Thank you both, Matus and Alex! Changing the name got my HTTP access working perfectly. I was stuck on HTTPS soon after, but as soon as I removed "intercept" from the Squid Parent proxy "http_port" line, I got that working.
You guys rock. Thanks again for that little nudge I needed to figure this out. -Phillip > Message: 2 > Date: Tue, 27 Nov 2018 17:44:54 +0100 > From: Matus UHLAR - fantomas <[email protected]> > To: [email protected] > Subject: Re: [squid-users] Parent proxy chaining > Message-ID: <[email protected]> > Content-Type: text/plain; charset=us-ascii; format=flowed > > On 27.11.18 08:33, Phillip McCollum wrote: > >I have a deployment in AWS in where a VPC has a transparent proxy > deployed, > >which forwards 80/443 requests to a parent proxy in another VPC, which I > >then need to forward to another parent proxy (SaaS provider). > > > >Essentially: > >[[Client PC]] --> [[Squid Proxy (10.52.0.20)]] --> [[Parent Squid Proxy > >(10.52.0.168)]] --> [[Parent SaaS Proxy]] > > > >This is being done to centralize proxy functions and limit the number of > >public IPs that the parent SaaS needs to whitelist. > > > >I'm getting "Access Denied" messages and a review of Squid Parent proxy > >access.log shows the following common errors: > > > >HTTP: > >2018/11/27 16:22:54 kid1| WARNING: Forwarding loop detected for: > >GET / HTTP/1.1 > >Accept: text/html, application/xhtml+xml, image/jxr, */* > >Accept-Language: en-US > >User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) > like > >Gecko > >Accept-Encoding: gzip, deflate > >Cookie: B=8nra62ldvb83a&b=3&s=ik > >Via: 1.1 squid (squid/3.5.27) > > what are names of your proxies? > you must set different visible_name or at least unique_name so proxy knows > it's not contacting itself. > > >Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) > > pkts bytes target prot opt in out source > > destination > > 0 0 REDIRECT tcp -- * * 0.0.0.0/0 > >0.0.0.0/0 tcp dpt:80 redir ports 3129 > > 0 0 REDIRECT tcp -- * * 0.0.0.0/0 > >0.0.0.0/0 tcp dpt:443 redir ports 3130 > > 35 2100 REDIRECT tcp -- * * 0.0.0.0/0 > >0.0.0.0/0 tcp dpt:8443 redir ports 3031 > > the intercepting (often called transparent) proxy must have direct access > to > world or parent proxy. Redirecting it back will create a loop. > > > -- > Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/ > Warning: I wish NOT to receive e-mail advertising to this address. > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. > BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease > >
_______________________________________________ squid-users mailing list [email protected] http://lists.squid-cache.org/listinfo/squid-users
