RE: [squid-users] Reverse proxy setup with squid 2.6+

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 4 Mar 2008 10:09:45 +1300 (NZDT)

> I didn't have the cache_peer_access directive in my squid.conf. At this
> moment the cache_peer entries are as follows:
>
> cache_peer 10.x.x.11 parent 80 0 no-query originserver
> cache_peer_access 10.x.x.11 allow all
>
> I am still seeing the same issue of the connection going to the Virtual
> Host instead of to the origin server.

You still need an explicit redirection ACL to prevent DNS lookups.

acl hostedDomain dstdomain example.com
cache_peer_access 10.x.x.11 allow hostedDomain
never_direct allow hostedDomain

Amos

>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@treenet.co.nz]
> Sent: Saturday, March 01, 2008 4:36 AM
> To: Russ Gnann
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Reverse proxy setup with squid 2.6+
>
> Russ Gnann wrote:
>> We are currently looking to upgrade our squid servers from 2.5 to 2.6 or
>> higher. In our current configuration, we send requests to the origin
>> servers to a single IP address that points to a load balancer which is
>> associated with a pool of web servers. In 2.5, this is easy to do with
>> the httpd_accel_* directives, but in 2.6 I know that those directives
>> have been replaced by the http_port directive with accel, vhost, vport,
>> etc. options. I have supplied the squid.conf we are attempting to use
>> below with a build of 2.6. With this configuration, it appears that any
>> connection attempt that doesn't get a cache hit resolves the virtual
>> host, and makes an HTTP connection to that resolved public IP instead
>> of sending the request to the internal 10.x.x.11 address.
>>
>> Is there a way under squid 2.6 and higher to force any request that
>> doesn't make a cache hit to a single backend IP address? The vhost
>> option is necessary with http_port since the Host: header must contain
>> the Virtual Host name as our web servers use that data to determine
>> which site to serve.
>>
>
> You require a cache_peer directive and a cache_peer_access with ACLs.
> Those will direct cache-misses to the actual source you configure
> without doing the DNS lookups.
>
> Amos
>
>>
>> squid build:
>> # /opt/squid-2.6.16/sbin/squid -v
>> Squid Cache: Version 2.6.STABLE16
>> configure options: '--prefix=/opt/squid-2.6.16' '--enable-async-io'
>> '--enable-snmp' '--enable-removal-policies=heap' '--enable-referer-log'
>> '--enable-useragent-log'
>>
>> ----- squid.conf -----
>> acl snmppublic snmp_community local-squid-ro
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl local_network src 172.16.0.0/16 10.0.0.0/8
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> acl web_ports port 80
>> http_access allow web_ports
>> http_access allow manager localhost
>> http_access allow manager local_network
>> http_access deny manager
>> acl purge method PURGE
>> http_access allow purge localhost
>> http_access allow purge local_network
>> http_access deny purge
>> http_access allow all
>> icp_access allow all
>> http_port 80 accel defaultsite=10.x.x.11 vhost
>> cache_peer 10.x.x.11 parent 80 0 no-query originserver
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> memory_replacement_policy heap LFUDA
>> cache_replacement_policy heap LFUDA
>> logformat CustomLog %>a %ui %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" "%{Cookie}>h" %Ss:%Sh
>> access_log /opt/squid-2.6.16/var/logs/custom.log CustomLog
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> cache_effective_user www
>> cache_effective_group www
>> visible_hostname squid.domain.com
>>
>>
>>
>> Regards,
>>
>> Russell
>
>
> --
> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
> There are serious security advisories out on all earlier releases.
>
Received on Mon Mar 03 2008 - 14:09:50 MST

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:04 MDT
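The peer selection Amos describes, written out as a complete Squid 2.6 accelerator fragment. This is an added example, not configuration from the thread or from the Squid project; it keeps the 10.x.x.11 origin address from the thread and assumes a placeholder site name, example.com, that stands in for the real virtual host. Only the forwarding-related directives are shown; the manager, Safe_ports and logging lines from the original squid.conf stay as they were. Two points the posted configuration missed: the `hierarchy_stoplist cgi-bin ?` line marks any URL containing "cgi-bin" or "?" as not to be sent to peers, so those misses go DIRECT to whatever the Host: name resolves to unless `never_direct allow` forbids it (in Squid's directive semantics, `never_direct allow <acl>` means requests matching the ACL must never be fetched directly); and an accelerator running with `vhost` and `http_access allow all` will forward any Host: value a client supplies, which makes it an open proxy, so `http_access` must be restricted to the hosted domain.

```conf
# Added example (not from the thread): Squid 2.6 accelerator fragment that
# forces every cache miss for the hosted site to the internal origin address
# instead of resolving the Host: header and connecting to the public IP.
# Assumptions: the origin pool is reached at 10.x.x.11:80 (from the thread);
# example.com is a placeholder for the real virtual host name.

# Squid 2.6 does not predefine the 'all' ACL; it must be declared.
acl all src 0.0.0.0/0.0.0.0

# Listen as an accelerator and keep the client's Host: header (vhost) so the
# backend can choose the right virtual host. defaultsite fills in Host: for
# HTTP/1.0 clients that send none, so it should be a name hostedDomain matches.
http_port 80 accel defaultsite=example.com vhost

# The only upstream: the load balancer in front of the web pool.
cache_peer 10.x.x.11 parent 80 0 no-query originserver

# The site(s) this accelerator serves. A leading dot also matches subdomains.
acl hostedDomain dstdomain .example.com

# Only requests for the hosted domain may use the peer; nothing else may.
cache_peer_access 10.x.x.11 allow hostedDomain
cache_peer_access 10.x.x.11 deny all

# Requests for the hosted domain are forbidden to go DIRECT. Without this,
# URLs matching hierarchy_stoplist (cgi-bin, "?") bypass the peer and are
# fetched from whatever the Host: name resolves to in public DNS.
never_direct allow hostedDomain

# An accelerator with vhost must not act as an open proxy: admit only the
# hosted domain and refuse everything else. Place these before any broader
# http_access rules so no 'allow all' can match first.
http_access allow hostedDomain
http_access deny all
```

After changing the file, `squid -k parse` (against the same squid.conf) reports syntax errors, and `squid -k reconfigure` loads it; a request whose Host: header is not the hosted domain should then be answered with an access-denied page rather than forwarded, and `%Ss:%Sh` in the custom access log should show the hierarchy code for misses as a parent fetch rather than DIRECT.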