On Wed, 30 Sep 2009 12:18:47 +0200, "Michael Grimm" <michigrimm_at_gmx.de>
wrote:
> Hi everyone,
>
> I have a problem with my reverse proxy running Squid 3.0.STABLE19 in the
> following scenario:
>
> I give customers access to one of our internal web-applications running
> tomcat on port 8080 (unencrypted).
> The customer accesses the reverse proxy on port 443 (certificates are in
> place)
>
> When a customer accesses the reverse proxy for the first time he
receives:
>
> Forwarding Denied
> This cache will not forward your request because it is trying to enforce
a
> sibling relationship. Perhaps the client at xyz.xyz.xyz.xyz (THE
> CUSTOMERS IP!) is a cache which has been misconfigured.
>
> The access.log of the sever contains the following message:
> 1254302414.527 1 xyz.xyz.xyz.xyz TCP_MISS/403 2347 GET
> https://customer.mycompany.com/ - NONE/- text/html
>
> When the customer does a browser refresh, the login page appears and he
can
> work without any further error messages.
>
You have a big huge problem.
You wanted a reverse proxy. But you configured something else very weird
instead.
Also, the bug in Squid-3 which allowed this configuration to work at all
has just been fixed.
> My squid.conf contains the following entries:
> cache_mgr info_at_mycompany.com
> access_log /var/log/squid/access.log squid
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
>
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl externalnet src all
>
> acl SSL_ports port 443
> acl Safe_ports port 443
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow externalnet
>
> http_access deny all
> icp_access deny all
> htcp_access deny all
>
> https_port 443 cert=/etc/ssl/reverse_proxy/customer.mycompany.com.cert
> key=/etc/ssl/reverse_proxy/customer.mycompany.com.key
> defaultsite=customer.mycompany.com options=NO_SSLv2 accel
> cache_peer 192.168.1.50 parent 8080 0 no-query originserver
> name=tomcatapplication # 192.168.1.50 is the internal IP of the tomcat
web
> application
> acl reverse_tomcatapplication dst customer.mycompany.com
> http_access allow reverse_tomcatapplication
> cache_peer_access tomcatapplication allow reverse_tomcatapplication
> cache_peer_access tomcatapplication deny all
> http_access allow all
> miss_access allow reverse_tomcatapplication
> miss_access deny all
> http_access deny all
>
> This error always existed since I installed the reverse proxy for the
first
> time. It was no problem when few customers accessed the system. Since
this
> number will increase a lot in the near future I have to fix this.
You need to reconfigure your squid properly as a reverse proxy.
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
Note the comment at the top of the squid configuration section "This
configuration MUST appear at the top ..."
Assuming that the above was your whole config... Erase the contents of
squid.conf and replace with only this:
cache_mgr info_at_mycompany.com
access_log /var/log/squid/access.log squid
https_port 443 accel
cert=/etc/ssl/reverse_proxy/customer.mycompany.com.cert
key=/etc/ssl/reverse_proxy/customer.mycompany.com.key
defaultsite=customer.mycompany.com options=NO_SSLv2
cache_peer 192.168.1.50 parent 8080 0 originserver no-query
name=tomcatapplication forcedomain=customer.mycompany.com
acl reverse_tomcatapplication dstdomain customer.mycompany.com
http_access allow reverse_tomcatapplication
http_access deny all
cache_peer_access tomcatapplication allow reverse_tomcatapplication
cache_peer_access tomcatapplication deny all
never_direct allow all
Amos
Received on Wed Sep 30 2009 - 22:13:42 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 01 2009 - 12:00:05 MDT