Re: [squid-users] SQUID Reverse Proxy not forwarding requests to Apache web server

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 03 Jan 2012 04:16:15 +1300

On 2/01/2012 1:52 p.m., Roman Gelfand wrote:
> My squid server 3.1.6 sits in dmz. On this server, I am running
> apache server 2.2.9. My goal is to a) cache owa responses b) forward
> https owa requests to the Apache server on port 8443 c) The Apache
> server forwards the request to internal exchange server.

Why bother with relaying it through Apache? Squid does the job of being
a proxy better than Apache web server can. Particularly since you
already have the traffic going through a Squid.

>
> Below, is my squid reverse proxy configuration. The domain
> webmail.mydomain.com resolves to the external interface of the
> exchange server. However, I am saying, in configuration, that
> cache_peer is localhost. Nevertheless, the https request is never
> forwarded to apache server. Rather, it is going directly to the
> external interface of the exchange server.
>
> Where am I going wrong here?

You have not provided any info about what the client traffic is actually
requesting and what the Apache server is responding with when squid
tries to pass the requests there.

You are missing the cache_peer_access rules to limit what traffic goes
through Apache. So everything will be attempted.

You are missing never_direct rules denying Squid direct contact with the
requested domain server.

>
> hierarchy_stoplist cgi-bin
> acl QUERY urlpath_regex cgi-bin
> shutdown_lifetime 1 second
> visible_hostname webmail.mydomain.com
>
> #1GB disk cache
> cache_dir ufs /usr/local/squid/var/cache 1024 16 256
>
> maximum_object_size 5 MB
> cache_mem 1024 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size_in_memory 512 KB
>
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
>
> https_port 443 cert=/etc/apache2/certs/pkey.pem key=/etc/apache2/certs/sitecert.key vhost vport
> cache_peer 127.0.0.1 parent 8443 0 ssl no-query originserver sslflags=DONT_VERIFY_PEER front-end-https login=PASS
>
> Thanks in advance
Received on Mon Jan 02 2012 - 15:16:21 MST
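
Added example, not part of the original thread: a squid.conf fragment showing the two rule sets the reply names as missing (cache_peer_access and never_direct), applied to the posted peer definition. The ACL name `owa_site` and the peer label `owa_apache` (set with `name=`) are assumptions chosen for illustration; http_access rules are not shown.

```conf
# Peer line from the post, with an added name= label (assumed: owa_apache)
# so the access rules below can refer to it.
# sslflags=DONT_VERIFY_PEER is kept from the post; it disables certificate
# verification on the hop to the peer, here a loopback connection.
cache_peer 127.0.0.1 parent 8443 0 ssl no-query originserver name=owa_apache sslflags=DONT_VERIFY_PEER front-end-https login=PASS

# ACL matching the published site (assumed name: owa_site).
acl owa_site dstdomain webmail.mydomain.com

# cache_peer_access: only requests for the published site are sent to the
# Apache peer; anything else is not attempted through it.
cache_peer_access owa_apache allow owa_site
cache_peer_access owa_apache deny all

# never_direct: requests for this domain must go through a cache_peer.
# Without it Squid may resolve webmail.mydomain.com itself and connect
# straight to the address it resolves to, bypassing Apache on 8443.
never_direct allow owa_site
```

With `never_direct` in place, a request that cannot be sent to the peer fails at Squid instead of silently going to the resolved address, which makes a broken Apache hop visible in the logs.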
