direct allow all
---
Thanks again
CC
On Fri, Apr 29, 2011 at 2:33 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 29/04/11 17:22, Colin Coe wrote:
>>
>> Hi all
>>
>> I'm having trouble getting squid to do what I need.
>>
>> I'm in a test network within a corporate environment.
>>
>> What I want is this:
>> 1) squid needs to use the corporate proxy for Internet stuff
>> 2) squid should cache
>> 3) squid should reverse proxy several servers (but for now only one
>> actually exists) both http and https
>> 4) anything destined for 10.1.102.0/24 needs to not be sent to the
>> corporate proxy.
>> 5) only the WSUS server is allowed to talk to *.windowsupdate.com
>>
>> What I get is:
>> 1) Reverse proxying seems to work except that any attempts to browse a
>> remote site (ie www.microsoft.com) on the host being proxied results
>> in being redirected to itself.
>> 2) Normal proxying seems to work (note the exception above)
>>
>> My config file is
>> ---
>> # Should be obvious
>> http_port 3128
>> cache_dir ufs /var/spool/squid 6444 16 256
>> cache_access_log /var/log/squid/access.log
>
> NP: the directive is now just called "access_log"
>
>>
>>
>> ################################################################################
>> # Local traffic, is y'know, local
>>
>> acl acl_whitelist dstdomain    .dev.company.com
>> acl acl_virthost  dst          10.1.102.8/29
>> acl http          proto        http
>> acl vdsm          port         54321
>> acl port_80       port         80
>> acl port_443      port         443
>> acl CONNECT       method       CONNECT
>>
>> http_access allow vdsm    acl_virthost
>> http_access allow http    port_80      acl_whitelist
>> http_access allow CONNECT port_443     acl_whitelist
>
> You are missing the default security blanket rules...
>  http_access deny !Safe_ports
>  http_access deny CONNECT !SSL_Ports
>
> These prevent internal clients or external attacks from getting malicious
> HTTP requests past your local config settings (for example the generic
> "allow acl_intranet").
>  "malicious" requests are not always intentional; the internal client ones
> commonly come from things as simple as embedded URLs in web adverts.
>
>>
>>
>> ################################################################################
>> # Reverse proxy settings
>
> NP: this reverse-proxy section should be above the local traffic section.
> The http_access rules here must be first in the entire list of http_access.
>
>>
>> #https_port rhevm.dev.company.com:443 accel defaultsite=https://virtman.dev.company.com vhost
>> http_port  rhevm.dev.company.com:80  accel defaultsite=http://virtman.dev.company.com vhost
>
> defaultsite= is the FQDN, not a full URL. The http:// part is assumed from
> the "http_" directive name.
>  There is an additional protocol= option if the scheme needs to be something
> weird (very, very rarely needed).
>
>>
>> # RHEV Manager
>> cache_peer 10.1.102.34 parent 80 0 no-query originserver name=rhevman
>> #cache_peer 10.1.102.34 parent 443 0 no-query originserver ssl name=rhevuser
>>
>> acl acl_rhevm dstdomain virtman.dev.company.com
>> acl acl_srcrhevm srcdomain virtman.dev.company.com
>> http_access allow acl_rhevm !acl_srcrhevm
>
> The server itself asking the proxy for its own domain things?
>
> This should not matter. You want to avoid DNS lag anyway:
>  acl acl_srcrhevm src 10.1.102.34
>
> With a cache_peer IP like that, Squid does not use DNS to connect to the
> internal peer so the internal DNS view can be set to the internal server IP
> if you want to avoid the internal traffic going via Squid IP.
>
>>
>> cache_peer_access rhevman  allow acl_rhevm
>> cache_peer_access rhevman  deny  all
>> always_direct allow acl_rhevm
>
> Remove the always_direct. It prevents the cache_peer being used and is
> likely the cause of your problem.
>
>
> NOTE: I see you have commented out some HTTPS reverse-proxy bits.
>  You will be interested in squid-3.1.12 with fixes for HTTPS to internal
> reverse-proxy peers.
>
>>
>>
>> ################################################################################
>> # Only the WSUS box can go to the windows update site
>> acl acl_windowsupdate dstdomain .windowsupdate.com
>> acl acl_wsus srcdomain wsus.dev.company.com
>> http_access deny !acl_wsus acl_windowsupdate
>
> Your use of srcdomain requires rDNS systems to be working. Is the WSUS on a
> dynamic IP?
>  Either use the WSUS IP in a "src" ACL or switch the order of those two ACL
> names on that line for faster overall processing.
>
>  If you retain the srcdomain, ensure that the rDNS results have long TTL. It
> is delaying one client request every rDNS TTL cycle.
>
> Also, there are a number of other WU domains you may want to add to that
> list:
>  http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>
>>
>>
>> ################################################################################
>> # Normal proxy settings
>> acl acl_intranet src 10.1.102.0/24
>> http_access allow acl_intranet
>>
>>
>> ################################################################################
>> # Catch all
>> http_access deny all
>>
>> cache_peer proxy.company.com parent 8200 7 no-query
>> # Never go direct to the internet (use the BlueCoat)
>> never_direct allow all
>
> These two sections look fine.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
-- 
RHCE#805007969328369
Received on Fri Apr 29 2011 - 07:25:57 MDT
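The ordering and ACL points in Amos's reply (the Safe_ports/SSL_ports "security blanket" denies before any generic allow, the reverse-proxy http_access rules at the head of the list, defaultsite= as a bare hostname, src instead of srcdomain, and no always_direct on a domain that cache_peer_access routes to an originserver peer) can be checked mechanically. What follows is an added example, not code from the thread or from the Squid project: a small Python linter run over two constructed configs, one modelled on the first squid.conf posted (with the e-mail line wrapping undone so each directive is one line) and one laid out as the reply recommends. The check names, severity levels and sample line numbers are mine; that Squid resolves ACL names case-insensitively is treated as an assumption here and only produces a warning for the SSL_ports/SSL_Ports mismatch.

```python
"""Lint a squid.conf for the http_access ordering and ACL problems raised in this thread."""

# Constructed sample modelled on the first config in the thread (wrapped lines rejoined).
BROKEN_CONF = """\
acl acl_whitelist dstdomain .dev.company.com
acl port_80 port 80
acl CONNECT method CONNECT
http_access allow port_80 acl_whitelist
http_port rhevm.dev.company.com:80 accel defaultsite=http://virtman.dev.company.com vhost
cache_peer 10.1.102.34 parent 80 0 no-query originserver name=rhevman
acl acl_rhevm dstdomain virtman.dev.company.com
acl acl_srcrhevm srcdomain virtman.dev.company.com
http_access allow acl_rhevm !acl_srcrhevm
cache_peer_access rhevman allow acl_rhevm
always_direct allow acl_rhevm
acl SSL_ports port 443
acl Safe_ports port 80
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
acl acl_intranet src 10.1.102.0/24
http_access allow acl_intranet
http_access deny all
"""

# The same site laid out the way the reply recommends (also constructed).
FIXED_CONF = """\
acl acl_rhevm dstdomain virtman.dev.company.com
acl acl_srcrhevm src 10.1.102.34
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl acl_intranet src 10.1.102.0/24
http_port rhevm.dev.company.com:80 accel defaultsite=virtman.dev.company.com vhost
cache_peer 10.1.102.34 parent 80 0 no-query originserver name=rhevman
http_access allow acl_rhevm !acl_srcrhevm
cache_peer_access rhevman allow acl_rhevm
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow acl_intranet
http_access deny all
"""


def parse(text):
    """Return [(lineno, directive, args)]; comments and blank lines are dropped."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            tok = line.split()
            out.append((n, tok[0], tok[1:]))
    return out


def lint(text):
    """Return [(lineno, level, message)] in file order."""
    ents = parse(text)
    acls, peer_acls = {}, set()                 # name.lower() -> (name, type); ACLs that pick a peer
    for n, d, a in ents:                        # pass 1: definitions
        if d == "acl" and len(a) >= 2:
            acls.setdefault(a[0].lower(), (a[0], a[1]))
        elif d == "cache_peer_access" and len(a) >= 3 and a[1] == "allow":
            peer_acls.update(x.lstrip("!").lower() for x in a[2:])
    found, first_other, blanket = [], None, set()
    for n, d, a in ents:                        # pass 2: rules
        names = a[2:] if d == "cache_peer_access" else a[1:]
        if d in ("http_access", "always_direct", "cache_peer_access"):
            for name in (x.lstrip("!") for x in names):
                key = name.lower()
                if key == "all":                # built-in ACL in Squid 3.x
                    continue
                if key not in acls:
                    found.append((n, "error", f"ACL {name} is not defined"))
                    continue
                if acls[key][0] != name:        # assumed case-insensitive lookup; still hides typos
                    found.append((n, "warn", f"ACL {name} is defined as {acls[key][0]}"))
                if acls[key][1] == "srcdomain":
                    found.append((n, "warn", f"{name} is srcdomain: needs working rDNS, prefer src"))
        keys = [x.lstrip("!").lower() for x in names]
        if d == "http_access" and a:
            if a[0] == "deny" and keys in (["safe_ports"], ["connect", "ssl_ports"]) and a[-1][0] == "!":
                blanket.add(keys[-1])           # one of the two security-blanket denies
            elif peer_acls & set(keys):         # reverse-proxy rule: must lead the whole list
                if first_other:
                    found.append((n, "error", f"reverse-proxy rule after generic rule at line {first_other}"))
            else:
                first_other = first_other or n
                if a[0] == "allow" and len(blanket) < 2:
                    found.append((n, "error", "allow before deny !Safe_ports / deny CONNECT !SSL_ports"))
        elif d == "always_direct" and a and a[0] == "allow" and peer_acls & set(keys):
            found.append((n, "error", "always_direct bypasses the originserver cache_peer for this ACL"))
        elif d.endswith("_port") and "accel" in a:
            for tok in a:
                if tok.startswith("defaultsite=") and "://" in tok:
                    found.append((n, "error", "defaultsite= takes a hostname, not a URL"))
    return found
```

Run `lint(BROKEN_CONF)` and it reports the generic allow on line 4 placed before the blanket denies, the URL in defaultsite= on line 5, the srcdomain ACL and the misplaced reverse-proxy rule on line 9, the always_direct on line 11, and the SSL_Ports spelling on line 15; `lint(FIXED_CONF)` returns nothing. The linter reads only the directives it knows about, so it says nothing about cache_dir, never_direct or the upstream cache_peer, and it cannot tell whether the rDNS a srcdomain ACL depends on actually works.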