-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, November 01, 2010 3:57 PM
To: Dean Weimer
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] forward and reverse proxy in 3.1.x https forward proxy failing

On Mon, 1 Nov 2010 12:41:44 -0500, Dean Weimer dwei...@orscheln.com wrote:
I had an older machine that was still running 3.0 STABLE 12, that was
functioning as a forward and reverse proxy using port 80 for both. And a
reverse proxy for one site on Port 443, the machine sits in a DMZ the
forward proxy only directs about to web sites for machines connected
through WAN connections, and functions as a reverse proxy for those
machines when connecting to a couple internal sites. This machine had a
hardware failure last night and I was forced to put in place the newer
machine that had already had the software installed but wasn't configured
or tested yet.

The problem I am having is that this machine running squid 3.1.9 functions
fine as both forward and reverse for http websites, and is working for the
reverse HTTPS site, though I had to use the sslproxy_cert_error acl method
to bypass a cert error, even though the cert is valid, it's not accepting
it. That's a minor problem though, as it's functioning. The more pressing
problem is that HTTPS forward proxy is not working, the logs show an error
every time stating a connect method was received on an accelerator port.
2010/11/01 12:26:43| clientProcessRequest: Invalid Request
2010/11/01 12:26:44| WARNING: CONNECT method received on http Accelerator port 80
2010/11/01 12:26:44| WARNING: for request: CONNECT armmf.adobe.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: armmf.adobe.com
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache
Is using the same port for both forward of http https not allowed while
using it for a reverse proxy anymore?

It's never been allowed. The ability in older Squid was a bug.
You will need a separate http_port line for the two modes if you want
CONNECT tunnels.
It's a good idea to keep each of the four modes (forward, reverse,
intercept and transparent) on separate http_port. From 3.1 onwards this is
being enforced where possible.
Amos

Thanks for the reply Amos, I had come to that conclusion myself, about it not
working anyways, didn't realize it was a bug that allowed it in the old version
though. I have already configured an additional port and verified that worked
shortly after sending the first post. The majority of our PCs' browsers are set
to use a configuration script, and that has been corrected with the new port.
We have one application that has it in an INI file which will be delivered in
our nightly polling process. Now we just have to find the machines that are
incorrectly set with a manual proxy setting and have them updated.
Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co
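
The advice in this thread (one http_port line per mode, with a forward port for CONNECT tunnels) as a check that can be run over a squid.conf. This is an added example, not part of the original messages and not Squid's own code. It reads a port's mode only from the explicit accel, intercept, transparent and tproxy flags, and the sample configs and port 3128 are constructed.

```python
# Added example: audits http_port lines in a squid.conf for mode separation.
# Assumption: a port's mode is read only from the explicit flags below;
# "transparent" is treated as the older spelling of "intercept".
MODE_FLAGS = {"accel": "reverse", "intercept": "intercept",
              "transparent": "intercept", "tproxy": "transparent"}


def port_modes(conf_text):
    """Map each http_port address to the set of modes configured on it."""
    ports = {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        modes = {MODE_FLAGS[o] for o in fields[2:] if o in MODE_FLAGS}
        # No mode flag at all means a plain forward-proxy port.
        ports.setdefault(fields[1], set()).update(modes or {"forward"})
    return ports


def audit(conf_text):
    """Return findings: mixed-mode ports, and no port able to take CONNECT."""
    ports = port_modes(conf_text)
    findings = [f"{addr}: mixes modes {sorted(m)}"
                for addr, m in sorted(ports.items()) if len(m) > 1]
    if not any(m == {"forward"} for m in ports.values()):
        findings.append("no forward-only http_port: CONNECT will be refused")
    return findings


# Constructed configs: the failing layout from the thread (port 80 only, as an
# accelerator) and the fix (an extra forward port; 3128 is a placeholder).
BEFORE = "http_port 80 accel vhost\n"
AFTER = "http_port 80 accel vhost\nhttp_port 3128  # forward proxy, CONNECT\n"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, port_modes(conf), audit(conf) or "ok")
```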