Reverse proxy is not responding


Reverse proxy is not responding

Kiru Pananthan
Dear Team

Squid 3.1.20 reverse proxy server running on Linux Debian. This has been set up a few years before and working fine.

Recently we are planning to host a new site on our local windows server and setup for external access using squid proxy, so we tried to modify by adding the new site info in the squid config file for external access.

After modifying the config file, we are able to access the site externally but the site didn't redirect automatically to HTTPS like other sites we set up before. So I tried to remove the code lines I added in the config file to restore it to the original setting, but now all our existing sites are not redirecting automatically to HTTPS.

Any idea what went wrong and how this can be refixed?

I have tried to restart the Squid service and also the server, still not working as expected.





--

Kind regards,

Kirupananthan Yogalingam,
ICT Manager

Confidentiality Disclaimer: This e-mail and any attachments are confidential and intended solely for the intended addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the intended addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose, distribute or otherwise act in reliance upon any part of this e-mail or its attachments. Australian International School Malaysia and all affiliates under Taylor's Education Group  does not accept responsibility for any loss arising from unauthorised access to, or interference with, any internet communications by any third party in reliance to this email, or from the transmission of any viruses. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of   Australian International School Malaysia and all affiliates under Taylor's Education Group. Replies to this e-mail may be monitored by   Australian International School Malaysia and all affiliates under Taylor's Education Group for operational or business reasons.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Reverse proxy is not responding

Amos Jeffries
Administrator
On 18/03/18 00:22, Kiru Pananthan wrote:

> Dear Team
>
> Squid 3.1.20 reverse proxy server running on Linux Debian. This has
> been set up a few years before and working fine.
>
> Recently we are planning to host a new site on our local windows server
> and setup for external access using squid proxy, so we tried to modify
> by adding the new site info in the squid config file for external access.
>
> After modifying the config file, we are able to access the site
> externally but the site didn't redirect automatically to HTTPS like
> other sites we set up before. So I tried to remove the code lines I
> added in the config file to restore it to the original setting, but now
> all our existing sites are not redirecting automatically to HTTPS.
>
> Any idea what went wrong and how this can be refixed?

We will need to see what your config file contains to answer those
questions. All I can tell from this description is that probably you
missed a small vital item somewhere.

Amos

Re: Reverse proxy is not responding

Kiru Pananthan
In reply to this post by Kiru Pananthan
Hi Amos

Thanks for your reply. Here I have attached the squid config file link for your view. Do I need to clear the squid cache in the squid server for it to work?

Config file url



Re: Reverse proxy is not responding

Amos Jeffries
Administrator
On 19/03/18 01:48, Kiru Pananthan wrote:
> Hi Amos
>
> Thanks for your reply. Here I have attached the squid config file link
> for your view. Do I need to clear the squid cache in the squid server
> for it to work?

You do not have any persistent cache enabled on that proxy. Restarting
the proxy is sufficient to wipe the memory cache.


>
> Config file url
> https://goo.gl/Q4a749

What you have there is the documentation file for squid.conf. Please
remove all the empty lines and comments (lines beginning with #).
Then you and we will be able to see what the config actually is.



From what I could see there all your cache_peer and cache_peer_access
lines are a bit muddled up. Compare what you have there to the example
it seems to have been originally copy-n-pasted from:
 <https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers>


Also, your cache_peer lines for server_5 and server_7 are identical -
same IP:port and other parameters. If that 172.23.2.99:80 is the correct
destination for both the sites_server7 and sites_server_5 domains, then
you only need one cache_peer definition.
 Otherwise that is probably your problem right there.


Amos

Re: Reverse proxy is not responding

Kiru Pananthan
Hi Amos

Thanks for your reply,

I have restarted the squid service using the command # /etc/init.d/squid3 restart and also rebooted the Linux server too, but still the problem exists.

I have removed the empty and # command line in the document for your review. Can you please check now and provide me with some guidance?

Config file URL
 https://goo.gl/Q4a749



Re: Reverse proxy is not responding

Amos Jeffries
Administrator
On 19/03/18 03:22, Kiru Pananthan wrote:

> Hi Amos
>
> Thanks for your reply,
>
> I have restarted the squid service using the command #
> /etc/init.d/squid3 restart and also rebooted the Linux server too, but
> still the problem exists.
>
> I have removed the empty and # command line in the document for your
> review. Can you please check now and provide me with some guidance?
>

Thanks. That one is easier to read.


The domains dvr1.* dvr2.* and dashboard.* are accepted into the proxy
(by the our_sites ACL) but have nowhere to go - no cache_peer with an
allow for them. I guess those are the domains which you are seeing
failures for?


Some further cleanups you can do:

It is now clear that "cache_peer access server_6 deny all" is referring
to a non-existent cache_peer. Not an issue, but you can remove that line
to simplify things further.


The https_port line is missing accel mode flag.
 - Also, 'vhost' option is deprecated in current Squid. Virtual hosting
is on by default now.

Also, since these are reverse-proxy the *_port lines should really be
listening on the same ports the peers are using (eg port 80, 443 and
8443) to avoid weird issues with Host header relayed to peers with
unexpected port 3128 or 8443 values (as sent by the clients).
 I also notice that traffic arriving in the HTTPS port has a default
domain of bookings.* assigned but the only peer which is expecting
traffic on/from port 8443 is the one for library.* domain. It may be
worthwhile removing the defaultsite= option entirely.



You still have the muddled peer lines making that config hard to read.
By that I mean your "acl sites_server_*" definitions are grouped amidst
cache_peer* lines for a peer which that ACL has nothing to do with.
Re-ordering those would be useful for future maintenance.

Also, the issue with server_5 and server_7 being identical is still
there. It is even more clear now that they are truly duplicates in all
respects, from cache_peer line to the server_sites_* ACLs. One of them
should be removed.


Your custom http_access line should be placed at the spot which
currently says "http_access allow localhost".


In fact, what I recommend is to move the "http_access deny all" line
down below the cache_peer config block. Then you can use the
sites_server_N ACLs to do an "http_access allow sites_server_*" instead
of duplicating domain names in that our_sites ACL.
 This way you can be sure only the traffic which has a cache_peer to go
to is allowed into the proxy at all and the reverse: all traffic which
has a peer to go to is allowed. That may be helpful to avoid this
situation repeating in future.

Amos

Re: Reverse proxy is not responding

Kiru Pananthan
Hi Amos

Thanks for your time and the information you shared, great. I have modified the line you have requested to remove, but a few other points you have highlighted I am unsure about, as I am new to squid and coding. Can you please correct me on my questions if possible?

1. I have removed the dvr 1 to dvr 4 from code

2. I have removed the "cache_peer access server_6 deny all"

3. Unsure about the < The https_port line is missing accel mode flag. - Also, 'vhost' option is deprecated in current Squid Virtual hosting is on by default now. >
What change do I need to make for this? Need your help on this.

4. defaultsite= option remove - Which line is this I need to remove?

5. I have reordered the acl sites_server_

Config file URL
 https://goo.gl/Q4a749



Re: Reverse proxy is not responding

Amos Jeffries
Administrator
On 19/03/18 11:22, Kiru Pananthan wrote:
> Hi Amos
>
> Thanks for your time and the information you shared, great. I have
> modified the line you have requested to remove, but a few other points you
> have highlighted I am unsure about, as I am new to squid and coding.
> Can you please correct me on my questions if possible?
>
> 1. I have removed the dvr 1 to dvr 4 from code
>

Okay, that leaves the dashboard.* domain with that problem.

>
> 3. Unsure about the  < The https_port line is missing accel mode flag. -
> Also, 'vhost' option is deprecated in current Squid Virtual hosting is
> on by default now. > 
> What change do I need to make for this? Need your help on this.

Add 'accel' after the port number on the https_port line and remove
vhost from both *_port lines.

>
> 4. defaultsite= option remove - Which line is this I need to remove?
>

On the end of the https_port line.


> 5. I have reordered the acl sites_server_
>

Those look different but are still all out of place and, worse than
before, now some ACLs are undefined before first use.

For example look at all the lines containing "server_2" - they should
all be together like this:

  cache_peer ... name=server_2
  acl sites_server_2 ...
  http_access allow sites_server_2
  cache_peer_access server_2 allow sites_server_2

* 'acl' line must go above both *_access lines that mention it.
* 'cache_peer' line must go above all 'cache_peer_access' lines that
mention it.


Please also run "squid -k parse" and see if it displays any ERROR or
FATAL issues when changing the config file. This version should have
found some FATAL issues with those ACL definitions.

Amos
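
The ordering rules in the reply above (each 'acl' above the *_access lines that use it, each 'cache_peer' above its 'cache_peer_access' lines), together with the earlier reply's point about domains that are accepted but have no peer to go to, can be checked mechanically alongside "squid -k parse". The Python lint below is an added example, not part of the original thread or of Squid; the sample config, the example.org names and the 192.0.2.10 address are constructed, and domains are compared as exact strings.

```python
BUILTIN_ACLS = {"all"}  # assumption: other predefined ACL names vary by Squid version

# Constructed sample (not the poster's file). The peer IP is from the
# 192.0.2.0/24 documentation range and the domain names are placeholders.
SAMPLE_CONF = """\
http_port 80 accel
acl our_sites dstdomain portal.example.org dashboard.example.org
http_access allow our_sites
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=server_1
cache_peer_access server_1 allow sites_server_1
acl sites_server_1 dstdomain portal.example.org
cache_peer_access server_1 deny all
cache_peer_access server_6 deny all
http_access deny all
"""


def lint_squid_conf(text):
    """Return sorted (line_no, message) findings for squid.conf text."""
    acl_domains = {}   # ACL name -> dstdomain values seen so far
    peers = set()      # cache_peer names defined so far
    let_in = {}        # ACL name -> line of the http_access allow using it
    routed = set()     # ACL names used in some cache_peer_access allow
    findings = []

    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        directive, args = words[0], words[1:]
        if directive == "acl":
            domains = acl_domains.setdefault(args[0], set())
            if args[1:2] == ["dstdomain"]:
                domains.update(args[2:])
            continue
        if directive == "cache_peer":
            # Without name=, Squid names the peer after its hostname.
            peers.add(next((a[5:] for a in args if a.startswith("name=")), args[0]))
            continue
        if directive == "cache_peer_access":
            peer, args = args[0], args[1:]
            if peer not in peers:
                findings.append((no, f"no cache_peer named {peer} above this line"))
        elif directive != "http_access":
            continue
        if not args:
            continue
        for acl in (a.lstrip("!") for a in args[1:]):
            if acl in BUILTIN_ACLS:
                continue
            if acl not in acl_domains:
                findings.append((no, f"acl {acl} used before it is defined"))
            if args[0] == "allow":
                if directive == "http_access":
                    let_in.setdefault(acl, no)
                else:
                    routed.add(acl)

    # Coverage: every domain let in by http_access needs a peer that allows it.
    reachable = set().union(*(acl_domains.get(a, set()) for a in routed))
    for acl, no in let_in.items():
        for domain in sorted(acl_domains.get(acl, set()) - reachable):
            findings.append((no, f"{domain} is accepted but no cache_peer_access allows it"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, message in lint_squid_conf(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```

On the constructed sample it reports the orphaned dashboard domain, the ACL used one line before its definition, and the cache_peer_access line for a peer that does not exist.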

Re: Reverse proxy is not responding

Kiru Pananthan
Hi Amos

I have removed *. dashboard and also timetable which is not in use.

I have added the accel after port number and removed vhost as per your advice. Can you check the file now, am I good to go? I have not yet run the query "squid -k parse", later will run it and update you on the outcome. I need to update the config file in server once you verify the config file for me to run the query.

So basically I set this config file for below url. All this should be able to access through https by auto redirect from http to https.



Config file URL
 https://goo.gl/Q4a749

--

Kind regards,

Kirupananthan Yogalingam,
ICT Manager
----------------------------------------------------------------------------------------------------------
Australian International School Malaysia (AISM)
No.22 Jalan Anggerik, 
The Mines Resort City,
43300 Seri Kembangan, 
Selangor, Malaysia.



T: +60 3 8949 5000 F: +60 3 8949 5100 
E: [hidden email] W: http://www.aism.edu.my/
Direct Line: +60-3-8949 5055
----------------------------------------------------------------------------------------------------------

 







Re: Reverse proxy is not responding

Kiru Pananthan
In reply to this post by Amos Jeffries
Hi Amos

I have run the command of "squid -k parse" and attached output in the config file link 
Config file URL
 https://goo.gl/Q4a749



Re: Reverse proxy is not responding

Amos Jeffries
Administrator
On 20/03/18 03:40, Kiru Pananthan wrote:
> Hi Amos
>
> I have run the command of "squid -k parse" and attached output in the
> config file link 
> Config file URL
>  https://goo.gl/Q4a749
>

You see anything looking odd in that output?

Many of the wrong syntax things I have mentioned should also be
mentioned there in one form or another. eg the server_6 missing I see in
that image, and acl line not being before first use last time around
would have had a big fat FATAL line.

I asked you to run that so you can use it yourself in future without
having to rely on me/us for the simple stuff. It is not complete by any
means, but does get updated each release where config changed. So it is
best practice to run that and fix anything shown when editing squid.conf
or upgrading the proxy before restart/reconfigure happens to the
production service.

Amos

Re: Reverse proxy is not responding

Amos Jeffries
Administrator
In reply to this post by Kiru Pananthan
On 19/03/18 19:13, Kiru Pananthan wrote:
> Hi Amos
>
> I have removed *. dashboard and also timetable which is not in use.
>
> I have added the accel after port number and removed vhost as per your
> advice. Can you check the file now, am I good to go? I have not yet run
> the query "squid -k parse", later will run it and update you on the
> outcome. I need to update the config file in server once you verify the
> config file for me to run the query.

Okay, though of course backup the config running now before you change
it. I have been known to be wrong sometimes.

>
> So basically I set this config file for below url. All this should be able
> to access through https by auto redirect from http to https.

Um, let's be clear. "redirect" means something other than what you are
doing. Your traffic is still very much clear-text HTTP on the
client/"external" side of the network. What you have is secure
connections between the proxy and peer servers (ie the *internal* network).

To have a "redirect" the proxy would be responding to all incoming
http:// URLs with a 302 message telling the client to re-try with
https:// instead. If you want that to happen it is easy enough, but
another step additional to the bit we have been trying to get working so
far.


>
> Portal.aism.edu.my <http://Portal.aism.edu.my>
> Helpdesk.aism.edu.my <http://Helpdesk.aism.edu.my>
> Booking.aism.edu.my <http://Booking.aism.edu.my>
>
>
> Config file URL
>  https://goo.gl/Q4a749
>

Your config also proxies the bookings* and library.* domains.

Related to those your last "acl" line looks kind of odd:
  acl sites_server_2 dstdomain library.*

Is the server_2 peer accepting library.* domain as well as bookings.* ?


Your "deny all" lines for this smaller config now should be:

 cache_peer_access server_1  deny all
 cache_peer_access server_2  deny all
 cache_peer_access lib_1_SSL deny all
 cache_peer_access lib_1     deny all

 http_access deny all


(you see why it's useful to group all the lines about a server together?
these should not have been able to be missed by your last edit).


Amos