How to use Squid proxy as reverse proxy server for RTC SCM operations.


Gaurav verma (1312) | asked Jun 21 '18, 6:27 a.m.
edited Jun 22 '18, 4:29 a.m. by Ralph Schoon (63.6k33646)

Hi Sam, thanks for the above-mentioned answers and notes.

I tried following the way defined in this article https://jazz.net/library/article/325 for configuring a Squid proxy (ver 3.5) to work as a reverse proxy for all my RTC SCM operations (RTC ver 6.0.3). After configuring my Squid.conf file like this:

---------------------------------------------------------------------------------------------------------------------------------------------------
https_port 443 cert=/cygdrive/C/squid/certs/server.pem accel key=/cygdrive/C/squid/certs/privkey.pem
cache_peer 80.231.143.40 parent 443 0 no-query originserver name=httpsAccel ssl login=PASSTHRU sslflags=DONT_VERIFY_PEER
cache_peer_access httpsAccel allow all
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir aufs /cygdrive/C/squid/cachedir 800480 256 256
cache_mem 200000 MB
cache_store_log none
coredump_dir /cygdrive/C/squid/coredump
refresh_pattern .                      0          20%     4320
cachemgr_passwd disable all
maximum_object_size 4096 MB
maximum_object_size_in_memory 8 MB
buffered_logs on
visible_hostname localhost
max_filedescriptors 3200
logfile_rotate 7
http_port 3128
---------------------------------------------------------------------------------------------------------------------------------------------------

I am unable to connect my RTC client using the Repository connection URL https://10.30.80.9:443/ccm

ERROR: The error says unable to find server, make sure your server is up and running

Also, when I tried to verify the Squid via the curl command curl -k https://10.30.80.9:443/ccm/service -v -u jtsadmin

it gave this message:

STATE INIT -> Connect handle 0x6000704e0 line 1404 <connection= -5000>
Added connection 0. The Cache now contains 1 members
trying 10.30.80.9...
TCP_Nodelay set
STATE: CONNECT  -> WAITCONNECT handle 0x6000704e0 line 1456 <connection #0>

Note: The URL https://80.231.132.40/ccm for the real RTC server is actually a Natted IP, and port 443 is used instead of 9443 by this URL.

I want to ask whether my Squid.conf file is correct, or whether I need to check for the correct URL?

Accepted answer

Kamal Kumar (16) | answered Jun 22 '18, 2:15 a.m.
JAZZ DEVELOPER

@Gaurav Verma, if you see either 40x or 302 as the response code when you run curl, your proxy is working as expected. From your above output I see it is not working correctly.
From the configuration, I see RTC is running on port 443; please confirm.

Below is the configuration from my working setup:

cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir aufs /var/cache/squid 10240 256 256
cache_mem 1024 MB
cache_store_log none
cache_peer rtcserver.com parent 9443 0 no-query originserver name=httpsAccel ssl login=PASSTHRU sslflags=DONT_VERIFY_PEER
cache_peer_access httpsAccel allow all
cachemgr_passwd disable all
coredump_dir /var/cache/squid
http_access allow all
https_port 443 cert=/etc/ssl/server.pem accel key=/etc/ssl/privkey.pem vhost
refresh_pattern . 0 20% 4320
maximum_object_size 5120 MB
maximum_object_size_in_memory 16 MB
buffered_logs on
visible_hostname squidproxyserver.com
access_log /var/log/squid/access.log squid
dns_nameservers ldap145.rtc.iot.ibm
hosts_file /etc/hosts


visible_hostname is set to localhost in your configuration; can you try giving the actual hostname?

If you are using WAS and a non-9443 port for the RTC server, check this link: https://www-01.ibm.com/support/docview.wss?rs=3488&uid=swg21405179&cm_mc_uid=80353386661415096039333&cm_mc_sid_50200000=13646271529646197502



Gaurav verma selected this answer as the correct answer
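
The two configurations in this thread can be compared mechanically. The following is an added example, not code from either poster or from the Squid project: it parses abbreviated copies of the two squid.conf files (constructed from the posts above), lists what the working setup has that the question's file lacks, and flags settings worth reviewing before the proxy is exposed. The function names are hypothetical.

```python
# Added example: abbreviated copies of the two squid.conf files posted above (constructed).
QUESTION_CONF = """\
https_port 443 cert=/cygdrive/C/squid/certs/server.pem accel key=/cygdrive/C/squid/certs/privkey.pem
cache_peer 80.231.143.40 parent 443 0 no-query originserver name=httpsAccel ssl login=PASSTHRU sslflags=DONT_VERIFY_PEER
cache_peer_access httpsAccel allow all
visible_hostname localhost
http_port 3128
"""
ANSWER_CONF = """\
cache_peer rtcserver.com parent 9443 0 no-query originserver name=httpsAccel ssl login=PASSTHRU sslflags=DONT_VERIFY_PEER
cache_peer_access httpsAccel allow all
http_access allow all
https_port 443 cert=/etc/ssl/server.pem accel key=/etc/ssl/privkey.pem vhost
visible_hostname squidproxyserver.com
"""

def parse(conf):
    """Map directive name -> list of argument lists (comments and blanks skipped)."""
    directives = {}
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            directives.setdefault(words[0], []).append(words[1:])
    return directives

def port_keywords(directives):
    """Value-less keywords (accel, vhost, ...) used on https_port lines."""
    return {a for args in directives.get("https_port", []) for a in args if a.isalpha()}

def missing_from(candidate, reference):
    """Directives and https_port keywords the reference has but the candidate lacks."""
    cand, ref = parse(candidate), parse(reference)
    gaps = sorted(set(ref) - set(cand))
    return gaps + [f"https_port {k}" for k in sorted(port_keywords(ref) - port_keywords(cand))]

def risky(conf):
    """Settings a reviewer should question before the proxy is exposed."""
    d, found = parse(conf), []
    peer_args = [a for args in d.get("cache_peer", []) for a in args]
    if any(a.startswith("sslflags=") and "DONT_VERIFY_PEER" in a for a in peer_args):
        found.append("cache_peer: origin certificate is not verified")
    if ["allow", "all"] in d.get("http_access", []):
        found.append("http_access: every client address is allowed")
    if "http_access" not in d:  # Squid's documented default with no access lines
        found.append("http_access: no rule, Squid denies requests by default")
    return found

if __name__ == "__main__":
    print(missing_from(QUESTION_CONF, ANSWER_CONF), risky(QUESTION_CONF), risky(ANSWER_CONF))
```

The differences it reports are starting points for review, not a diagnosis of the connection failure described in the question.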

Comments
Gaurav verma commented Jun 22 '18, 3:53 a.m.

Hi Kamal

@Kamal,

Thank you very much for the quick answer. A few more details about my setup.
The Squid proxy server is actually a machine which is outside the network in which CLM is running (it's basically at the supplier site); they want all the clients from the supplier site to connect with the proxy server rather than the real RTC server. Therefore they have only allowed this proxy server to talk to the RTC server via the Natted IP address (80.231.143.40) with port 443. As a result the URL to connect with RTC is changed and it's like https://80.231.143.40/ccm. Also, I then had to put this Natted IP 80.231.143.40 as PEER in the Squid.conf file.

I have changed the value in Visible_host from LOCALHOST to the real host name of the proxy server. But I am still not able to connect.

Could you please advise if Squid proxy software can work as a reverse proxy in this case?

One more thing: my Squid server is a Windows 2012 server OS, not Linux. So could you please advise if anything specific needs to be changed in the script.

One other answer



Kamal Kumar (16) | answered Jun 22 '18, 5:01 a.m.
JAZZ DEVELOPER

When you say "they want all the clients from supplier site to connect with proxy server rather than real RTC server", you mean the Squid proxy server, right?
https://jazz.net/wiki/bin/view/Deployment/SquidProxyJazzSCMWindows details how to configure for Windows.
Are you able to open the RTC URL https://80.231.143.40:443/ccm via browser from the machine where Squid is installed?
If you can reach it from the Squid server machine, you should be able to reach the RTC server via Squid as a reverse proxy as well.
If you can't reach it via browser, you should get this solved first.


Comments
Gaurav verma commented Jun 25 '18, 4:33 a.m.

@Kamal, thanks for the update. Below are my answers to your queries.

Yes, all client machines from the supplier end need to connect with the Squid proxy server for all their RTC SCM operations.

I exactly followed the note which you have shared but still no success; it throws the same error.

As I said earlier, in this setup the URL for accessing RTC on the Web is a Natted IP URL, hence all the clients are able to access it via the URL https://80.231.143.40/ccm. Also, they are using the same URL to connect their RTC Eclipse client, which they are able to do successfully.

But when I configured the Squid proxy to be used as a reverse proxy by making this Natted IP 80.231.143.40 the peer, it is not getting connected.

Port 443 is the only port which is opened for communication between suppliers and the real RTC server, and that too via 2 firewalls. So I am not sure how (where) to use this port in the (.conf) file.

Please let me know if Squid as a reverse proxy can work in this type of setup?
