Joaquín Puga wrote:
> Hi there.
>
> Currently we are running squid 2.5.STABLE3 under RHEL3. However, this
> week our ssl certificate will expire and the new certificate is a
> chained certificate, which is not supported by that version of squid.
> Also it is an old server in need of an upgrade, so we are trying to
> configure squid 2.6.STABLE21 (running under RHEL 5.3) as a reverse
> proxy, but after reading the documentation, the FAQ and many emails
> from the email lists we still can't figure out what we are doing
> wrong.
>
> - We have 4 web sites with public IPs x.y.z.47, x.y.z.48, x.y.z.49 and
> x.y.z.50.
> Each web site is hosted on a different server with Ips x.y.z.247,
> x.y.z.248, x.y.z.249 and x.y.z.250 (x.y.z.47 goes to x.y.z.247, etc)
> Our DNS server runs on the same box as squid.
>
> - x.y.z.48 is using ssl connections.
>
> - With the current configuration www.mywebsite.ca and
> www1.mywebsite.ca work, but when trying to go to the other websites we
> get to www.mywebsite.ca instead.
>
> If we remove the # from the cache_peer_domain lines then the only
> website accessible is www1.mywebsite.ca. The other websites time out
> and we get this error message:
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: http://www.mywebsite.ca/
>
> The following error was encountered:
>
> * Unable to forward this request at this time.
>
> This request could not be forwarded to the origin server or to any
> parent caches. The most likely cause for this error is that:
>
> * The cache administrator does not allow this cache to make direct
> connections to origin servers, and
> * All configured parent caches are currently unreachable.
>
> Your cache administrator is root.
> Generated Tue, 19 May 2009 17:16:35 GMT by www1.mywebsite.ca
> (squid/2.6.STABLE21)
>
> - It's our understanding that squid uses /etc/squid/hosts to have the
> hostnames redefined and to get traffic to the backend servers.
Hostnames, yes. But not cache_peer names.
> So if
> the client requests www.mywebsite.ca, with dns record is x.y.z.47,
> squid uses the hosts file to resolve www.mywebsite to x.y.z.247. Is
> this correct?
>
If you have an entry like...
cache_peer www.mywebsite parent 80 0 no-query originserver
...then yes, the host file would be used. But you are using the IP in
your cache_peer lines. There is nothing to resolve.
> - We also want to avoid people connecting to the websites using any
> Ips (either x.y.z.47, .48, etc or x.y.z.247, .248, etc)
>
Then firewall off the origin servers so they can't be accessed directly,
and set up ACLs that prevent using IP addresses in the URL.
>
> Below you can find the configuration files. Please let me know if you
> need more information. I'd really appreciate if you could point me in
> the right direction.
>
> #Squid.conf [version 2.5.STABLE3]:
> #-----------------------------------------------------
> http_port 80
> https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem
> key=/etc/squid/certs/ww1key.pem version=1
> icp_port 0
> cache_dir null /tmp
> acl all_no_cache src 0/0
> no_cache deny all_no_cache
> #Path to the host file hosts_file /etc/squid/hosts
> httpd_accel_host virtual
> httpd_accel_uses_host_header on
> visible_hostname www1.mywebsite.ca
> acl all src 0.0.0.0/0.0.0.0
> acl mynet src x.y.z.0/255.255.255.0
> http_access allow all
> http_access allow mynet
> http_access deny all
>
>
> #squid.conf version 2.6.STABLE21
> #-------------------------------------------------
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> acl mynet src x.y.z.0/255.255.255.0
> http_access allow all
> http_access allow mynet
> http_access allow localhost
> http_access deny all
> icp_access allow all
>
> http_port 80 accel vhost
> https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem
> key=/etc/squid/certs/ww1key.pem version=1 accel vhost
>
> cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver
> name=www_mywebsite
>
You should probably add "forceddomain=www.mywebsite.ca".
> cache_peer x.y.z.248 parent 80 0 no-query no-digest originserver
> name=www1_mywebsite
>
Same for the other cache_peers. Define the forceddomain.
> cache_peer x.y.z.249 parent 80 0 no-query no-digest originserver
> name=www_mywebsiteusa
> cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver name=webmail
>
> #cache_peer_domain www_mywebsite www.mywebsite.ca
> #cache_peer_domain www1_mywebsite www1.mywebsite.ca
> #cache_peer_domain www_mywebsiteusa www.mywebsiteusa.com
> #cache_peer_domain webmail web.mywebsite.ca
>
Since you have a separate front end IP per back end server...
acl www_mywebsite_ip myip x.y.z.47
acl www1_mywebsite_ip myip x.y.z.48
acl www_mywebsiteusa_ip myip x.y.z.49
acl webmail_ip myip x.y.z.50
cache_peer_access allow www_mywebsite www_mywebsite_ip
cache_peer_access deny www_mywebsite
cache_peer_access allow www1_mywebsite www1_mywebsite_ip
cache_peer_access deny www1_mywebsite
cache_peer_access allow www_mywebsiteusa www_mywebsiteusa_ip
cache_peer_access deny www_mywebsiteusa
cache_peer_access allow webmail webmail_ip
cache_peer_access deny webmail
> #acl acl_www_mywebsite dstdomain www.mywebsite.ca
> #acl acl_www1_mywebsite dstdomain www1.mywebsite.ca
> #acl acl_www_mywebsiteusa dstdomain www.mywebsiteusa.com
> #acl acl_webmail dstdomain webmail.mywebsite.ca
>
> hierarchy_stoplist cgi-bin ?
> cache_dir null /tmp
> access_log /var/log/squid/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
>
Dump these two lines, and add the following refresh_pattern instead...
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
>
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> visible_hostname www1.mywebsite.ca
> hosts_file /etc/squid/hosts
> coredump_dir /var/spool/squid
>
The hosts file is superfluous, and might be hindering your setup from
working.
> #/etc/squid/hosts
> -----------------------------------------------------------
> x.y.z.247 www.mywebsite.ca
> x.y.z.248 www1.mywebsite.ca
> x.y.z.249 www.mywebsiteusa.com
> x.y.x.250 webmail.mywebsite.ca
>
> Thanks a lot.
>
> Joaquin Puga.
>
Chris
Received on Tue May 19 2009 - 22:23:22 MDT
This archive was generated by hypermail 2.2.0 : Wed May 20 2009 - 12:00:02 MDT