Re: [squid-users] Reverse proxy and virtual host question

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 15 Sep 2009 22:45:42 +1200

f010f_at_aol.com wrote:
> Hi all,
>
> I hope you guys can help me as I am still confused about how squid
> configuration works.
>
> I host 3 domains on one server whose IP address is 10.0.0.80.
>
> Basically, I am trying to do reverse proxy and virtual host scenario:
>
> If people browse public.company.com
> then it goes to 10.0.0.80 port 80
>
> If people browse private.company.com
> then it goes to 10.0.0.80 port 91
>
> If people browse www.company.com
> then it goes to 10.0.0.80 port 80
> except people from 192.168.1.0/24 which take them to 10.0.0.80 port 91
>
> I still cannot get the scenario above to work. Can you guys help me with my
> squid.conf please? Where did I go wrong?
>
> Here is my squid.conf and I am using squid-3.1.0.13
>
> http_port 80 accel defaultsite=www.company.com vhost
>
> cache_peer 10.0.0.80 parent 80 0 no-query originserver name=pubAccel
> cache_peer 10.0.0.80 parent 91 0 no-query originserver name=prvAccel
>
> acl pub_sites dstdomain public.company.com
> acl prv_sites dstdomain private.company.com
> acl www_sites dstdomain www.company.com
>
> acl internal src 192.168.1.0/24
>
> http_access allow pub_sites
> http_access allow prv_sites
> http_access allow www_sites
>
> cache_peer_access pubAccel allow pub_sites
> cache_peer_access pubAccel deny all
>
> cache_peer_access prvAccel allow prv_sites
> cache_peer_access prvAccel deny all
>

You have already specified "deny all" for both prvAccel and pubAccel.
The following lines will never be tested.

> cache_peer_access pubAccel allow pub_sites
> cache_peer_access prvAccel allow internal
> cache_peer_access pubAccel deny all

For them to work they need to be placed above the respective "deny all"
lines and must match your access requirements.

For example:

   # If people browse public.company.com ...
   cache_peer_access pubAccel allow pub_sites
   # If people browse www.company.com ... except people from internal
   cache_peer_access pubAccel allow www_sites !internal
   # nobody else
   cache_peer_access pubAccel deny all

   # If people browse private.company.com ...
   cache_peer_access prvAccel allow prv_sites
   # If people browse www.company.com ... from internal
   cache_peer_access prvAccel allow internal www_sites
   # nobody else
   cache_peer_access prvAccel deny all

One thing I would suggest: also prevent private.* from being accessed from
outside the company.

Which changes the first prvAccel rule to:
   cache_peer_access prvAccel allow internal prv_sites

>
> # Below standard configuration from Squid 3.1.0.13
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_port 3128

For only a reverse proxy you do not need the standard configuration above.

Simply do:
   http_access deny all

> hierarchy_stoplist cgi-bin ?
> coredump_dir /usr/local/squid/var/cache
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> # End squid.conf
>
> Thanks in advance for your help

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
   Current Beta Squid 3.1.0.13
Received on Tue Sep 15 2009 - 10:45:47 MDT
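The ordering point made in this reply, as an added worked example (this is not Squid code and not part of the original thread): a small Python model of how Squid walks cache_peer_access lines for one peer, first match wins, with every ACL on a line ANDed and "!" negating one ACL, and a request going to the first peer in cache_peer order whose list allows it. It is run over the questioner's ordering and over the corrected ordering for the six (site, client) combinations in the question. Assumed or constructed: the two config fragments, the client addresses 203.0.113.5 (outside) and 192.168.1.20 (inside 192.168.1.0/24), and the simplification that peer selection stops at the first allowed peer.

```python
# Added example, not Squid's own code: models first-match evaluation of
# cache_peer_access lines so the effect of line ordering can be seen.
import ipaddress

# Constructed config fragments with the peers and ACLs from the question.
PEERS_AND_ACLS = """\
cache_peer 10.0.0.80 parent 80 0 no-query originserver name=pubAccel
cache_peer 10.0.0.80 parent 91 0 no-query originserver name=prvAccel
acl pub_sites dstdomain public.company.com
acl prv_sites dstdomain private.company.com
acl www_sites dstdomain www.company.com
acl internal src 192.168.1.0/24
"""

# The questioner's ordering: "allow internal" sits below a "deny all".
ORIGINAL_ORDER = PEERS_AND_ACLS + """\
cache_peer_access pubAccel allow pub_sites
cache_peer_access pubAccel deny all
cache_peer_access prvAccel allow prv_sites
cache_peer_access prvAccel deny all
cache_peer_access pubAccel allow pub_sites
cache_peer_access prvAccel allow internal
cache_peer_access pubAccel deny all
"""

# Corrected ordering: specific allows first, "deny all" last, and
# private.company.com reachable from the internal network only.
CORRECTED_ORDER = PEERS_AND_ACLS + """\
cache_peer_access pubAccel allow pub_sites
cache_peer_access pubAccel allow www_sites !internal
cache_peer_access pubAccel deny all
cache_peer_access prvAccel allow internal prv_sites
cache_peer_access prvAccel allow internal www_sites
cache_peer_access prvAccel deny all
"""


def parse(conf):
    """Read only the three directives this model needs from squid.conf text."""
    peers = []                    # (name, host, port) in configuration order
    acls = {"all": ("all", [])}   # Squid 3.x predefines the "all" ACL
    rules = {}                    # peer name -> [(action, [acl terms]), ...]
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "cache_peer":
            name = next(p[len("name="):] for p in parts if p.startswith("name="))
            peers.append((name, parts[1], int(parts[3])))
        elif parts[0] == "acl":   # repeated acl lines with one name accumulate
            acls.setdefault(parts[1], (parts[2], []))[1].extend(v.lower() for v in parts[3:])
        elif parts[0] == "cache_peer_access":
            rules.setdefault(parts[1], []).append((parts[2], parts[3:]))
    return peers, acls, rules


def acl_matches(acls, term, host, src):
    """Evaluate one ACL term of a cache_peer_access line; a leading "!" negates it."""
    negate = term.startswith("!")
    kind, values = acls[term.lstrip("!")]
    if kind == "all":
        hit = True
    elif kind == "dstdomain":   # exact host, or ".domain" covering domain and subdomains
        hit = any(host == v or (v.startswith(".") and (host.endswith(v) or host == v[1:]))
                  for v in values)
    elif kind == "src":
        client = ipaddress.ip_address(src)
        hit = any(client in ipaddress.ip_network(v, strict=False) for v in values)
    else:
        raise ValueError(f"acl type {kind!r} is not modelled here")
    return hit != negate


def peer_allowed(acls, peer_rules, host, src):
    """First line whose ACLs all match decides; if none matches, the opposite of
    the last line applies (as for Squid's other access lists)."""
    for action, terms in peer_rules:
        if all(acl_matches(acls, t, host, src) for t in terms):
            return action == "allow"
    return not peer_rules or peer_rules[-1][0] == "deny"


def route(conf, host, src):
    """(peer name, port) of the first peer allowed to serve the request, or
    None when every peer denies it and the request cannot be forwarded."""
    peers, acls, rules = parse(conf)
    for name, _host, port in peers:
        if peer_allowed(acls, rules.get(name, []), host.lower(), src):
            return name, port
    return None


# Constructed clients: one outside the company, one inside 192.168.1.0/24.
OUTSIDE, INSIDE = "203.0.113.5", "192.168.1.20"
SITES = ("public.company.com", "private.company.com", "www.company.com")


def routing_table(conf):
    """Where each (site, client) combination from the question ends up."""
    return {(site, client): route(conf, site, client)
            for site in SITES for client in (OUTSIDE, INSIDE)}


if __name__ == "__main__":
    for label, conf in (("questioner's ordering", ORIGINAL_ORDER),
                        ("corrected ordering", CORRECTED_ORDER)):
        print(label)
        for (site, client), hit in routing_table(conf).items():
            print(f"  {site:20} from {client:13} -> {hit or 'no peer, request fails'}")
```

With the questioner's ordering, www.company.com reaches no peer at all, from inside or outside, because both lists hit "deny all" before the later "allow internal" line is ever consulted; with the corrected ordering, outside clients land on port 80 and internal clients on port 91, and private.company.com is refused from outside.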