Old 06-19-2012, 11:39 PM   #1
4Paul4
Squid custom error pages


I am trying to set up a customer error page for our squid reverse proxy.
We have IP-Whitelisted some of our websites allowing potential customers to 'request a demo' after which their IP addresses will be added to the whitelist.
Case 1:
A customer visits our website (http://demo.oursite.com) without being in the whitelist
Result:
Code:
The following error was encountered while trying to retrieve the URL: http://demo.oursite.com
Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches.... etc
(squid/3.0.STABLE26)
Case 2:
Customer tries to access the following (https://demo.oursite.com)
Result:
Site does not load for them at all. Website unavailable message generated by their browser.

Rather than seeing these results, we would like them to see our custom html file telling them to request a demo.
I have tried editing the error message in the file on the server, restarting squid but it still displays the same old message.

Tail of /var/logs/cache.log:
Code:
Every 2.0s: tail /var/logs/cache.log                                                                                                  Wed Jun 20 04:22:37 2012

Y29t
-----END SSL SESSION PARAMETERS-----
2012/06/20 04:22:33| Failed to select source for 'http://demo.oursite.com/'
2012/06/20 04:22:33|   always_direct = 0
2012/06/20 04:22:33|    never_direct = 0
2012/06/20 04:22:33|        timedout = 0
2012/06/20 04:22:34| Failed to select source for 'http://demo.oursite.com/favicon.ico'
2012/06/20 04:22:34|   always_direct = 0
2012/06/20 04:22:34|    never_direct = 0
2012/06/20 04:22:34|        timedout = 0
Two Questions:

1) I would like the same effect whether they connect through HTTPS or HTTP. Why is it not connecting at all via HTTPS and showing the error message via HTTP?

2) Other than edit the error message file, what else must I do to get the customer error message displayed?

squid.conf

Code:
#ACLS and Debug options
debug_options ALL,1 33,2 28,9
acl publicall src 0.0.0.0/0
acl darwin src 1x.xx.xx.xx
acl geelong src 2x.xx.xx.xx

#SSL Setup
visible_hostname oursite.com
http_port 80 accel vhost
https_port 443 accel cert=/usr/newrprgate/CertAuth/cert.cert key=/usr/newrprgate/CertAuth/key.pem vhost defaultsite=www.oursite.com
forwarded_for on

#Demo Site
cache_peer demo.oursite.com parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=demo
acl sites_demo dstdomain demo.oursite.com
cache_peer_access demo allow sites_demo darwin
cache_peer_access demo allow sites_demo geelong
cache_peer_access demo deny publicall
acl https proto https

<Other Sites Omitted>

acl https proto https
http_access allow all


access_log /var/log/squid/access.log
cache_mgr support@oursite.com

Last edited by 4Paul4; 06-20-2012 at 11:15 PM. Reason: fixed typos
 
Old 06-20-2012, 12:03 PM   #2
bathory
Quote:
Two Questions:

1) I would like the same effect whether they connect through HTTPS or HTTP. Why is it not connecting at all via HTTPS and showing the error message via HTTP?

2) Other than edit the error message file, what else must I do to get the customer error message displayed?
1. I'm not familiar with squid reverse proxy setup for a SSL backend, but from the documentation, looks like you need to use the same name in cache_peer_access as the one defined in cache_peer (that is "demo" in your case). So you should have:
Code:
cache_peer_access demo allow sites_demo darwin
cache_peer_access demo allow sites_demo geelong
cache_peer_access demo deny publicall
2. Have a look at the deny_info directive

Regards

Last edited by bathory; 06-21-2012 at 02:47 AM. Reason: OP request
 
1 members found this post helpful.
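A sketch of the deny_info approach suggested in point 2, as an added example that is not taken from either poster's configuration. It moves the whitelist decision to http_access so that Squid serves a dedicated page instead of the generic ERR_CANNOT_FORWARD. The ACL name demo_allowed, the template name ERR_REQUEST_DEMO and the addresses are assumptions made for illustration; the template file has to exist in Squid's error directory.

```conf
# Added example. demo_allowed, ERR_REQUEST_DEMO and the addresses below
# (documentation ranges) are placeholders, not values from the thread.

acl publicall src 0.0.0.0/0
acl sites_demo dstdomain demo.oursite.com
acl demo_allowed src 192.0.2.10 198.51.100.0/24

# Deny at http_access rather than leaving the request with no usable peer.
# deny_info is chosen by the LAST ACL named on the http_access line that
# denied the request, so demo_allowed is placed last on that line.
http_access deny sites_demo !demo_allowed
deny_info ERR_REQUEST_DEMO demo_allowed

# Everything else is handled as in the original configuration.
http_access allow all

# Keep the peer restriction as a second layer: if the http_access rule is
# ever removed, non-whitelisted clients still cannot reach the backend.
cache_peer_access demo allow sites_demo demo_allowed
cache_peer_access demo deny publicall
```

The same rule applies to requests arriving on https_port, but only if port 443 actually reaches Squid; a connection dropped before the proxy never gets an error page of any kind.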
Old 06-21-2012, 02:00 AM   #3
4Paul4
Quote:
Originally Posted by bathory
1. I'm not familiar with squid reverse proxy setup for a SSL backend, but from the documentation, looks like you need to use the same name in cache_peer_access as the one defined in cache_peer (that is "demo" in your case). So you should have:

2. Have a look at the deny_info directive

Regards
Hi bathory,

Sorry, that was a typo. They are all indeed demo.
I've got it sorted anyway, I just edited templates/ERR_CANNOT_FORWARD to contain the custom error message.

This works fine for http connections. Now all I need is to get https://demo.example.com to redirect to the error page instead of just timing out which it does now.

So right now, everything within the whitelist is working as expected. For everyone else, HTTP:// connections redirect to our custom error page as expected but HTTPS:// connections time out.

What do I have to change to make https connections forward to the error page also?
Is there something like https_access allow all?

Cheers
 
Old 06-21-2012, 03:24 AM   #4
bathory
Quote:
This works fine for http connections. Now all I need is to get https://demo.example.com to redirect to the error page instead of just timing out which it does now.
Timeout means that squid cannot access the backend server through the specific port.
Anyway, in this case, I guess you can change the ERR_CONNECT_FAIL page to your liking

Regards
 
1 members found this post helpful.
Old 06-21-2012, 07:03 PM   #5
4Paul4

Quote:
Originally Posted by bathory
Timeout means that squid cannot access the backend server through the specific port.
Anyway in this case, I guess you can change the ERR_CONNECT_FAIL page to your likings

Regards
The thing is, there is no error message showing up at all for https. I am not seeing the ERR_CONNECT_FAIL message, the page just keeps loading until I see the web browser's builtin 'cannot connect' message.

Also, within the white-listed IP addresses, clients are able to connect via HTTPS perfectly.

If I attempt to connect via http outside of the whitelist, I get the custom error page and the following appears in the /var/logs/cache.log:
Code:
2012/06/22 00:04:49| Failed to select source for 'http://demo.example.com/'
2012/06/22 00:04:49|   always_direct = 0
2012/06/22 00:04:49|    never_direct = 0
2012/06/22 00:04:49|        timedout = 0
But if I try to connect via HTTPS, nothing appears at all.

EDIT:

I found the problem. After re-reading my post, I decided to nmap the server and found only port 80 visible. It turns out I had a firewall-like system blocking it. All working fine now.

Thanks for the reply.

Last edited by 4Paul4; 06-21-2012 at 07:20 PM. Reason: id10t error
 
  

