reverse proxy and HTTP redirects


reverse proxy and HTTP redirects

Vieri Di Paola
Hi,

I configured a reverse proxy with something like this:

https_port 10.215.145.81:50443 accel cert=/etc/ssl/whatever.cer
key=/etc/ssl/whatever_key_nopassphrase.pem
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE,No_Compression
cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
tls-dh=/etc/ssl/whatever/dh2048.pem defaultsite=whatever.org

cache_peer 10.215.248.40 parent 8080 0 no-query originserver
login=PASS front-end-https=on name=httpsServer

[etc]

I can load the web portal just fine from a web client connecting to
10.215.145.81:50443. However, the web server then sends an HTTP
redirection to an HTTP URL which is something like
http://10.215.248.40:8080/whatever (in other words, the page is hosted
on the same server). That breaks the browsing experience (connection
reset).

If I can't modify the server code at 10.215.248.40, is there a
workaround for this?

Thanks,

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: reverse proxy and HTTP redirects

Amos Jeffries
Administrator
On 3/12/19 3:46 am, Vieri Di Paola wrote:

> Hi,
>
> I configured a reverse proxy with something like this:
>
> https_port 10.215.145.81:50443 accel cert=/etc/ssl/whatever.cer
> key=/etc/ssl/whatever_key_nopassphrase.pem
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE,No_Compression
> cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> tls-dh=/etc/ssl/whatever/dh2048.pem defaultsite=whatever.org


NP: you have not configured any Elliptic Curve to be used, so all those
EC ciphers will not be usable. Also you configured some DES-based
ciphers and then disabled DES.


>
> cache_peer 10.215.248.40 parent 8080 0 no-query originserver
> login=PASS front-end-https=on name=httpsServer
>
> [etc]
>
> I can load the web portal just fine from a web client connecting to
> 10.215.145.81:50443. However, the web server then sends an HTTP
> redirection to an HTTP URL which is something like
> http://10.215.248.40:8080/whatever (in other words, the page is hosted
> on the same server). That breaks the browsing experience (connection
> reset).
>
> If I can't modify the server code at 10.215.248.40, is there a
> workaround for this?

You do not need to modify code anywhere.

The problem is that the client is talking to port 50443 and the service
is expecting port 8080 in URLs.

The best solution is to have the server and Squid using the same port
number. Preferably 443 for HTTPS services.

Alternatively you might be able to use the vport= option on https_port
to set the URL port to 8080. However, this affects *all* inbound traffic
at that port and any embedded URLs the service sends the client will
remain broken (contain port 8080).


Amos

Re: reverse proxy and HTTP redirects

Vieri Di Paola
Hi,

On Tue, Dec 3, 2019 at 6:33 AM Amos Jeffries <[hidden email]> wrote:
>
> NP: you have not configured any Elliptic Curve to be used, so all those
> EC ciphers will not be usable. Also you configured some DES based
> ciphers and then disable DES.

I'll review that, thanks.

> The problem is that the client is talking to port 50443 and the service
> is expecting port 8080 in URLs.
>
> The best solution is to have the server and Squid using the same port
> number. Preferably 443 for HTTPS services.

I can't. Both 443 and 8080 are already in use.

> Alternatively you might be able to use the vport= option on https_port
> to set the URL port to 8080. However, this affects *all* inbound traffic
> at that port and any embedded URLs the service sends the client will
> remain broken (contain port 8080).

Whether I use vport=8080 or not, it still fails because the client
gets an HTTP redirection such as:

http://squidserver.local:50443/whatever (without vport=)

http://squidserver.local:8080/whatever (with vport=8080)

Note the http://.
So the client browser is instructed to connect to an HTTP port which
is closed/firewalled.
I would need to somehow rewrite the redirection to something like:

https://squidserver.local:50443/whatever (without vport=)

Vieri

Re: reverse proxy and HTTP redirects

Amos Jeffries
Administrator
On 3/12/19 10:11 pm, Vieri Di Paola wrote:

>
> Whether I use vport=8080 or not, it still fails because the client
> gets an HTTP redirection such as:
>
> http://squidserver.local:50443/whatever (without vport=)
>
> http://squidserver.local:8080/whatever (with vport=8080)
>
> Note the http://.
> So the client browser is instructed to connect to an HTTP port which
> is closed/firewalled.
> I would need to somehow rewrite the redirection to something like:
>
> https://squidserver.local:50443/whatever (without vport=)
>

Hmm, what version of Squid is this?


Can you configure "debug_options 11,2" and see what the HTTP messages
look like?

Amos

Re: reverse proxy and HTTP redirects

Vieri Di Paola
> Hmm, what version of Squid is this?

3.5.27 (yes, I'm aware of the security vulnerability, but I'm unable
to upgrade right now)

> Can you configure "debug_options 11,2" and see what the HTTP messages
> look like?

Everything looks OK until I get:

2019/12/03 14:52:26.509 kid1| 11,2| http.cc(720) processReplyHeader:
HTTP Server REPLY:
---------
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=DQS7FWuX-JxNHXMZE+BHeQ2H; Path=/aida
Location: http://whatever.org:50443/whatever/security/afterLogin
Content-Length: 0
Date: Tue, 03 Dec 2019 13:52:25 GMT

Then the log ends with:

----------
2019/12/03 14:52:26.509 kid1| ctx: exit level  0
2019/12/03 14:52:26.509 kid1| 11,2| client_side.cc(1409)
sendStartOfMessage: HTTP Client local=10.215.145.81:50443
remote=10.215.144.48:54243 FD 12 flags=1
2019/12/03 14:52:26.509 kid1| 11,2| client_side.cc(1410)
sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=DQS7FWuX-JxNHXMZE+BHeQ2H; Path=/whatever
Location: http://whatever.org:50443/whatever/security/afterLogin
Content-Length: 0
Date: Tue, 03 Dec 2019 13:52:25 GMT
X-Cache: MISS from inf-fw2
X-Cache-Lookup: MISS from inf-fw2:50443
Via: 1.1 rev_aida (squid)
Connection: keep-alive


----------

Thanks,

Vieri

Re: reverse proxy and HTTP redirects

Amos Jeffries
Administrator
On 4/12/19 3:02 am, Vieri Di Paola wrote:
>> Hmm, what version of Squid is this?
>
> 3.5.27 (yes, I'm aware of the security vulnerability, but I'm unable
> to upgrade right now)
>
>> Can you configure "debug_options 11,2" and see what the HTTP messages
>> look like?
>
> Everything looks OK until I get:

I'm trying to see for myself if this is actually normal/OK - since I
don't know how familiar you are with HTTP accel mode syntax.

The requests in particular are most interesting, though what responses
are paired with each is also potentially important.



>
> 2019/12/03 14:52:26.509 kid1| 11,2| http.cc(720) processReplyHeader:
> HTTP Server REPLY:
> ---------
> HTTP/1.1 302 Moved Temporarily
...
> Location: http://whatever.org:50443/whatever/security/afterLogin

That is a very good sign. The server is using the Squid listening port
in its generated URLs.


Amos

Re: reverse proxy and HTTP redirects

Vieri Di Paola
On Wed, Dec 4, 2019 at 6:15 AM Amos Jeffries <[hidden email]> wrote:
>
> I'm trying to see for myself if this is actually normal/OK - since I
> don't know how familiar you are with HTTP accel mode syntax.
>
> The requests in particular are most interesting, though what responses
> are paired with each is also potentially important.

Hope it fits here. Otherwise, I'll pastebin it in another e-mail.

Here's the whole shebang:

2019/12/03 14:52:25.964 kid1| 11,2| client_side.cc(2372)
parseHttpRequest: HTTP Client local=10.215.145.81:50443
remote=10.215.144.48:54243 FD 12 flags=1
2019/12/03 14:52:25.964 kid1| 11,2| client_side.cc(2373)
parseHttpRequest: HTTP Client REQUEST:
---------
POST /whatever/j_spring_security_check HTTP/1.1
Host: intranet.mydomain.org:50443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)
Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,es-ES;q=0.6,es;q=0.4,ca;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://intranet.mydomain.org:50443/whatever/security/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Cookie: JSESSIONID=pveHPU4LMS7YcbpaFwAADdL3
Connection: keep-alive
Upgrade-Insecure-Requests: 1

redirect=&username=myuser&password=mypassword
----------
2019/12/03 14:52:25.964 kid1| 11,2| http.cc(2229) sendRequest: HTTP
Server local=10.215.248.91:49470 remote=10.215.248.40:8080 FD 17
flags=1
2019/12/03 14:52:25.964 kid1| 11,2| http.cc(2230) sendRequest: HTTP
Server REQUEST:
---------
POST /whatever/j_spring_security_check HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)
Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,es-ES;q=0.6,es;q=0.4,ca;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://intranet.mydomain.org:50443/whatever/security/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Cookie: JSESSIONID=pveHPU4LMS7YcbpaFwAADdL3
Upgrade-Insecure-Requests: 1
Host: intranet.mydomain.org:50443
Via: 1.1 rev_whatever (squid)
Surrogate-Capability: inf-fw2="Surrogate/1.0"
X-Forwarded-For: 10.215.144.48
Cache-Control: max-age=259200
Connection: keep-alive


----------
2019/12/03 14:52:26.509 kid1| ctx: enter level  0:
'https://intranet.mydomain.org:50443/whatever/j_spring_security_check'
2019/12/03 14:52:26.509 kid1| 11,2| http.cc(719) processReplyHeader:
HTTP Server local=10.215.248.91:49470 remote=10.215.248.40:8080 FD 17
flags=1
2019/12/03 14:52:26.509 kid1| 11,2| http.cc(720) processReplyHeader:
HTTP Server REPLY:
---------
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=DQS7FWuX-JxNHXMZE+BHeQ2H; Path=/whatever
Location: http://intranet.mydomain.org:50443/whatever/security/afterLogin
Content-Length: 0
Date: Tue, 03 Dec 2019 13:52:25 GMT


----------
2019/12/03 14:52:26.509 kid1| ctx: exit level  0
2019/12/03 14:52:26.509 kid1| 11,2| client_side.cc(1409)
sendStartOfMessage: HTTP Client local=10.215.145.81:50443
remote=10.215.144.48:54243 FD 12 flags=1
2019/12/03 14:52:26.509 kid1| 11,2| client_side.cc(1410)
sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=DQS7FWuX-JxNHXMZE+BHeQ2H; Path=/whatever
Location: http://intranet.mydomain.org:50443/whatever/security/afterLogin
Content-Length: 0
Date: Tue, 03 Dec 2019 13:52:25 GMT
X-Cache: MISS from inf-fw2
X-Cache-Lookup: MISS from inf-fw2:50443
Via: 1.1 rev_whatever (squid)
Connection: keep-alive


----------

> >
> > 2019/12/03 14:52:26.509 kid1| 11,2| http.cc(720) processReplyHeader:
> > HTTP Server REPLY:
> > ---------
> > HTTP/1.1 302 Moved Temporarily
> ...
> > Location: http://whatever.org:50443/whatever/security/afterLogin
>
> That is a very good sign. The server is using the Squid listening port
> in its generated URLs.

Yes, the port is fine. It's the protocol that's http instead of https.

Vieri

Re: reverse proxy and HTTP redirects

Vieri Di Paola
In reply to this post by Amos Jeffries
I could try to use a redirector with location_rewrite_program, but
this directive is not available anymore.
I presume I need to use url_rewrite_program instead.
I wonder if it will rewrite the "Location" header the origin server is
sending to the client browser.

Vieri

Re: reverse proxy and HTTP redirects

Amos Jeffries
Administrator
On 5/12/19 11:17 pm, Vieri Di Paola wrote:
> I could try to use a redirector with location_rewrite_program, but
> this directive is not available anymore.
> I presume I need to use url_rewrite_program instead.

No, that only re-writes the client requested URLs.

You can try using a rewriter on the external_acl_type helper interface.
Something like this (untested):

  external_acl_type location_rewriter %<h{Location} /path/to/rewriter
  acl bad_Location external location_rewriter

  deny_info 302:%note{location-rewrite} bad_Location
  acl 302 http_status 302
  http_reply_access deny 302 bad_Location


The idea being that you pass the helper the Location header. If that
value is http:// it produces the new URL in a response like:
  "OK location-rewrite=https://... \n"
otherwise:
  "ERR"

Since this is a Cookie based login check, you probably need to also pass
the Set-Cookie header to the helper and forward it back out as another
kv-pair so the reply_header_add directive can add that header back onto
the new Squid generated 302 message.


An alternative to this would be an eCAP module that just re-writes the
Location headers in place. That would be simpler, but requires some
coding to create the module.


Amos
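An added helper for the external_acl_type exchange Amos sketches above (example code written for this thread, not Squid's own code and not something either poster supplied). It assumes the single-field `%<h{Location}` format from that config, the thread's hostnames as the accelerator's own host:port pairs in OWN_NETLOCS, and rewrites only redirects that point back at Squid itself, since an http:// redirect to some other site may be correct as it is.

```python
#!/usr/bin/env python3
"""external_acl_type helper that turns an http:// Location header into https://.

Assumed squid.conf line (from the thread): Squid passes the reply's Location
header as the only field on each input line:
  external_acl_type location_rewriter %<h{Location} /path/to/rewriter
Reply protocol: "OK key=value" marks the ACL as matched (deny_info then issues
the rewritten 302); "ERR" lets the original reply through untouched.
"""
import sys
from urllib.parse import quote, urlsplit

# Assumed: the host:port pairs the accelerator answers on (from the thread's
# log lines). Only redirects pointing back at Squid itself are rewritten.
OWN_NETLOCS = {"intranet.mydomain.org:50443", "whatever.org:50443"}


def rewrite_location(line: str) -> str:
    """Build the helper reply for one request line (no trailing newline).

    Input is "<Location value>" or, if concurrency=N is set in squid.conf,
    "<channel-id> <Location value>"; the channel id must be echoed back.
    Squid sends "-" when the header is absent.
    """
    fields = line.strip().split()
    channel = ""
    if len(fields) == 2 and fields[0].isdigit():
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 1:
        return channel + "ERR"
    location = fields[0]
    if location == "-" or not location.lower().startswith("http://"):
        return channel + "ERR"  # nothing to fix, pass the reply through
    if urlsplit(location).netloc.lower() not in OWN_NETLOCS:
        return channel + "ERR"  # foreign http:// target: leave it alone
    new_url = "https://" + location[len("http://"):]
    # Helper kv values must be URL-encoded (or double-quoted): keep the URL's
    # own reserved characters, escape anything else ('%', spaces, quotes).
    safe = ":/?#[]@!$&'()*+,;="
    return channel + "OK location-rewrite=" + quote(new_url, safe=safe)


def main() -> None:
    # Squid sends one lookup per line and waits for the reply, so flush each one.
    for line in sys.stdin:
        sys.stdout.write(rewrite_location(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```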

Re: reverse proxy and HTTP redirects

Vieri Di Paola
On Thu, Dec 5, 2019 at 11:48 AM Amos Jeffries <[hidden email]> wrote:
>
> An alternative to this would be an eCAP module that just re-writes the
> Location headers in place. That would be simpler, but requires some
> coding to create the module.

Simpler, I like how that sounds...
I presume a good starting point would be:
https://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP
http://www.e-cap.org/downloads/

If you have any more hints/suggestions/quickstarts for this particular
problem with eCAP, please let me know.

Thanks,

Vieri

Re: reverse proxy and HTTP redirects

Vieri Di Paola
In reply to this post by Amos Jeffries
By the way, if I were to upgrade to Squid 4, would the following do the trick?

reply_header_add Strict-Transport-Security "max-age=31536000;
includeSubDomains; preload" all

Re: reverse proxy and HTTP redirects

Amos Jeffries
Administrator
On 6/12/19 1:41 am, Vieri Di Paola wrote:
> By the way, if I were to upgrade to Squid 4, would the following do the trick?
>
> reply_header_add Strict-Transport-Security "max-age=31536000;
> includeSubDomains; preload" all
>


Doubtful, but if you want to test it start with a very *small* max-age
value (eg max-age=60). So that if things go wrong you don't have to
throw away the domain name.

Amos

Re: reverse proxy and HTTP redirects

Vieri Di Paola
In reply to this post by Amos Jeffries
On Thu, Dec 5, 2019 at 11:48 AM Amos Jeffries <[hidden email]> wrote:
>
>   external_acl_type location_rewriter %<h{Location} /path/to/rewriter
>   acl bad_Location external location_rewriter
>
>   deny_info 302:%note{location-rewrite} bad_Location
>   acl 302 http_status 302
>   http_reply_access deny 302 bad_Location

Sorry to bother you again with this, but what does
"%note{location-rewrite}" mean?
I'm getting this error message:
FATAL: status 302 requires a URL on '302:%note{location-rewrite}'

Thanks,

Vieri

Re: reverse proxy and HTTP redirects

Vieri Di Paola
In reply to this post by Amos Jeffries
On Thu, Dec 5, 2019 at 11:48 AM Amos Jeffries <[hidden email]> wrote:
>
>   external_acl_type location_rewriter %<h{Location} /path/to/rewriter
>   acl bad_Location external location_rewriter
>
>   deny_info 302:%note{location-rewrite} bad_Location
>   acl 302 http_status 302
>   http_reply_access deny 302 bad_Location

I just read something about %note here:
http://www.squid-cache.org/Doc/config/logformat/
However, Squid 3.x doesn't seem to accept %note{location-rewrite} as a
URL placeholder for deny_info.

Vieri