forward proxy to reverse proxy to app


forward proxy to reverse proxy to app

Bernhard Dübi
Hi,

I'm trying to configure squid for a very special use case but can't get it
to work. So, if you could give me some hints on how to do it right,
that would be great.

Here's what I try to achieve:

the browser has proxy:8080 configured as manual proxy
from the browser I access some websites
when the request is plain http then the reply must be a redirect to https
when the request is https then the ssl connection must be terminated
on the proxy and the request must be forwarded as http to the
application server

I know, I could just forget about ssl and go directly to the app server
with http, but the customer insists on that particular setup

we use several domains like app1.doma.com, app2.domb.biz, app3.domc.org
in order to return the correct certificate for each request, I need a
dedicated ip:port combination for each certificate

I came up with the following setup

browser -> proxy:8080 -> squid
    for http://app1.doma.com  -> 127.0.0.1:10081 -> haproxy -> redirect
    for https://app1.doma.com -> 127.0.0.1:10401 -> haproxy -> terminate ssl -> app1.local.net:8123
    for http://app2.doma.com  -> 127.0.0.1:10082 -> haproxy -> redirect
    for https://app2.doma.com -> 127.0.0.1:10402 -> haproxy -> terminate ssl -> app2.local.net:8765
    for http://app3.doma.com  -> 127.0.0.1:10083 -> haproxy -> redirect
    for https://app3.doma.com -> 127.0.0.1:10403 -> haproxy -> terminate ssl -> app3.local.net:8888

here's the configuration I created so far

http_port 8080

# User networks
acl Users src 10.11.12.0/22

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow Users
http_access deny all
coredump_dir /var/spool/squid
cache deny all
never_direct allow all

acl to_domA dstdomain .doma.com
acl to_domB dstdomain .domb.biz
acl to_domC dstdomain .domc.org

cache_peer 127.0.0.1 parent 10081 0 name=domA_redirect no-query originserver
cache_peer_access domA_redirect allow !CONNECT to_domA
cache_peer 127.0.0.1 parent 10401 0 name=domA_ssl no-query originserver
cache_peer_access domA_ssl allow CONNECT to_domA

cache_peer 127.0.0.1 parent 10082 0 name=domB_redirect no-query originserver
cache_peer_access domB_redirect allow !CONNECT to_domB
cache_peer 127.0.0.1 parent 10402 0 name=domB_ssl no-query originserver
cache_peer_access domB_ssl allow CONNECT to_domB

cache_peer 127.0.0.1 parent 10083 0 name=domC_redirect no-query originserver
cache_peer_access domC_redirect allow !CONNECT to_domC
cache_peer 127.0.0.1 parent 10403 0 name=domC_ssl no-query originserver
cache_peer_access domC_ssl allow CONNECT to_domC
the plain http part works: squid selects the correct peer and haproxy
responds with the redirect

SSL, or rather the CONNECT call, is the problem:

2017/11/17 07:56:21.429 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d69a951b68 answer ALLOWED for match
2017/11/17 07:56:21.429 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d69a951b68 answer=ALLOWED
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(171) peerCheckNeverDirectDone: peerCheckNeverDirectDone: ALLOWED
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(177) peerCheckNeverDirectDone: direct = DIRECT_NO (never_direct allow)
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(441) peerSelectFoo: CONNECT app1.doma.com
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(685) peerGetSomeParent: CONNECT app1.doma.com
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths: Failed to select source for 'app1.doma.com:443'
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(281) peerSelectDnsPaths:   always_direct = DENIED
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(282) peerSelectDnsPaths:    never_direct = ALLOWED
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(295) peerSelectDnsPaths:        timedout = 0
2017/11/17 07:56:21.429 kid1| 26,3| tunnel.cc(1156) tunnelPeerSelectComplete: No paths found. Aborting CONNECT
2017/11/17 07:56:21.429 kid1| 4,3| errorpage.cc(633) errorSend: local=10.1.2.3:8080 remote=10.11.12.13:61110 FD 12 flags=1, err=0x55d69a511528
2017/11/17 07:56:21.429 kid1| 4,2| errorpage.cc(1262) BuildContent: No existing error page language negotiated for ERR_CANNOT_FORWARD. Using default error file.

if it makes any difference, here are some details about the OS and squid:

root@proj-proxy:~# dpkg -l | grep squid
ii  squid                             3.5.12-1ubuntu7.4    amd64        Full featured Web Proxy cache (HTTP proxy)
ii  squid-common                      3.5.12-1ubuntu7.4    all          Full featured Web Proxy cache (HTTP proxy) - common files
ii  squid-langpack                    20150704-1           all          Localized error pages for Squid

root@proj-proxy:~# uname -a
Linux proj-proxy 4.4.0-98-generic #121-Ubuntu SMP Tue Oct 10 14:24:03 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

root@proj-proxy:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
Many thanks for your help
Bernhard
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
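The cache.log trace above is the most useful evidence in this post, so here is a small parser for that debug record format and a summarizer that pulls out the peer-selection outcome (request, always_direct/never_direct results, the destination that failed, and the ERR_* page sent to the client). This is an added example written for this thread, not code from the poster or from the Squid project; the sample input is constructed from the trace above with each record re-joined onto one line, and the diagnosis strings are my own wording of what the trace shows.

```python
import re

# Constructed sample input: the cache.log debug trace from the post above,
# re-joined so that each record is on a single line.
SAMPLE_LOG = """\
2017/11/17 07:56:21.429 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d69a951b68 answer ALLOWED for match
2017/11/17 07:56:21.429 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d69a951b68 answer=ALLOWED
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(171) peerCheckNeverDirectDone: peerCheckNeverDirectDone: ALLOWED
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(177) peerCheckNeverDirectDone: direct = DIRECT_NO (never_direct allow)
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(441) peerSelectFoo: CONNECT app1.doma.com
2017/11/17 07:56:21.429 kid1| 44,3| peer_select.cc(685) peerGetSomeParent: CONNECT app1.doma.com
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths: Failed to select source for 'app1.doma.com:443'
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(281) peerSelectDnsPaths:   always_direct = DENIED
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(282) peerSelectDnsPaths:    never_direct = ALLOWED
2017/11/17 07:56:21.429 kid1| 44,2| peer_select.cc(295) peerSelectDnsPaths:        timedout = 0
2017/11/17 07:56:21.429 kid1| 26,3| tunnel.cc(1156) tunnelPeerSelectComplete: No paths found. Aborting CONNECT
2017/11/17 07:56:21.429 kid1| 4,3| errorpage.cc(633) errorSend: local=10.1.2.3:8080 remote=10.11.12.13:61110 FD 12 flags=1, err=0x55d69a511528
2017/11/17 07:56:21.429 kid1| 4,2| errorpage.cc(1262) BuildContent: No existing error page language negotiated for ERR_CANNOT_FORWARD. Using default error file.
"""

# One debug record: "<date> <time> kidN| <section>,<level>| <file>(<line>) <function>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| "
    r"(?P<section>\d+),(?P<level>\d+)\| "
    r"(?P<file>[\w.]+)\((?P<srcline>\d+)\) (?P<func>\w+): (?P<msg>.*)$"
)


def parse_cache_log(text: str) -> list:
    """Split a debug trace into dict records; lines that do not match are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["msg"] = rec["msg"].strip()   # peerSelectDnsPaths pads its messages
            records.append(rec)
    return records


def diagnose(summary: dict) -> str:
    """Turn the extracted fields into a one-line reading of the trace."""
    if not summary["aborted"]:
        return "a forwarding path was selected"
    method = (summary["request"] or "request").split()[0]
    if summary["never_direct"] == "ALLOWED":
        # never_direct rules out DIRECT, so the only remaining paths are cache_peers;
        # "No paths found" therefore means no peer accepted this method/destination.
        return (f"never_direct forbids DIRECT and no cache_peer accepted the {method} "
                f"request: review the cache_peer_access rules that apply to {method}")
    return "no forwarding path found: neither DIRECT nor any cache_peer was usable"


def summarize_peer_selection(text: str) -> dict:
    """Extract the peer-selection outcome for the request in a trace."""
    summary = {
        "request": None,             # e.g. "CONNECT app1.doma.com" (peerSelectFoo)
        "always_direct": None,       # ACL results as reported by peerSelectDnsPaths
        "never_direct": None,
        "failed_destination": None,  # host:port from "Failed to select source"
        "aborted": False,            # tunnel.cc gave up with "No paths found"
        "error_page": None,          # ERR_* page returned to the client
    }
    for rec in parse_cache_log(text):
        msg = rec["msg"]
        if rec["func"] == "peerSelectFoo":
            summary["request"] = msg
        m = re.search(r"\b(always_direct|never_direct) = (\w+)", msg)
        if m:
            summary[m.group(1)] = m.group(2)
        m = re.search(r"Failed to select source for '([^']+)'", msg)
        if m:
            summary["failed_destination"] = m.group(1)
        if "No paths found" in msg:
            summary["aborted"] = True
        m = re.search(r"\b(ERR_[A-Z_]+)", msg)
        if m:
            summary["error_page"] = m.group(1)
    summary["diagnosis"] = diagnose(summary)
    return summary


if __name__ == "__main__":
    for key, value in summarize_peer_selection(SAMPLE_LOG).items():
        print(f"{key:>20}: {value}")
```

Run it against a real cache.log captured with `debug_options ALL,1 44,3 26,3` (the sections that appear in the trace) to get the same summary for any CONNECT that Squid refuses to forward; the "diagnosis" line only reflects what the peer-selection messages state and does not claim to know which ACL rule mismatched.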

Re: forward proxy to reverse proxy to app

Amos Jeffries
Administrator
On 17/11/17 20:33, Bernhard Dübi wrote:

> Hi,
>
> I'm trying to configure squid for a very special use case but can't get it
> to work. So, if you could give me some hints on how to do it right,
> that would be great.
>
> Here's what I try to achieve:
>
> the browser has proxy:8080 configured as manual proxy
> from the browser I access some websites
> when the request is plain http then the reply must be a redirect to https
> when the request is https then the ssl connection must be terminated
> on the proxy and the request must be forwarded as http to the
> application server


A forward/explicit proxy like yours is required to ensure that the
security level of traffic remains unchanged across both client and
server connections. Never downgraded without explicit knowledge by both
endpoints. Bad problems ensue if you downgrade with either endpoint
thinking it is secure end-to-end.


>
> I know, I could just forget about ssl and go directly to the app server
> with http, but the customer insists on that particular setup
>
> we use several domains like app1.doma.com, app2.domb.biz, app3.domc.org
> in order to return the correct certificate for each request, I need a
> dedicated ip:port combination for each certificate

That is only relevant for *reverse-proxy*, not a forward/explicit proxy
like yours.

If you have an explicit TLS connection between the clients and Squid
forward/explicit you only need a certificate confirming Squid's hostname
to the client.

If you are using SSL-Bump to decrypt the HTTPS traffic Squid can
auto-generate certificates on the client connection based on the
upstream server cert details.


Amos
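The two options Amos names, as a squid.conf fragment. This is an added illustration written for this thread, not configuration from Amos, the original poster or the Squid project; the file paths, port numbers and ACL name are placeholders, and the SSL-Bump part assumes a Squid build with OpenSSL support.

```conf
# Added illustration for this thread; paths, ports and the ACL name are placeholders.

# Option 1: clients speak TLS to the proxy itself (explicit TLS to Squid).
# One certificate, issued for the proxy's own hostname, is all that is needed;
# the origin servers' certificates play no role on this listener.
https_port 8443 cert=/etc/squid/proxy.example.pem key=/etc/squid/proxy.example.key

# Option 2: SSL-Bump on the plain listener, so Squid can decrypt what the client
# sends inside a CONNECT tunnel. cert= is a CA the clients trust; Squid then
# generates a per-host certificate from the upstream server's certificate details,
# so no per-domain ip:port listener is required.
http_port 8080 ssl-bump cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

With peek at step 1 the generated certificate is derived from the origin server's own certificate, so the origin must present one; and in both options the hop from Squid onward keeps the security level the client negotiated, which is the property Amos is insisting on.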