Re: [squid-users] Squid ReverseProxy with vhost vport - Problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 21 Jul 2011 11:57:09 +1200

 On Wed, 20 Jul 2011 16:34:28 +0200, tim.schmeling_at_bechtle.com wrote:
> Hi Squid-Users,
>
> I have a big problem and I hope that anyone can help me.
> I would like to set up a squid reverse proxy with IP-based virtual hosts in
> apache.
>
> Client -> Pound (10.1.24.145:80) -> Squid (10.1.24.145:3007) ->
> Apache
> (127.0.0.1:3007)
>
> Virtual hosts in apache works perfect, but the following error occurs
> when
> i try to connect over pound/squid:
>
> access.log from squid:
> 1311171399.324 157 10.1.24.145 TCP_MISS/503 4014 GET
> http://sub3007/ -
> DIRECT/127.0.0.1 text/html
>
> The cache.log tells me:
> ...
> 2011/07/20 16:16:39.166| parseHttpRequest: req_hdr = {Host: sub3007
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0)
> Gecko/20100101
> Firefox/5.0
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Connection: keep-alive
> Cache-Control: max-age=0
> X-Forwarded-For: 10.1.24.81
> }
> 2011/07/20 16:16:39.166| parseHttpRequest: end = {
> ...
>
>
> Squid tries to connect to Apache at 127.0.0.1:80, but this is
> wrong;
> it should be 127.0.0.1:3007 (the vport).
>
> Here is my squid.conf:
>
> http_port 10.1.24.145:3007 vhost vport
> http_port 10.1.24.145:3008 vhost vport

 First you want to add "accel" as the first option on those lines. This
 is not strictly required by the current popular releases, but will help
 with future upgrades to 3.1+ versions which do require it.

> ...
> here are some acls
> ...
> acl Safe_ports port 3000-3030
> http_access deny !Safe_ports
> http_access deny deniedrequest
> http_access allow internurl intraweb
> http_access allow adminurl intraweb
> http_access allow adminurl admin
> http_access allow extern
> http_access deny intraweb
> http_access deny admin
> http_access deny deniedbrowser
> http_access allow aha_my_test
> http_access deny all
> cache deny all
> httpd_suppress_version_string on
> always_direct allow all

 This is part of the problem. "always_direct" forces Squid to perform
 DNS resolution and make use of the IP/ports found.
 Use cache_peer instead, like so:

 cache_peer 127.0.0.1 parent 3007 0 originserver name=apache3007
 cache_peer 127.0.0.1 parent 3008 0 originserver name=apache3008

 acl port3007 myportname 10.1.24.145:3007
 acl port3008 myportname 10.1.24.145:3008

 cache_peer_access apache3007 allow port3007
 cache_peer_access apache3008 allow port3008

 Or you can avoid the whole double-port thing by using name-based
 virtual hosting in Apache. Pound is clearly passing the domain name
 through properly. Using cache_peer and avoiding always_direct will make
 Squid pass it through properly as well.

> max_open_disk_fds 8192
> coredump_dir /usr/local/squid/var/cache
>
>
> Can anyone help me?

 Every time we 'fix' this we get complaints from people wanting the
 opposite behaviour or suddenly getting breakage. For now we have this
 behaviour: Squid should obey the Host: port when "vport" is given, and
 ignore it when vport is omitted (using the http_port value if none is pulled
 in indirectly by vhost anyway), and override/replace it when "vport=N"
 is given.

 So your config tells Squid to use what Pound supplies (default 80). You
 can avoid that by either getting Pound to stop adding the unusual port
 to the header, or using vport=80 in squid.

 Amos
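As an added illustration (not Squid source and not code from either poster), the following Python models the three vport behaviours Amos lists, and shows why the posted config ends up at port 80 while a cache_peer selected by listening port does not depend on the Host: header at all. The rules are paraphrased from the reply above; the fallback of 80 when Host: carries no port, the PEERS table and the function names are assumptions made for this example.

```python
"""Model of how a Host: header port interacts with Squid's http_port
"vport" modes and with cache_peer originserver, as described in the reply
above.  This is an added illustration, not Squid source code: the rules are
paraphrased from the mailing-list text, and the fallback of 80 when Host:
carries no port is an assumption (plain http scheme default)."""

from typing import Dict, Optional, Tuple

DEFAULT_HTTP_PORT = 80  # assumed fallback when Host: has no explicit port

# Constructed peer table modelling the suggested cache_peer lines: the
# listening port (matched via a myportname acl) selects the origin server.
PEERS: Dict[int, Tuple[str, int]] = {
    3007: ("127.0.0.1", 3007),   # cache_peer 127.0.0.1 parent 3007 ... name=apache3007
    3008: ("127.0.0.1", 3008),   # cache_peer 127.0.0.1 parent 3008 ... name=apache3008
}


def parse_host(value: str) -> Tuple[str, Optional[int]]:
    """Split a Host: value into (hostname, port-or-None).

    Bracketed IPv6 literals are handled, and a non-numeric port is rejected
    rather than silently ignored."""
    value = value.strip()
    if value.startswith("["):                       # e.g. [::1]:8080
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal in Host: header")
        host, rest = value[:end + 1], value[end + 1:]
    else:
        host, sep, port_text = value.partition(":")
        rest = sep + port_text
    if not rest:
        return host, None
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError(f"malformed port in Host: header: {value!r}")
    return host, int(rest[1:])


def origin_port(listen_port: int, vport: Optional[str],
                host_header: Optional[str]) -> int:
    """Port Squid would dial on the origin under the three vport modes:

      vport omitted   -> ignore any Host: port, use the http_port value
      "vport"         -> obey the Host: port (fallback DEFAULT_HTTP_PORT)
      "vport=N"       -> override/replace the Host: port with N
    """
    if vport is None:
        return listen_port
    if vport.startswith("vport="):
        return int(vport.split("=", 1)[1])
    if vport != "vport":
        raise ValueError(f"unknown vport option: {vport!r}")
    if host_header is None:
        return DEFAULT_HTTP_PORT
    _, port = parse_host(host_header)
    return port if port is not None else DEFAULT_HTTP_PORT


def destination(listen_port: int, vport: Optional[str],
                host_header: Optional[str],
                peers: Optional[Dict[int, Tuple[str, int]]] = None
                ) -> Tuple[Optional[str], int]:
    """Where the request is forwarded.

    A cache_peer selected by listening port wins regardless of what Host:
    says (the fix suggested above); otherwise, with always_direct, Squid
    goes DIRECT to the Host: name on origin_port()."""
    if peers and listen_port in peers:
        return peers[listen_port]
    host = parse_host(host_header)[0] if host_header else None
    return host, origin_port(listen_port, vport, host_header)


if __name__ == "__main__":
    # The posted config: "http_port ...:3007 vhost vport", Pound sends
    # "Host: sub3007" with no port, always_direct -> sub3007:80 (the 503).
    print("always_direct:", destination(3007, "vport", "sub3007"))
    # Same request routed through the suggested cache_peer table.
    print("cache_peer   :", destination(3007, "vport", "sub3007", PEERS))
```

Run it as a script to see the two routes side by side; the first line reproduces the DIRECT/127.0.0.1 port-80 attempt from the access.log, the second shows the peer fixed by the listening port.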
Received on Wed Jul 20 2011 - 23:57:13 MDT