0day n00b
Joined: 20 Apr 2005 Posts: 22
Posted: Tue Dec 06, 2005 5:17 pm Post subject: Squid, Perl, and Reverse Proxy, Oh My!
Top O' tha Morn!
I'm currently trying to set up a reverse proxy using squid to access five web servers with the following configuration:
Server 1: Unknown Appliance Webserver with ActiveX Plugins on port 8888
Server 2: Apache/PHP Webserver which runs on port 80
Server 3: Apache/JDK Webserver on port 8080
Server 4: IIS Webserver on port 80
Server 5: Apache which runs on port 81 on the same server as squid
Here's what I have so far:
/etc/squid/squid.conf
Code: |
http_port 80
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
redirect_program /usr/local/bin/redirect.pl
redirect_children 10
redirect_rewrites_host_header off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnetB src 10.0.0.0/255.255.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http localhost
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
# And finally deny all other access to this proxy
http_access deny all
httpd_accel_host virtual
httpd_accel_port 0
httpd_accel_single_host off
httpd_accel_with_proxy off
httpd_accel_uses_host_header on
logfile_rotate 10
forwarded_for off
|
And here is the code for the /usr/local/bin/redirect.pl script to redirect to the correct server:
Code: |
#!/usr/bin/perl
$|=1;
while (<>) {
s@http://www.publicsite.com/serverone@http://serverone:8888@i; #Server 1
s@http://www.publicsite.com/servertwo@http://servertwo@i; #Server 2
s@http://www.publicsite.com/serverthree@http://serverthree:8080/menu/login/login.jsp@i; #Server 3
s@http://www.publicsite.com/serverfour@http://forest/iis/asp/login.aspx@i; #Server 4
s@http://www.publicsite.com@http://localhost:81@i; # Server 5
print;
}
|
Initially, all 5 servers go to the correct destination. So if I type in the URL:
Code: |
http://www.publicsite.com/serverthree
|
The perl script will redirect it to the internal server:
Code: |
http://serverthree:8080/menu/login/login.jsp
|
The problem I'm having is that any time you try to click on a link on any of the first four servers after the initial redirect, the URL changes. For example we are currently in the login.jsp page and we click on the login hyperlink which sends us to:
Code: |
http://serverthree:8080/main/mainpage.jsp
|
Obviously the perl script sees no need to redirect again causing the URL to look on localhost:81 which causes a page cannot be displayed message. So this leads me to my question:
How do I need to write my perl script so that when for example I go to:
Code: |
http://www.publicsite.com/serverfour
|
The website will know to go to Server 4 inside the LAN and STAY THERE when any links are clicked on instead of going back to localhost:81?
Do I need to be utilizing a different method?
Thanks for any help in advance!
Best Regards,
William McCloud |
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Dec 06, 2005 10:09 pm
adopted from one of our redirectors, should do the trick (though untested)
Code: |
#!/usr/bin/perl
$|=1;    # unbuffered output, squid waits for one answer per request line
while (<>) {
    # squid passes "URL client_ip/fqdn ident method"; only the URL is needed
    @X = split;
    $url = $X[0];
    # each branch answers "302:<target>" for one published path
    if ($url =~ /^http:\/\/www\.publicsite\.com\/serverone\/?$/) {
        $url = 'http://serverone:8888';
        print "302:$url\n"; }
    elsif ($url =~ /^http:\/\/www\.publicsite\.com\/servertwo\/?$/) {
        $url = 'https://servertwo/';
        print "302:$url\n"; }
    elsif ($url =~ /^http:\/\/www\.publicsite\.com\/serverthree\/?$/) {
        $url = 'http://serverthree:8080/menu/login/login.jsp';
        print "302:$url\n"; }
    elsif ($url =~ /^http:\/\/www\.publicsite\.com\/serverfour\/?$/) {
        $url = 'http://forest/iis/asp/login.aspx';
        print "302:$url\n"; }
    elsif ($url =~ /^http:\/\/www\.publicsite\.com/) {
        $url = 'http://www.publicsite.com:81';
        print "302:$url\n"; }
    else {
        # anything else is passed back unchanged
        print "$url\n"; }
}
|
_________________ Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself |
0day n00b
Joined: 20 Apr 2005 Posts: 22
Posted: Wed Dec 07, 2005 3:54 pm
Good morning,
Thanks for the reply. The script that was provided works ok when you're going to the site if you're in the LAN, but if I'm on the internet it doesn't work. Unfortunately the primary use of this functionality would be to access internal web servers from the internet. Do you have any other suggestions? Also, could you explain what exactly the perl code is doing in order to get a better sense for debugging? Thanks in advance!
William McCloud :D
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Wed Dec 07, 2005 9:57 pm
0day wrote: | Thanks for the reply. The script that was provided works ok when you're going to the site if you're in the LAN, but if I'm on the internet it doesn't work. Unfortunately the primary use of this functionality would be to access internal web servers from the internet. Do you have any other suggestions? |
Of course I have
I assume the servers serverone/servertwo/serverthree/forest are neither directly accessible nor resolvable from internet side, correct?
You need to assure that the machine running squid CAN resolve them by name (as written in the perl script, e.g. by adding them to /etc/hosts on the squid box) - they even can have RFC1918 addresses (10.x.y.z/192.168.x.y/...), doesn't matter; as long as the squid machine can reach them.
About the 302... wrote: | The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests |
_________________ Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself |
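Added example, not part of any post in this thread: a redirect_program script that maps each public path prefix to its back end and keeps the rest of the path, so follow-up requests under /serverfour/... still go to the same server. It prints plain URLs (no 302: prefix), so Squid fetches the back end itself and the browser keeps the public URL. It assumes every back end serves its pages under the remainder of the path and that its links stay under the public prefix; the landing-page targets from the posts are not reproduced.

```perl
#!/usr/bin/perl
# Added example (not from the thread): a path-preserving URL rewriter for
# Squid's redirect_program. Host names and ports are the ones in the posts.
use strict;
use warnings;

$| = 1;    # unbuffered: Squid waits for one reply line per request line

my $public_host = 'www.publicsite.com';
my $default     = 'http://localhost:81';    # Server 5, catches everything else

# Public path prefix => internal base URL, checked in order.
my @routes = (
    [ '/serverone',   'http://serverone:8888' ],
    [ '/servertwo',   'http://servertwo' ],
    [ '/serverthree', 'http://serverthree:8080' ],
    [ '/serverfour',  'http://forest' ],
);

sub rewrite {
    my ($url) = @_;

    # Requests for any other host or scheme go to the default server, so this
    # script never hands Squid a URL whose host is not listed in this file.
    my ($path) = $url =~ m{^http://\Q$public_host\E(?::80)?(/.*)?$}i
        or return "$default/";
    $path = '/' unless defined $path;

    for my $route (@routes) {
        my ($prefix, $base) = @$route;
        # Match whole path segments only: "/serverone" and "/serverone/x"
        # match, "/serveronex" does not. The rest of the path is kept.
        if ($path =~ m{^\Q$prefix\E(/.*|\?.*)?$}i) {
            my $rest = defined $1 ? $1 : '/';
            $rest = "/$rest" if $rest =~ /^\?/;
            return $base . $rest;
        }
    }
    return $default . $path;
}

# Squid sends "URL client_ip/fqdn ident method"; only the URL is used.
while (my $line = <STDIN>) {
    my ($url) = split ' ', $line;
    print rewrite(defined $url ? $url : ''), "\n";
}
```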