RE: [squid-users] forward and reverse proxy in 3.1.x https forward proxy failing

2010-11-01 Thread Dean Weimer
> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Monday, November 01, 2010 3:57 PM
> To: Dean Weimer
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] forward and reverse proxy in 3.1.x https forward
> proxy failing
> 
> On Mon, 1 Nov 2010 12:41:44 -0500, "Dean Weimer" wrote:
> > I had an older machine that was still running 3.0 STABLE 12, that was
> > functioning as a forward and reverse proxy using port 80 for both.  And a
> > reverse proxy for one site on Port 443, the machine sits in a DMZ the
> > forward proxy only directs about to web sites for machines connected
> > through WAN connections, and functions as a reverse proxy for those
> > machines when connecting to a couple internal sites.  This machine had a
> > hardware failure last night and I was forced to put in place the newer
> > machine that had already had the software installed but wasn't configured
> > or tested yet.
> >
> > The problem I am having is that this machine running squid 3.1.9 functions
> > fine as both forward and reverse for http websites, and is working for the
> > reverse HTTPS site, though I had to use the sslproxy_cert_error acl method
> > to bypass a cert error, even though the cert is valid, it's not accepting
> > it.  That's a minor problem though, as it's functioning.  The more pressing
> > problem is that HTTPS forward proxy is not working, the logs show an error
> > every time stating a connect method was received on an accelerator port.
> >
> > 2010/11/01 12:26:43| clientProcessRequest: Invalid Request
> > 2010/11/01 12:26:44| WARNING: CONNECT method received on http Accelerator port 80
> > 2010/11/01 12:26:44| WARNING: for request: CONNECT armmf.adobe.com:443 HTTP/1.0
> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
> > Host: armmf.adobe.com
> > Content-Length: 0
> > Proxy-Connection: Keep-Alive
> > Pragma: no-cache
> >
> > Is using the same port for both forward of http & https not allowed while
> > using it for a reverse proxy anymore?
> 
> It's never been allowed. The ability in older Squid was a bug.
> You will need a separate http_port line for the two modes if you want
> CONNECT tunnels.
> 
> It's a good idea to keep each of the four modes (forward, reverse,
> intercept and transparent) on separate http_port. From 3.1 onwards this is
> being enforced where possible.
> 
> Amos

Thanks for the reply Amos, I had come to that conclusion myself, about it not
working anyways, didn't realize it was a bug that allowed it in the old version
though.  I have already configured an additional port and verified that worked
shortly after sending the first post.  The majority of our PCs' browsers are set
to use a configuration script, and that has been corrected with the new port.
We have one application that has it in an INI file which will be delivered in
our nightly polling process.  Now we just have to find the machines that are
incorrectly set with a manual proxy setting and have them updated.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co


Re: [squid-users] forward and reverse proxy in 3.1.x https forward proxy failing

2010-11-01 Thread Amos Jeffries
On Mon, 1 Nov 2010 12:41:44 -0500, "Dean Weimer" wrote:
> I had an older machine that was still running 3.0 STABLE 12, that was
> functioning as a forward and reverse proxy using port 80 for both.  And a
> reverse proxy for one site on Port 443, the machine sits in a DMZ the
> forward proxy only directs about to web sites for machines connected
> through WAN connections, and functions as a reverse proxy for those
> machines when connecting to a couple internal sites.  This machine had a
> hardware failure last night and I was forced to put in place the newer
> machine that had already had the software installed but wasn't configured
> or tested yet.
>
> The problem I am having is that this machine running squid 3.1.9 functions
> fine as both forward and reverse for http websites, and is working for the
> reverse HTTPS site, though I had to use the sslproxy_cert_error acl method
> to bypass a cert error, even though the cert is valid, it's not accepting
> it.  That's a minor problem though, as it's functioning.  The more pressing
> problem is that HTTPS forward proxy is not working, the logs show an error
> every time stating a connect method was received on an accelerator port.
>
> 2010/11/01 12:26:43| clientProcessRequest: Invalid Request
> 2010/11/01 12:26:44| WARNING: CONNECT method received on http Accelerator port 80
> 2010/11/01 12:26:44| WARNING: for request: CONNECT armmf.adobe.com:443 HTTP/1.0
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
> Host: armmf.adobe.com
> Content-Length: 0
> Proxy-Connection: Keep-Alive
> Pragma: no-cache
>
> Is using the same port for both forward of http & https not allowed while
> using it for a reverse proxy anymore?

It's never been allowed. The ability in older Squid was a bug.
You will need a separate http_port line for the two modes if you want
CONNECT tunnels.

It's a good idea to keep each of the four modes (forward, reverse,
intercept and transparent) on separate http_port. From 3.1 onwards this is
being enforced where possible.

Amos
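
The check below follows from the reply above: it classifies each http_port listener by mode and pairs the cache.log warnings to show which CONNECT targets hit an accelerator port. It is an added example, not part of the original thread and not Squid project code; the forward port 3128 and the www.example.com target are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: cache.log lines in the format quoted in the thread.
SAMPLE_LOG = """\
2010/11/01 12:26:43| clientProcessRequest: Invalid Request
2010/11/01 12:26:44| WARNING: CONNECT method received on http Accelerator port 80
2010/11/01 12:26:44| WARNING: for request: CONNECT armmf.adobe.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
2010/11/01 12:27:10| WARNING: CONNECT method received on http Accelerator port 80
2010/11/01 12:27:10| WARNING: for request: CONNECT www.example.com:443 HTTP/1.0
"""

# Constructed config: one listener per mode; port 3128 is an assumption.
SAMPLE_CONF = """\
http_port 10.40.1.254:80 accel vhost
http_port 10.40.1.254:3128
"""

WARN = re.compile(r"WARNING: CONNECT method received on \S+ Accelerator port (\d+)")
REQ = re.compile(r"WARNING: for request: CONNECT (\S+) ")
MODE_FLAGS = ("accel", "intercept", "transparent", "tproxy")

def port_modes(conf):
    """Map each http_port listener to its mode flag; no mode flag means forward."""
    modes = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "http_port":
            flags = [f for f in parts[2:] if f in MODE_FLAGS]
            modes[parts[1]] = flags[0] if flags else "forward"
    return modes

def rejected_connects(log):
    """Count (accelerator port, CONNECT target) pairs from adjacent warning lines."""
    hits, pending = Counter(), None
    for line in log.splitlines():
        m = WARN.search(line)
        if m:
            pending = m.group(1)   # remember the port until the request line
            continue
        r = REQ.search(line)
        if r and pending:
            hits[(pending, r.group(1))] += 1
        pending = None
    return hits

def has_forward_listener(conf):
    return "forward" in port_modes(conf).values()
```
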


[squid-users] forward and reverse proxy in 3.1.x https forward proxy failing

2010-11-01 Thread Dean Weimer
I had an older machine that was still running 3.0 STABLE 12, that was 
functioning as a forward and reverse proxy using port 80 for both.  And a 
reverse proxy for one site on Port 443, the machine sits in a DMZ the forward 
proxy only directs about to web sites for machines connected through WAN 
connections, and functions as a reverse proxy for those machines when 
connecting to a couple internal sites.  This machine had a hardware failure 
last night and I was forced to put in place the newer machine that had already 
had the software installed but wasn't configured or tested yet.

The problem I am having is that this machine running squid 3.1.9 functions fine 
as both forward and reverse for http websites, and is working for the reverse 
HTTPS site, though I had to use the sslproxy_cert_error acl method to bypass a 
cert error, even though the cert is valid, it's not accepting it.  That's a 
minor problem though, as it's functioning.  The more pressing problem is that 
HTTPS forward proxy is not working, the logs show an error every time stating a 
connect method was received on an accelerator port.

2010/11/01 12:26:43| clientProcessRequest: Invalid Request
2010/11/01 12:26:44| WARNING: CONNECT method received on http Accelerator port 80
2010/11/01 12:26:44| WARNING: for request: CONNECT armmf.adobe.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: armmf.adobe.com
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache

Is using the same port for both forward of http & https not allowed while using 
it for a reverse proxy anymore?

I tried adding the new allow-direct option to my http_port line with no change 
in behavior.

Current line is:
http_port 10.40.1.254:80 accel vhost allow-direct

Anyone have any ideas as to what I am doing wrong here?


Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co
 Phone: (660) 269-3448
 Fax: (660) 269-3950