Squid reverse proxy redirect / rewrite HTTP to HTTPS

httpsreverse-proxysquid

My Squid Reverse Proxy only accepts HTTPS requests. What is a short way to redirect/rewrite a HTTP-request to https?
So if the user visits http://foo.server.com he should be automatically redirected to https://foo.server.com

Best Answer

One way is to get the origin server to do the redirect, but it seems more efficient to get Squid to do it. There are a couple of approaches, but using deny_info seems the easiest.

In the squid.conf configuration file:

acl PORT80 myport 80
acl MYSITE dstdomain foo.server.com
http_access deny PORT80 MYSITE
deny_info 301:https://foo.server.com%R MYSITE

At first glance, the http_access statement just denies access to the HTTP version of your site. However due to the deny_info statement Squid will redirect users to an alternative site (in this case the HTTPS version) rather than simply giving an access-denied message.

The %R tag causes the request URL path to be included in the redirect, so that if users try to visit http://foo.server.com/bar then they'll get directed to https://foo.server.com/bar, rather than just https://foo.server.com.

The full list of URL format tags is available in the Squid documentation: http://www.squid-cache.org/Doc/config/deny_info/

The order of the acl statements is important because Squid only remembers the last http_access deny and looks for the deny_info to match that acl.

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Ssl – Squid reverse proxy with optional SSL

UPDATE (actually tried this from my squid...):

acl is_ssl port 443
https_port 443 cert=<yourcert> key=<yourkey> accel name=site_ssl defaultsite=<y\
our_external_site>
cache_peer <your_internal_ssl> parent 443 0 no-query originserver ssl sslflags=\
DONT_VERIFY_PEER name=site_ssl
cache_peer_access site_ssl allow is_ssl
cache_peer_access site_ssl deny !is_ssl

acl nonssl port 80
http_port 80 accel defaultsite=<your_external_site>  name=site_nonssl
cache_peer <your_internal_nonssl> parent 80 0 no-query name=site_nonssl origins\
erver
cache_peer_access site_nonssl allow nonssl
cache_peer_access site_nonssl deny !is_nonssl

ORIGINAL ANSWER BELOW HERE:

you want something like

cache_peer 10.0.0.11 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site_ssl
acl sites_server_3 dstdomain site_ssl
cache_peer_access site_ssl allow ssl_servers
http_access allow ssl_servers

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Ssl – Squid reverse proxy with optional SSL

Related Topic