Re: [squid-users] squid config help required

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 29 Apr 2011 18:33:33 +1200

On 29/04/11 17:22, Colin Coe wrote:
> Hi all
>
> I'm having trouble getting squid to do what I need.
>
> I'm in a test network within a corporate environment.
>
> What I want is this:
> 1) squid needs to use the corporate proxy for Internet stuff
> 2) squid should cache
> 3) squid should reverse proxy several servers (but for now only one
> actually exists) both http and https
> 4) anything destined for 10.1.102.0/24 needs to not be sent to the
> corporate proxy.
> 5) only the WSUS server is allowed to talk to *.windowsupdate.com
>
> What I get is:
> 1) Reverse proxying seems to work except that any attempts to browse a
> remote site (ie www.microsoft.com) on the host being proxied results
> in being redirected to itself.
> 2) Normal proxying seems to work (note the exception above)
>
> My config file is
> ---
> # Should be obvious
> http_port 3128
> cache_dir ufs /var/spool/squid 6444 16 256
> cache_access_log /var/log/squid/access.log

NP: the directive is now just called "access_log"

>
> ################################################################################
> # Local traffic, is y'know, local
>
> acl acl_whitelist dstdomain .dev.company.com
> acl acl_virthost dst 10.1.102.8/29
> acl http proto http
> acl vdsm port 54321
> acl port_80 port 80
> acl port_443 port 443
> acl CONNECT method CONNECT
>
> http_access allow vdsm acl_virthost
> http_access allow http port_80 acl_whitelist
> http_access allow CONNECT port_443 acl_whitelist

You are missing the default security blanket rules...
   http_access deny !Safe_ports
   http_access deny CONNECT !SSL_Ports

These prevent internal clients or external attacks from getting
malicious HTTP requests past your local config settings (for example the
generic "allow acl_intranet").
  "malicious" requests are not always intentional, the internal client
ones commonly come from things as simple as embeded URLs in web adverts.

>
> ################################################################################
> # Reverse proxy settings

NP: this reverse-proxy section should be above the local traffic
section. The http_access rules here must be first in the entire list of
http_access.

>
> #https_port rhevm.dev.company.com:443 accel
> defaultsite=https://virtman.dev.company.com vhost
> http_port rhevm.dev.company.com:80 accel
> defaultsite=http://virtman.dev.company.com vhost

defaultsite= is the FQDN, not a full URL. The http:// part is assumed
from the "http_" directive name.
  There is an additional protocol= option if the scheme needs to be
something weird (very, very rarely needed).

>
> # RHEV Manager
> cache_peer 10.1.102.34 parent 80 0 no-query originserver name=rhevman
> #cache_peer 10.1.102.34 parent 443 0 no-query originserver ssl name=rhevuser
>
> acl acl_rhevm dstdomain virtman.dev.company.com
> acl acl_srcrhevm srcdomain virtman.dev.company.com
> http_access allow acl_rhevm !acl_srcrhevm

The server itself asking the proxy for its own domain things?

This should not matter. You want to avoid DNS lag anyway:
   acl acl_srcrhevm src 10.1.102.34

With a cache_peer IP like that, Squid does not use DNS to connect to the
internal peer so the internal DNS view can be set to the internal server
IP if you want to avoid the internal traffic going via Squid IP.

>
> cache_peer_access rhevman allow acl_rhevm
> cache_peer_access rhevman deny all
> always_direct allow acl_rhevm

Remove the always_direct. It prevents the cache_peer being used and is
likely the cause of your problem.

NOTE: I see you have commented out some HTTPS reverse-proxy bits.
  You will be interested in squid-3.1.12 with fixes for HTTPS to
internal reverse-proxy peers.

>
> ################################################################################
> # Only the WSUS box can go to the windows update site
> acl acl_windowsupdate dstdomain .windowsupdate.com
> acl acl_wsus srcdomain wsus.dev.company.com
> http_access deny !acl_wsus acl_windowsupdate

Your use of srcdomain requires rDNS systems to be working. Is the WSUS
on a dynamic IP?
  Either use the WSUS IP in a "src" ACL or switch the order of those two
ACL names on that line for faster overall processing.

  If you retain the srcdomain, ensure that the rDNS results have long
TTL. It is delaying one client request every rDNS TTL cycle.

Also, there are a number of other WU domains you may want to add to that
list:
   http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

>
> ################################################################################
> # Normal proxy settings
> acl acl_intranet src 10.1.102.0/24
> http_access allow acl_intranet
>
> ################################################################################
> # Catch all
> http_access deny all
>
> cache_peer proxy.company.com parent 8200 7 no-query
> # Never go direct to the internet (use the BlueCoat)
> never_direct allow all

These two sections look fine.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Fri Apr 29 2011 - 06:33:40 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 29 2011 - 12:00:05 MDT