Re: [squid-users] Squid 3.1 and https ssl aes256 issue

2012-06-04 Thread Amos Jeffries

On 03.06.2012 22:23, alextouch wrote:

Hi

this is my first post... last month I installed a linux ubuntu server 12.04
LTS machine with Squid3 in my organization. This machine works as a proxy
(not transparent proxy) for the web access from clients.
Proxy is connected to a gateway for internet connection.
Clients are configured so that all web (http, https, ftp, socks) traffic goes
through the squid proxy.
All works fine, clients are able to access all types of internet traffic,
including https sites encrypted with aes128 (like gmail, or
https://www1.directatrading.com/).
But no client is able to access sites encrypted with aes256 (like
https://www.unicredit.it/)... the browser locks with "Connecting to
https://www..." and nothing else is displayed on the browser itself.
I searched the net but I wasn't able to find a thread about this issue.
squid.conf is the original one, I added only support for delay-pools and
acls to deny some clients access to certain sites. But even with these
options disabled, the problem is still present.

Does anyone have any idea?


In the standard setup like this Squid has nothing to do with the SSL or 
TLS operations. The browser simply opens a CONNECT tunnel through Squid. 
The encryption details are negotiated directly between the browser and 
origin server.


It is most likely that your clients' browsers or SSL libraries are 
missing AES-256 support or are getting stuck negotiating to use a 
version of TLS/SSL which supports it.


Amos
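Since the proxy only carries the CONNECT tunnel, the check belongs on the client side. The following is an added example (not from the thread) that asks the local OpenSSL build, via Python's ssl module, which AES-256 suites a client context can offer and at which protocol version; it assumes the client's TLS stack is the one Python links against.

```python
import ssl

def aes256_by_protocol(ciphers):
    """Group AES-256 suites by the protocol version they need.

    `ciphers` is a list of dicts as returned by SSLContext.get_ciphers()
    (only the 'name' and 'protocol' keys are used). Pure function, no I/O."""
    found = {}
    for c in ciphers:
        name = c["name"]
        if "AES256" in name or "AES_256" in name:
            found.setdefault(c["protocol"], []).append(name)
    return found

def local_library_aes256():
    """Which AES-256 suites would a default client context on this machine
    offer? An empty dict means a client built on this library cannot
    negotiate AES-256 at all, whatever the proxy does."""
    ctx = ssl.create_default_context()
    return aes256_by_protocol(ctx.get_ciphers())

def can_restrict_to_aes256():
    """set_ciphers() raises ssl.SSLError when nothing matches the spec; that
    is the same condition as an AES-256-only origin being unreachable from
    this library (TLS 1.2 and older suites only, by OpenSSL's design)."""
    ctx = ssl.create_default_context()
    try:
        ctx.set_ciphers("AES256")
        return True
    except ssl.SSLError:
        return False

if __name__ == "__main__":
    for proto, names in sorted(local_library_aes256().items()):
        print(proto, ", ".join(names))
    print("AES-256-only negotiation possible:", can_restrict_to_aes256())
```

Run it on an affected client: if AES-256 suites appear only under a protocol version the browser is configured not to use, that matches the "stuck negotiating a version" case above.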


Re: [squid-users] Reverse-proxy for site on Google AppEngine

2012-06-04 Thread Amos Jeffries

On 05.06.2012 06:22, Will wrote:

Thanks for the reply, Amos.

I tried forceddomain=mysite.appspot.com, I got the same behavior.

Perhaps I'm not clear on the problem.

Because in China one cannot directly access a site on Google
AppEngine, I setup an Apache reverse proxy server to my site on GAE,
and it works very well. Now I'm thinking migrating to Squid from
Apache because Squid provides rich caching.

With Eliezer's help, I managed to have the basic reverse-proxy going,
now when people visit 'my.public.domain.com', they get the content of
'mysite.appspot.com' which is on Google AppEngine. However, it only
works for static pages. As soon as you hit a page that requires login,
the browser's address bar shows 'mysite.appspot.com/login' and from
that point on, all traffic goes to 'mysite.appspot.com' directly.


This is where having the proxy doing auth and passing the credentials 
to the peer comes in. The peer never gets to the point of needing to 
send those redirects.


Internally, when one visits a page that requires login, the code redirects
to the login page if one hasn't logged in. All paths are relative, and
it works for the Apache reverse-proxy server.


The Location: header of a redirect does not permit relative paths. So 
the peer should be emitting absolute-URLs based on the domain name it 
thinks the client is visiting (which is "mysite.appspot.com").


Amos



Re: [squid-users] Reverse-proxy for site on Google AppEngine

2012-06-04 Thread Will
Thanks for the reply, Amos.

I tried forceddomain=mysite.appspot.com, I got the same behavior.

Perhaps I'm not clear on the problem.

Because in China one cannot directly access a site on Google
AppEngine, I setup an Apache reverse proxy server to my site on GAE,
and it works very well. Now I'm thinking migrating to Squid from
Apache because Squid provides rich caching.

With Eliezer's help, I managed to have the basic reverse-proxy going,
now when people visit 'my.public.domain.com', they get the content of
'mysite.appspot.com' which is on Google AppEngine. However, it only
works for static pages. As soon as you hit a page that requires login,
the browser's address bar shows 'mysite.appspot.com/login' and from
that point on, all traffic goes to 'mysite.appspot.com' directly.

Internally, when one visits a page that requires login, the code redirects
to the login page if one hasn't logged in. All paths are relative, and
it works for the Apache reverse-proxy server.

Any thoughts? Thanks,

I'm using squid 3.1. My squid.conf looks like this,

http_port 80 accel defaultsite=mysite.appspot.com ignore-cc
cache_peer mysite.appspot.com parent 80 0 no-query originserver
forceddomain=mysite.appspot.com login=PASS name=gaeAccel
acl gae dstdomain my.public.domain.name mysite.appspot.com
http_access allow gae
http_access deny all
cache_peer_access gaeAccel allow gae
cache_peer_access gaeAccel deny all

On Fri, Jun 1, 2012 at 7:32 PM, Amos Jeffries  wrote:
> On 2/06/2012 9:50 a.m., Will wrote:
>>
>> Hi Eliezer,
>>
>> Thanks for the excellent explanation.
>>
>> I changed the conf as you suggested, now for all static pages it works
>> great, the address bar shows my.public.domain.com/page1. However, for
>> any pages requiring login, it redirects to 'mysite.appspot.com', the
>> address bar shows mysite.appspot.com/pagelogin, instead of
>> my.public.domain.com/pagelogin which is what I want.
>
>
> The slightly better way is to use "forceddomain=mysite.appspot.com" on the
> cache_peer line. This will force the domain to be that label only when
> passed to the specific peer. Inside Squid you can still handle the public
> name and route pieces of the site around to other servers under the public
> name as needed.
>
>
>
>>
>> One main reason I want to use Squid as a reverse proxy is sites on
>> Google AppEngine is blocked in China by Great Firewall. People in
>> mainland China cannot access anysite.appspot.com directly. Therefore,
>> if squid redirects to mysite.appspot.com, it defeats my main purpose.
>>
>> Any ideas?
>
>
> There is no redirect. What you are doing is URL-rewriting using defaultsite
> to do the re-write.
>
> You should be doing the login at Squid, and passing the credentials as
> needed to the peer.  (cache_peer option "login=PASS" on 3.1 and older,
> "login=PASSTHRU" on 3.2+. exact text in both cases)
>
> Amos
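To make the two views of this thread concrete, here is an added example (not from the thread or from Squid) showing how a browser resolves a Location value against the URL it requested, and the host rewrite a reverse proxy would have to do if the origin emits its own name in an absolute redirect. It assumes the two hostnames from the posts, 'my.public.domain.com' and 'mysite.appspot.com', and a sample /login?next= redirect constructed for the demonstration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Hostnames taken from the thread; the redirect target is constructed.
PUBLIC_HOST = "my.public.domain.com"
PEER_HOST = "mysite.appspot.com"

def browser_resolves(request_url, location):
    """What the client does with a Location header: resolve it against
    the URL it asked for. A relative value stays on the public host; an
    absolute value naming the peer sends the browser to the peer directly,
    which is the behaviour Will describes."""
    return urljoin(request_url, location)

def rewrite_location(location, peer_host=PEER_HOST, public_host=PUBLIC_HOST):
    """Rewrite an absolute Location that names the peer so it names the
    public host instead (what Apache's ProxyPassReverse does for a reverse
    proxy). Values pointing anywhere else are returned untouched."""
    parts = urlsplit(location)
    if parts.netloc.lower() != peer_host.lower():
        return location
    return urlunsplit((parts.scheme, public_host, parts.path,
                       parts.query, parts.fragment))

if __name__ == "__main__":
    req = f"http://{PUBLIC_HOST}/page1"
    for loc in ("/login?next=/page1", f"http://{PEER_HOST}/login?next=/page1"):
        print(f"{loc!r:45} -> {browser_resolves(req, loc)}")
        print(f"{'after rewrite':45} -> {browser_resolves(req, rewrite_location(loc))}")
```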


Re: [squid-users] DNS Attack

2012-06-04 Thread Amos Jeffries

On 4/06/2012 8:36 a.m., Roman Gelfand wrote:

I have setup squid server to function as both forward and reverse
proxy.  It appears that I am getting flooded with http requests with
non-existent urls.  Consequently, this slows down my firewall as the
dns server is slowing down the query response.  Is there a way to
prevent dns lookup if url doesn't match the pattern?

Thanks in advance


Squid rejects requests with non-existent URLs as invalid HTTP syntax 
during parsing. There is no DNS involved there.


I assume you mean the URL has an unregistered domain name and the 
requests are coming in with a great many different domains?


Reverse-proxy requests should have 0 DNS usage. Forward-proxy should 
only need DNS after accepting a request for relay. There are some 
exceptions to that, but most networks will fit that generalization. It 
is achieved by reverse-proxy using dstdomain ACLs, and forward-proxy 
using src client IP or proxy_auth login credentials to determine traffic 
acceptance. DNS is not involved in any of those ACL types.


This small alteration (adding a localnet filter) to the basic 
reverse-proxy config should stop those requests with no DNS involved:


  # reverse-proxy rules
  acl localdomains dstdomain example.com
  http_access allow localdomains
  http_access deny !localnet

  # ... other forward-proxy rules...


Also, if you have "dst" in the reverse-proxy allow rules, change it to 
dstdomain and the DNS load should vanish.



Amos
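To show why the rule order above keeps the resolver out of the access decision, here is an added example (not from the thread, not Squid code) that walks those http_access rules over sample requests and records every DNS lookup the ACL checks would need. It assumes a constructed localnet (192.168.0.0/16), an origin range 198.51.100.0/24, a fake resolver table, and a 'dst'-style variant of the allow rule for contrast.

```python
import ipaddress

# Constructed sample values; the post only names example.com and "localnet".
LOCALNET = [ipaddress.ip_network("192.168.0.0/16")]
LOCALDOMAINS = ["example.com", ".example.com"]
ORIGIN_NETS = [ipaddress.ip_network("198.51.100.0/24")]
FAKE_DNS = {"example.com": "198.51.100.10", "www.example.com": "198.51.100.10"}

def dstdomain_match(host, patterns):
    """dstdomain semantics: 'example.com' matches exactly, '.example.com'
    also matches subdomains. Pure string comparison, no resolver involved."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith(".") and (host == p[1:] or host.endswith(p)):
            return True
        if host == p:
            return True
    return False

def dst_match(host, nets, lookups):
    """A 'dst' ACL compares the *resolved* address, so every unknown name
    costs a query; a flood of bogus names is a flood of DNS lookups."""
    lookups.append(host)
    ip = FAKE_DNS.get(host.lower().rstrip("."))
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)

def evaluate(client_ip, host, use_dst=False):
    """Walk the rules from the post in order. Returns (decision, lookups)
    where lookups lists the DNS queries the ACL checks triggered."""
    lookups = []
    # http_access allow localdomains   (dstdomain, or the 'dst' variant)
    if use_dst:
        matched = dst_match(host, ORIGIN_NETS, lookups)
    else:
        matched = dstdomain_match(host, LOCALDOMAINS)
    if matched:
        return "allow", lookups
    # http_access deny !localnet       (src ACL: client address only)
    client = ipaddress.ip_address(client_ip)
    if not any(client in n for n in LOCALNET):
        return "deny", lookups
    # ... other forward-proxy rules; assumed to allow the local client.
    # DNS for a forward request happens later, when Squid relays it.
    return "allow", lookups

if __name__ == "__main__":
    for args in (("203.0.113.9", "www.example.com"), ("203.0.113.9", "bogus-12345.invalid"),
                 ("192.168.1.7", "www.example.org"), ("203.0.113.9", "bogus-12345.invalid", True)):
        print(args, "->", evaluate(*args))
```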