On Fri, 5 Dec 2003, Jesse Reynolds wrote:
Why do redirectors worsen the situation?
Depends on what the redirector does. Provided it only adds options to the URL and does not modify the URL there is no problem.
But if the redirector modifies the host component of the URL or the URL-path then there is even less information to the web server/application on what the original URL was in the browser and a bigger risk for mismatches.
We change the hostname and port of the URL in the redirector. We have to do this because we have different backend web servers for different paths (e.g. www.host.com/app1 is redirected to internalhost.host.com:8080/app1).
Isn't this the purpose of a redirector when squid is in accelerator mode?
We are on 2.5 so can't use Front-End-Https: unfortunately, but that sounds more elegant than what we're doing. We have gone ahead and are tacking an SSL=1 param on the end of the URLs if they were accessed with HTTPS, this is working well for us, if a bit ugly.
Another option which you might be able to try is to rewrite the URLs into https:// and configure the web server as a parent proxy (but remember to disable server-side persistent connections). This will make Squid send the full URL to the server including protocol, not only the URL-path + query.
Ah, interesting. Can you do this in combination with a redirector to separate different path to host relationships? ... Wouldn't the web server try and encrypt the response if it gets a https? Or does it decide whether to encrypt or not based on other headers?
Jesse
--
::: Jesse Reynolds +61 (0)414 669 790 ::: AIM - jessedreynolds ::: ::: Virtual Artists Pty Ltd, Adelaide ::: http://www.va.com.au :::
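
The redirector approach described in this thread (rewrite host and port per path, append SSL=1 for HTTPS requests), sketched as an added example; this is not code from the thread or from Squid. It assumes the Squid 2.5 redirector line format "URL ip/fqdn ident method" and that the URL field carries the original scheme; the /app2 mapping and the helper names are hypothetical. It also drops any SSL parameter the client sent, so the backend only sees the marker when the redirector set it.

```python
import sys
from urllib.parse import urlsplit, urlunsplit

# Path prefix -> backend host:port. Only /app1 comes from the thread;
# the /app2 entry is a constructed placeholder.
BACKENDS = {
    "/app1": "internalhost.host.com:8080",
    "/app2": "internalhost2.host.com:8081",
}


def rewrite(url):
    """Return the backend URL, or "" (leave the URL unchanged) if no prefix matches."""
    parts = urlsplit(url)
    backend = None
    for prefix, target in BACKENDS.items():
        # Match on a path-segment boundary so /app10 does not hit /app1.
        if parts.path == prefix or parts.path.startswith(prefix + "/"):
            backend = target
            break
    if backend is None:
        return ""
    # Remove any client-supplied SSL parameter; only the redirector may set it.
    pairs = [p for p in parts.query.split("&")
             if p and p.split("=", 1)[0] != "SSL"]
    if parts.scheme == "https":
        pairs.append("SSL=1")
    return urlunsplit(("http", backend, parts.path, "&".join(pairs), ""))


def handle_line(line):
    """Process one redirector input line; the URL is the first field."""
    fields = line.split()
    return rewrite(fields[0]) if fields else ""


if __name__ == "__main__":
    # Squid keeps the redirector running and expects one reply line per request.
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()
```

The backend application must still treat SSL=1 as trustworthy only on connections that come from the Squid host.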
