Re: [SQU] accelerator with name-based virtual host

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 26 Dec 2000 17:16:30 +0100

Steven Haryanto wrote:
>
> When squid accelerator is configured not in vhost_mode nor
> vport_mode:
>
> httpd_accel_host 127.0.0.1
> httpd_accel_port 80
>
> but with:
>
> httpd_accel_uses_host_header on
>
> Shouldn't squid still connect to the real server specified
> in httpd_accel_host (127.0.0.1) and not to the host which
> is specified by the Host: header in the incoming request?

Yes, if using squid-2.4 and configured with
 httpd_accel_single_host on

For earlier Squids no. There the Host header always overrides
httpd_accel_host.

My recommended accelerator setup for almost all cases is to

* Add your accelerated domains to /etc/hosts with the IP address of the
real server.
* Verify with telnet/lynx/whatever that, from the accelerator server, you
can reach the real servers using the official domain names for the
service (i.e. your external domain names, not internal ones)
* Build squid with --disable-internal-dns
* Make sure your real server listens on port 80, but some other IP than
where Squid is listening (another machine classifies as another IP, or
another IP interface such as loopback.. same thing different hardware).
* Set up Squid to only listen on the IPs it should listen to (see the
http_port directive, it can be used to specify IP as well as port
number)
* Configure squid.conf as
  http_port official.ip.address:80
  httpd_accel_uses_host_header on
  httpd_accel_host your.main.domain
  httpd_accel_with_proxy on
  acl myservers dst ip.of.backend.server
  acl http port 80
  http_access allow http myservers
  http_access deny all

This setup is
a) Relatively simple and straightforward to set up.
b) Extremely flexible. Can manage any mix of backend servers/domain,
from a single server with a single domain, to many servers with many
domains, all in the same simple manner.
c) Easy to fault-diagnose accelerator problems. By using a browser on
the accelerator machine you will see what would be seen without the
accelerator.
d) No Host header related problems. The same domain name is used all
through the acceleration process, with no risk of confusion on the way.

Note 1: no redirector helper required. Your /etc/hosts is the
redirector.

Note 2: The httpd_accel_with_proxy directive is enabled to
a) make it easy to test the access controls by simply configuring your
web browser to use the accelerator as a proxy.
b) compliance with HTTP/1.1 where all servers are required to be able to
process requests using a full URL. Without this directive, squid will
reject such requests as invalid..
c) If httpd_accel_uses_host_header is on, then the same security issues
are there anyway. An accelerator configured with
httpd_accel_uses_host_header can be tweaked into being used as a proxy
even if httpd_accel_with_proxy is not enabled, the details are only
slightly more obscure..

--
Henrik Nordstrom
Squid hacker
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Tue Dec 26 2000 - 09:18:34 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:07 MST
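The following is an added illustration and is not part of Henrik's post or of the Squid project. It is a small Python probe for checking, from outside, whether an accelerator built along the lines above can be driven as a forward proxy in the two ways Note 2 describes: a full-URL request (the httpd_accel_with_proxy case) and a plain request whose Host header names a server that is not one of your backends. With the "acl myservers dst" rule in place both foreign probes should come back 403; anything else means the access controls did not stop the request. All host names, the accelerator address and the sample responses are placeholders.

```python
"""Probe a Squid accelerator for open-proxy behaviour (added example).

Assumptions (placeholders, not from the thread): the accelerator listens
at ACCEL, OUR_HOST is one of the accelerated domains that /etc/hosts on
the accelerator maps to a backend, and FOREIGN_HOST is any host that is
not one of your backends.
"""
import socket

ACCEL = ("203.0.113.10", 80)        # placeholder accelerator address
OUR_HOST = "www.example.net"        # placeholder accelerated domain
FOREIGN_HOST = "www.example.org"    # placeholder non-backend host


def build_probes(foreign_host, our_host):
    """Return (label, raw HTTP/1.0 request) pairs.

    The baseline shows the accelerator works for our own domain; the two
    foreign probes are the full-URL and Host-header ways of asking the
    accelerator to fetch from somewhere else.
    """
    return [
        ("baseline (our domain)",
         f"GET / HTTP/1.0\r\nHost: {our_host}\r\n\r\n".encode()),
        ("full URL, foreign host",
         f"GET http://{foreign_host}/ HTTP/1.0\r\n"
         f"Host: {foreign_host}\r\n\r\n".encode()),
        ("Host header, foreign host",
         f"GET / HTTP/1.0\r\nHost: {foreign_host}\r\n\r\n".encode()),
    ]


def status_code(response):
    """Parse the status code from a raw response; None if it is not HTTP."""
    line = response.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify(label, response):
    """Interpret a probe result.

    For the foreign probes only a 403 counts as denied: a 200, a redirect
    or even a 503 means Squid tried to forward the request, i.e. the
    http_access rules did not stop it.
    """
    code = status_code(response)
    if code is None:
        return "unparseable"
    if label.startswith("baseline"):
        return "ok" if 200 <= code < 400 else f"backend problem ({code})"
    return "denied" if code == 403 else f"forwarded ({code})"


def send_probe(addr, request, timeout=5.0):
    """Send one raw request and return the first 4 KiB of the reply."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(request)
        return s.recv(4096)


def run(addr=ACCEL, foreign_host=FOREIGN_HOST, our_host=OUR_HOST):
    """Run all probes against a live accelerator; returns label->verdict."""
    results = {}
    for label, request in build_probes(foreign_host, our_host):
        try:
            results[label] = classify(label, send_probe(addr, request))
        except OSError as exc:           # refused, timed out, etc.
            results[label] = f"no answer ({exc})"
    return results


if __name__ == "__main__":
    for label, verdict in run().items():
        print(f"{label:28s} {verdict}")
```

Run it from a machine other than the accelerator so the request really arrives on the external http_port. Because the verdict hinges on the exact 403, the script treats a 503 or 504 on a foreign probe as "forwarded": Squid got past http_access and tried to connect, which is the condition the dst ACL is meant to prevent even when the target happened to be unreachable.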