deny_info Question

Brad Taylor-3
I'm using Squid 2.6 STABLE6. The deny_info function in the config below
worked in Squid 2.4 but is not working in 2.6 STABLE6. I get this error
message when going to http://192.168.60.19 (the squid server):

The following error was encountered:

Invalid Request
Some aspect of the HTTP Request is invalid. Possible problems:

Missing or unknown request method
Missing URL
Missing HTTP Identifier (HTTP/1.0)
Request is too large
Content-Length missing for POST or PUT requests
Illegal character in hostname; underscores are not allowed
Your cache administrator is root.

--------------------------------------------------------------------------------

Generated Tue, 15 May 2007 21:52:57 GMT by qa3 (squid/2.6.STABLE6)


I want to be redirected to https://qa3/ if coming from port 80.


My config:

http_port 80
https_port 443 cert=/etc/squid/autotask.net-11-07.pem key=/etc/squid/autotask.net_key-11-07.pem options=NO_SSLv2 cipher=DEFAULT:!EXPORT:!LOW defaultsite=qa3
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl JS url_regex .js$
no_cache deny JS
acl CSS url_regex .css$
no_cache deny CSS
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#Suggested default:
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320
refresh_pattern -i \.jpg$    0 100% 10080
refresh_pattern -i \.gif$    0 100% 10080
refresh_pattern -i \.png$    0 100% 10080
refresh_pattern -i \.bmp$    0 100% 10080
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
acl port80 myport 80
acl port443 port 443
acl port563 port 563
acl TheOriginServer dst 192.168.60.40
#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access allow port563
http_access allow port443
http_access deny port80
http_access allow TheOriginServer
http_access deny all
http_reply_access allow all
icp_access allow all
cache_peer 192.168.60.40 parent 80 0 no-query originserver
#2.4 Squid config next 4 lines
#httpd_accel_host 192.168.60.40
#httpd_accel_port 80
#httpd_accel_single_host on
#httpd_accle_with_proxy off  
deny_info https://qa3/ port80
coredump_dir /var/spool/squid
visible_hostname qa3
logfile_rotate 9
negative_ttl 0 minutes

Re: deny_info Question

Henrik Nordström
Tue 2007-05-15 at 17:59 -0400, Brad Taylor wrote:
> I'm using Squid 2.6 STABLE6 the deny_info function in the below config
> worked in Squid 2.4 but is not working in 2.6 STABLE6. I get this error
> message when going to http://192.168.60.19 (the squid server):

If you want to be able to use the Squid server as a web server then you
need accelerator / reverse proxy mode.

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

The syntax for this is a bit different from earlier releases. See
the release notes. The examples in the FAQ are up to date.

Regards
Henrik


RE: deny_info Question

Brad Taylor-3
The Squid server is working in accelerator / reverse proxy mode. That is
working. What is not working is the deny_info option. I need that to
work to redirect anyone coming from port 80 to be redirected to an https
address. As far as I can tell the deny_info option didn't change in 2.6.

Here is my config:

http_port 80
https_port 443 cert=/etc/squid/autotask.net-11-07.pem key=/etc/squid/autotask.net_key-11-07.pem options=NO_SSLv2 cipher=DEFAULT:!EXPORT:!LOW defaultsite=qa3
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl JS url_regex .js$
no_cache deny JS
acl CSS url_regex .css$
no_cache deny CSS
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#Suggested default:
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320
refresh_pattern -i \.jpg$    0 100% 10080
refresh_pattern -i \.gif$    0 100% 10080
refresh_pattern -i \.png$    0 100% 10080
refresh_pattern -i \.bmp$    0 100% 10080
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
acl port80 myport 80
acl port443 port 443
acl port563 port 563
acl TheOriginServer dst 192.168.60.40
#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access allow port563
http_access allow port443
http_access deny port80
http_access allow TheOriginServer
http_access deny all
http_reply_access allow all
icp_access allow all
cache_peer 192.168.60.40 parent 80 0 no-query originserver
#2.4 Squid config next 4 lines
#httpd_accel_host 192.168.60.40
#httpd_accel_port 80
#httpd_accel_single_host on
#httpd_accle_with_proxy off
deny_info https://qa3/ port80
coredump_dir /var/spool/squid
visible_hostname qa3
logfile_rotate 9
negative_ttl 0 minutes



-----Original Message-----
From: Henrik Nordstrom [mailto:[hidden email]]
Sent: Wednesday, May 16, 2007 8:39 AM
To: Brad Taylor
Cc: [hidden email]
Subject: Re: [squid-users] deny_info Question

Tue 2007-05-15 at 17:59 -0400, Brad Taylor wrote:
> I'm using Squid 2.6 STABLE6 the deny_info function in the below config
> worked in Squid 2.4 but is not working in 2.6 STABLE6. I get this error
> message when going to http://192.168.60.19 (the squid server):

If you want to be able to use the Squid server as a web server then you
need accelerator / reverse proxy mode.

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

The syntax for this is a bit different from earlier releases. See
the release notes. The examples in the FAQ are up to date.

Regards
Henrik

RE: deny_info Question

Henrik Nordström
Wed 2007-05-16 at 09:46 -0400, Brad Taylor wrote:
> The Squid server is working in accelerator / reverse proxy mode. That is
> working.

Can't be working with that config. An http_port (or https_port) without
any accelerator options won't accept web server requests, only proxy
requests. And the error you see is because of this, not the deny_info..

> What is not working is the deny_info option. I need that to
> work to redirect anyone coming from port 80 to be redirected to an https
> address. As far as I can tell the deny_info option didn't change in 2.6.

It didn't. The httpd_accel and http_port options did, significantly..

Regards
Henrik


RE: deny_info Question

Brad Taylor-3
I tried:

http_port 80 accel defaultsite=your.main.website

and that did not allow squid to start

when I tried:

http_port 80 defaultsite=your.main.website

without the "accel" it did work.

Is this site wrong: http://wiki.squid-cache.org/SquidFaq/ReverseProxy


-----Original Message-----
From: Henrik Nordstrom [mailto:[hidden email]]
Sent: Wednesday, May 16, 2007 10:58 AM
To: Brad Taylor
Cc: [hidden email]
Subject: RE: [squid-users] deny_info Question

Wed 2007-05-16 at 09:46 -0400, Brad Taylor wrote:
> The Squid server is working in accelerator / reverse proxy mode. That is
> working.

Can't be working with that config. An http_port (or https_port) without
any accelerator options won't accept web server requests, only proxy
requests. And the error you see is because of this, not the deny_info..

> What is not working is the deny_info option. I need that to
> work to redirect anyone coming from port 80 to be redirected to an https
> address. As far as I can tell the deny_info option didn't change in 2.6.

It didn't. The httpd_accel and http_port options did, significantly..

Regards
Henrik

RE: deny_info Question

Henrik Nordström
Wed 2007-05-16 at 15:00 -0400, Brad Taylor wrote:

> I tried:
>
> http_port 80 accel defaultsite=your.main.website
>
> and that did not allow squid to start
>
> when I tried:
>
> http_port 80 defaultsite=your.main.website
>
> without the "accel" it did work.
>
> Is this site wrong: http://wiki.squid-cache.org/SquidFaq/ReverseProxy

Probably you are running a somewhat old version. The accel option is
entirely optional, but exists to make it more obvious what is going on..

http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-7fa129a6528d9a5c914f8dd5671668173e39e341

Regards
Henrik
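
As an added illustration of the diagnosis in this thread (not code from any of the posters or from the Squid project): a small Python check that flags a deny_info URL redirect keyed on a myport ACL when the matching http_port has no accelerator options, which is the situation that produced "Invalid Request" instead of the redirect. The function names, the ACCEL_OPTS set and the abbreviated sample configs are assumptions made for this example.

```python
# Options this example treats as enabling accelerator mode on a listening port.
# "accel" and "defaultsite=" come from the thread; "vhost" is a further Squid 2.6 option.
ACCEL_OPTS = ("accel", "vhost", "defaultsite=")

def directives(conf_text):
    """Yield (name, args) for every non-comment, non-empty squid.conf line."""
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            yield parts[0], parts[1:]

def is_accel(opts):
    """True if any port option is (or starts with) one of ACCEL_OPTS."""
    return any(o == a or (a.endswith("=") and o.startswith(a))
               for o in opts for a in ACCEL_OPTS)

def unreachable_redirects(conf_text):
    """Return (port, acl, url) for deny_info redirects keyed on a myport ACL
    whose listening port has no accelerator options."""
    accel_by_port, myport_acls, redirects = {}, {}, {}
    for name, args in directives(conf_text):
        if name in ("http_port", "https_port") and args:
            port = args[0].rsplit(":", 1)[-1]      # accept "80" or "ip:80"
            accel_by_port[port] = is_accel(args[1:])
        elif name == "acl" and len(args) >= 3 and args[1] == "myport":
            myport_acls.setdefault(args[0], []).extend(args[2:])
        elif name == "deny_info" and len(args) == 2 and "://" in args[0]:
            redirects[args[1]] = args[0]
    return [(port, acl, url)
            for acl, url in redirects.items()
            for port in myport_acls.get(acl, [])
            if accel_by_port.get(port) is False]

# Constructed sample: the relevant lines of the config posted in the thread
# (https_port options abbreviated).
POSTED = """\
http_port 80
https_port 443 cert=/etc/squid/autotask.net-11-07.pem defaultsite=qa3
acl port80 myport 80
http_access deny port80
deny_info https://qa3/ port80
"""
# Same lines with defaultsite= added on port 80 (the form that started for the
# poster); using qa3 as the site name is an assumption of this example.
CORRECTED = POSTED.replace("http_port 80\n", "http_port 80 defaultsite=qa3\n")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, unreachable_redirects(conf))
```
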
