On 22.03.2012 12:20, Cliff Hill wrote:
> I'm hoping someone can help me here. I'm a bit stumped. I recently
> upgraded my Squid 3.1 to Squid 3.2.0.16, because I am attempting to be
> able to have deny_info with the new URL formatting for my reverse
> proxy configurations so that I can pass whatever someone uses with
> http:// to be transformed automatically into https://.
>
> Anyway, here's the problem I'm having -- after building and deploying
> my squid 3.2 server successfully, I no longer am getting a redirect
> performed at all on my browsers. Without changing the relevant
> components of my squid.conf file from how they worked in 3.1, they
> just aren't working in 3.2 at all.
>
> Here's some details -- squid.conf contains the following:
>
>> http_port 80 accel defaultsite=darkhelm.org
>> ...
>> cache_peer 10.18.75.1 parent 80 0 no-query originserver login=PASS name=xlorep
>> acl sites_xlorep url_regex ^https://xlorep\.darkhelm\.org
>> cache_peer_access xlorep allow sites_xlorep
>> http_access allow sites_xlorep
Equivalent to:
acl HTTPS proto HTTPS
acl xlorep dstdomain xlorep.darkhelm.org
cache_peer_access xlorep allow HTTPS xlorep
http_access allow HTTPS xlorep
>> acl http_xlorep url_regex ^http://xlorep\.darkhelm\.org
>> http_access deny http_xlorep
>> deny_info https://xlorep.darkhelm.org http_xlorep
>> ...
<snip>
NOTE: both of these regex should never have matched in 3.1. defaultsite
explicitly forces the URI to be "http://darkhelm.org/..." unless the
vhost option is enabled. It is disabled by default on 3.1 and older.
3.2 uses HTTP/1.1 where vhost is enabled by default. So the regex ACL
might start operating now as you seem to have intended them to.
>
> I'm running this all on a Debian Squeeze server.
>
> When I telnet to the squid server, and make a get request for
> http://xlorep.darkhelm.org, I get the following:
>
>> root_at_morsh:/etc/squid3# telnet localhost 3128
>> Trying ::1...
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> GET http://xlorep.darkhelm.org
An HTTP "0.9" format request. HTTP validation is not done beyond the
URL parsing.
>> HTTP/1.1 302 Moved Temporarily
>> Server: squid/3.2.0.16
>> Mime-Version: 1.0
>> Date: Wed, 21 Mar 2012 23:14:25 GMT
>> Content-Type: text/html
>> Content-Length: 0
>> Location: https://xlorep.darkhelm.org
>> X-Squid-Error: 403 Access Denied
>> X-Cache: MISS from morsh
>> X-Cache-Lookup: NONE from morsh:80
>> Via: 1.1 morsh (squid/3.2.0.16)
>> Connection: close
>>
>>
>> Connection closed by foreign host.
>
>
> which appears to me to be what I need it to be, a redirect request
> that sends me to the corrected address.
Confirmed. It is working.
>
> However whenever I try to go there with a web browser, it just hangs,
> and never actually gets redirected.
>
> Right now, I just want it to simply redirect http:// to https:// for
> my cache_peers. Can anyone help me?
With the above config...
. The client sends traffic to Squid via port 80. Meaning client<->squid
traffic is plain HTTP.
.. Your access control and deny_info bounces the client to an
"https://" URI.
... The client should then dutifully connect to port 443 (HTTPS).
What happens then? Your displayed config does not show.
Amos
Received on Thu Mar 22 2012 - 00:10:58 MDT
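
The gap the reply ends on can be checked mechanically. The following is an added example, not part of the original thread or of Squid: a small Python lint that reports every `deny_info` redirect to an `https://` URL for which the same squid.conf declares no `https_port` on the target port. The function names are hypothetical and the sample configuration is constructed from the directives quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the directives quoted in the thread, elided lines left out.
SAMPLE_CONF = r"""
http_port 80 accel defaultsite=darkhelm.org
cache_peer 10.18.75.1 parent 80 0 no-query originserver login=PASS name=xlorep
acl sites_xlorep url_regex ^https://xlorep\.darkhelm\.org
cache_peer_access xlorep allow sites_xlorep
http_access allow sites_xlorep
acl http_xlorep url_regex ^http://xlorep\.darkhelm\.org
http_access deny http_xlorep
deny_info https://xlorep.darkhelm.org http_xlorep
"""

def directives(conf):
    """Yield (name, args) for each non-blank, non-comment squid.conf line."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            yield parts[0], parts[1:]

def https_redirects_without_listener(conf):
    """List deny_info https:// redirects whose port has no https_port here."""
    tls_ports, redirects = set(), []
    for name, args in directives(conf):
        if name == "https_port" and args:
            # First argument is "port" or "address:port".
            tls_ports.add(args[0].rsplit(":", 1)[-1])
        elif name == "deny_info" and args:
            # Optional "3xx:" status prefix before the URL (Squid 3.2 syntax).
            m = re.match(r"(?:3\d\d:)?(https://\S+)$", args[0])
            if m:
                redirects.append((m.group(1), args[1:]))
    findings = []
    for url, acls in redirects:
        port = str(urlsplit(url).port or 443)
        if port not in tls_ports:
            findings.append(f"{' '.join(acls)} -> {url}: no https_port on {port}")
    return findings

if __name__ == "__main__":
    for finding in https_redirects_without_listener(SAMPLE_CONF):
        print(finding)
```

A finding means only that this file shows no TLS listener; one may still exist in configuration not shown or on another host in front of Squid.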