Klavs Klavsen wrote:
> Now I only have to open up so that it allows everybody to all domains on
> port 80..
Normally the job of http_access. In pure reverse proxies there are also a
couple of other options, but http_access for access controls is
recommended.

Note: be careful to not open up the proxy as a proxy to the whole world.

There are two issues at play here:
a) The request must be allowed by http_access
b) Squid must be able to find a forwarding path where to forward the
request
> and btw. do any of you have an example setup with rproxy.. preferably with
> multiple domains.. so that I could see what you have found it necessary to
> setup..
Here is a somewhat complex rproxy example with two accelerated servers,
each carrying two different domains, plus paranoid access controls.
# Accept requests on port 80
http_port your.official.ip.address:80 vhost defaultsite=your.main.site
# cache_peer is used for request routing. NEVER try going directly on
# our own...
never_direct allow all
# Some handy access control definitions
# (the ACL type for the request protocol is "proto")
acl HTTP proto HTTP
acl port80 port 80
# server 1
acl domains_backend1 dstdomain your.main.site another.site
# cache_peer syntax: hostname type http-port icp-port [options]
cache_peer backend1 parent 80 0 no-query originserver
# cache_peer_access syntax: peer-name allow|deny aclname
cache_peer_access backend1 allow domains_backend1
http_access allow HTTP port80 domains_backend1
# server 2
acl domains_backend2 dstdomain www3.example.com www4.example.com
cache_peer backend2 parent 80 0 no-query originserver
cache_peer_access backend2 allow domains_backend2
http_access allow HTTP port80 domains_backend2
# Deny everything else
http_access deny all
> after all squid is pretty complex in its variety of options.. and I would
> like to avoid making it a HUGE security hole in its setup..
Squid has a wide range of options indeed. This is also Squid's biggest
strength, as it allows it to be configured for a wide range of
configurations/uses.
Regards
Henrik Nordström
Squid Hacker
Received on Mon Oct 22 2001 - 06:47:04 MDT
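
Added example, not part of the original message and not Squid's own code: a small Python model of the two checks named in the reply, (a) http_access and (b) a forwarding path via cache_peer_access, run over a constructed excerpt of the example configuration. The function names, the request dictionary and the result labels (DENIED, FORWARD, NO_PATH) are assumptions made for illustration; only the ACL types used in the example are modelled.

```python
# Constructed squid.conf excerpt mirroring the reply's rules (sample input).
CONF = """\
acl HTTP proto HTTP
acl port80 port 80
acl domains_backend1 dstdomain your.main.site another.site
cache_peer_access backend1 allow domains_backend1
http_access allow HTTP port80 domains_backend1
acl domains_backend2 dstdomain www3.example.com www4.example.com
cache_peer_access backend2 allow domains_backend2
http_access allow HTTP port80 domains_backend2
http_access deny all
"""

def parse(conf):
    acls, http_rules, peer_rules = {"all": ("all", [])}, [], {}
    for fields in (line.split() for line in conf.splitlines()):
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "acl":
            acls[fields[1]] = (fields[2], fields[3:])
        elif fields[0] == "http_access":
            http_rules.append((fields[1], fields[2:]))
        elif fields[0] == "cache_peer_access":
            peer_rules.setdefault(fields[1], []).append((fields[2], fields[3:]))
    return acls, http_rules, peer_rules

def acl_match(acls, name, req):
    kind, values = acls[name]
    if kind == "all":
        return True
    # Only the ACL types used above are modelled; dstdomain is exact-match here.
    key = {"proto": "proto", "port": "port", "dstdomain": "host"}[kind]
    return str(req[key]).lower() in [v.lower() for v in values]

def first_match(acls, rules, req):
    for action, names in rules:            # all ACLs on one line must match (AND)
        if all(acl_match(acls, n, req) for n in names):
            return action                  # first matching line decides
    return "deny"                          # simplification: fail closed

def decide(req, conf=CONF):
    acls, http_rules, peer_rules = parse(conf)
    if first_match(acls, http_rules, req) != "allow":
        return ("DENIED", None)            # issue (a): http_access
    for peer, rules in peer_rules.items():
        if first_match(acls, rules, req) == "allow":
            return ("FORWARD", peer)       # issue (b): a forwarding path exists
    return ("NO_PATH", None)               # never_direct allow all: no direct fetch
```

Calling decide({"proto": "HTTP", "port": 80, "host": "unrelated.example.net"}) returns DENIED with the rules as given; swapping the final line for "http_access allow all" turns that into NO_PATH, because never_direct plus the per-peer cache_peer_access lists still leave no route for an unlisted domain.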