Re: [squid-users] Squid and virtual hosts

From: Waitman C. Gobble, II <waitman@dont-contact.us>
Date: Tue, 6 Aug 2002 09:46:30 -0700

a) i really don't think it truly matters, but i would make the acl

acl allowed_hosts src XXX.XXX.0.0/16

for some reason i seem to recall using the netmask wasn't doing the job...
might just be a bad memory ;-)

i think i was incorrect about the http_accel port setting being used as a
"listen" port. after i read the documentation it seems to be a directive to
"fetch" content.

for instance, if you want to run a transparent proxy on port 80, and have a
web server on port 8000, you can force squid to grab the site content from
port 8000 using the http_accel_port option. it looks like if you set
http_accel_port to 0 then this is a "virtual" setting (the browser specifies
which port to use).

however you obviously cannot have a transparent proxy on 80 and apache on 80
at the same time ;-)
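The two `acl allowed_hosts src` spellings in this thread (`XXX.XXX.0.0/16` above, and `XXX.XXX.XXX.XXX/255.255.0.0` in Rich's quoted reply below) describe the same /16 once the mask is applied; the place people get bitten is typing a host address with a short mask and not noticing that the ACL now covers the whole network. The following is an added example, not code from the thread or from the Squid project: it uses Python's `ipaddress` module to normalise `acl NAME src` specs in both notations, flags specs whose host bits are masked away, and walks a simplified `http_access` list (first match wins, all ACLs on a line must match) for a given client address. The sample config text is constructed for the example; only `src` ACLs and `allow`/`deny` lines are modelled.

```python
"""Normalise Squid `acl NAME src SPEC` lines and evaluate http_access rules.

Added example (not from the thread or the Squid project). Squid parses these
itself; Python's ipaddress module stands in here so CIDR and dotted-netmask
notation can be compared side by side.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SrcAcl:
    name: str
    networks: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_src_spec(spec):
    """Return (network, warning) for one src spec.

    Accepts a bare address, address/prefixlen or address/dotted-mask.
    Host bits set under the mask are cleared (the ACL then covers the whole
    network, which is what Squid ends up matching on) and reported.
    """
    if "/" not in spec:
        return ipaddress.ip_network(spec), None          # single host, /32
    addr, mask = spec.split("/", 1)
    # ipaddress accepts both "16" and "255.255.0.0" as the mask part
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    warning = None
    if ipaddress.ip_address(addr) != net.network_address:
        warning = f"{spec}: host bits masked away, ACL matches {net}"
    return net, warning


def parse_config(text):
    """Collect src ACLs and http_access rules from squid.conf-style text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            acl = acls.setdefault(parts[1], SrcAcl(parts[1]))
            for spec in parts[3:]:
                net, warn = parse_src_spec(spec)
                acl.networks.append(net)
                if warn:
                    acl.warnings.append(warn)
        elif parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return acls, rules


def src_matches(acl, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acl.networks)


def http_access(acls, rules, client_ip):
    """First matching http_access line decides; every ACL on it must match.

    Squid's real default for an unmatched request is the opposite of the last
    rule, which is why a config should always end with `http_access deny all`.
    This model simply denies when nothing matches.
    """
    for action, names in rules:
        if all(src_matches(acls[n], client_ip) for n in names):
            return action
    return "deny"


# Constructed sample: both notations for the same /16, plus a host-with-mask
# spec whose host bits get masked away.
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl allowed_hosts src 10.1.0.0/16
acl allowed_hosts src 10.1.2.3/255.255.0.0
http_access allow localhost
http_access allow allowed_hosts
http_access deny all
"""


def summarise(text):
    """Return normalised networks, warnings and a few sample decisions."""
    acls, rules = parse_config(text)
    return {
        "allowed_hosts": [str(n) for n in acls["allowed_hosts"].networks],
        "warnings": acls["allowed_hosts"].warnings,
        "decisions": {ip: http_access(acls, rules, ip)
                      for ip in ("10.1.200.7", "10.2.0.1", "127.0.0.1")},
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_CONF).items():
        print(key, value)
```

Running it shows both `allowed_hosts` specs normalising to `10.1.0.0/16`, a warning for the `10.1.2.3/255.255.0.0` line, and `allow` for a 10.1.x.x client but `deny` for 10.2.0.1. When reviewing a real squid.conf, the warnings list is the thing to read first: any entry there means the ACL admits more addresses than the line appears to say.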

----- Original Message -----
From: Richard Diaz
To: Waitman C. Gobble, II
Cc: squid-users@squid-cache.org
Sent: Tuesday, August 06, 2002 9:19 AM
Subject: Re: [squid-users] Squid and virtual hosts

Ah, it is not using the proxy. Because of a documented configuration issue
on the firewall, I had to add a rule that bypassed the proxy for the squid
host itself on the firewall. I forgot about this, and just figured that
_all_ traffic was going through the proxy.

I added: http_proxy:http://xxx.xxx.xxx.xxx:3128 to the /etc/lynx.cfg file.
It still brings up the page correctly.

We don't have user access control configured in squid.conf. We let the
firewall do that. We just have: acl allowed_hosts src
XXX.XXX.XXX.XXX/255.255.0.0

I did build squid from source and I don't believe that I have it installed
from RPM also (Linux newbie). I issued 'rpm -q squid' and got back a reply
that it is not installed. 'ps -auxww | grep squid' shows it running from
/usr/local/squid/bin/squid. './squid -v' in that dir comes back as
2.4.STABLE7.

I did try those very httpd_accel settings you mention. But I did not tell
my firewall to use port 80 for the proxy. I left it at 3128. I am running
Apache on this box listening on 80 already. Can I use something else, like
8080? I would imagine I could use anything as long as the firewall pointed
at httpd_accel_port and not http_port.

Again, thanks for all your help.

/rich

"Waitman C. Gobble, II" <waitman@emkdesign.com>
08/06/2002 11:42 AM
Please respond to "Waitman C. Gobble, II"

        To: "Richard Diaz" <rdiaz@nbframing.com>
        cc: <squid-users@squid-cache.org>
        Subject: Re: [squid-users] Squid and virtual hosts

hmmm, are you certain that lynx is using the proxy?

also, what sort of acl's do you have set up in squid.conf? do you have user
access control or simple ip or mac authorization?

now that i think about it more, perhaps you can set up squid to behave such
as if you were using it as a gateway to internally hosted web sites.

the example i am thinking about is having several servers on a private
intranet, and only exposing the squid machine to the outside world. dns
would point to the public ip, a site request would hit the squid cache and
you would have dns set up ... for internal use only so that squid could go
out and fetch the appropriate site from the appropriate machine.

questions

- it sounds like you built squid from source (i am not sure that there is
an rpm for STABLE7) - do any rpm installations exist? if so, are you certain
that STABLE7 is running and not the rpm version?

I had zero luck with a binary package, i uninstalled it and built from
source and everything magically worked swell. actually i didn't have any
luck with a redhat binary/rpm OR a mac os x binary distribution (i have a
client that likes macs). both systems - i had to build from source in order
to achieve success.

another thought, thinking about the example i mentioned above ---

perhaps you need to have the accelerator listening on port 80, and you need
to make sure that settings look like

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

maybe the redirect to port 3128 thingy is the problem? try redirecting to
port 80?

take care

waitman

----- Original Message -----
From: Richard Diaz
To: Waitman C. Gobble, II
Cc: squid-users@squid-cache.org
Sent: Tuesday, August 06, 2002 8:22 AM
Subject: Re: [squid-users] Squid and virtual hosts

oops! scratch that last comment. I fat-fingered it. It _does_ work from
the squid host using lynx. I guess I was just hoping there was a simple
solution :).

/rich

__________________

Currently, the port 80 traffic on the LAN is mapped to 3128 on the squid
cache. Yes, the firewall does this, and as far as I know, no browser is
aware of the proxy.

I read quite a few posts regarding HTTPD acceleration and setting these
options, such as: httpd_accel_host, httpd_accel_port, httpd_accel_with_proxy
and http_accel_uses_host. I didn't think it would work either, but i wanted
to try everything I could before I posted a message.

We use internal DNS servers that cache from our ISP's servers. All internal
clients are configured to use our servers via DHCP.

I would like to avoid 'touching' each desktop. I have several hundred users
in 10 different locations (including Buena Park, CA!). We also use our
firewall for authentication and logging. Piping everyone through the proxy
would break that.

I never even thought about trying from the squid machine, duh! I just tried
to access our virtual hosts using lynx and received an:
Alert!: Unexpected network read error; connection aborted.
Can't Access `http://www.XXX.com/'
Alert!:Unable to access document.
I am able to access other websites using lynx from this machine. Maybe this
has something to do with it? Thanks for all your suggestions.

Sincerely,
Richard Diaz
Nielsen & Bainbridge
Senior Systems Administrator
Voice:201.368.9191
Fax:201.342.6084

"Waitman C. Gobble, II" <waitman@emkdesign.com>
08/06/2002 10:35 AM
Please respond to "Waitman C. Gobble, II"

       To: <squid-users@squid-cache.org>, <rdiaz@nbframing.com>
       cc:
       Subject: Re: [squid-users] Squid and virtual hosts

hello

if i understand correctly, you have squid running on port 80? or is the port
80 traffic on the LAN mapped to 3128 on the squid cache (default, otherwise
some other port) .... ?

so, no browser on your network is configured to use a proxy, the firewall
just bounces the traffic to the cache.

that is what it sounds like you are doing, please let me know if this is not
correct.

couple of comments -

a) what are you doing with the httpd_accel options? i don't believe these
will deliver a solution.
b) squid is completely compatible with host header virtual hosting - i
haven't seen any trouble. you can verify this by looking at your web server
logs.

a quick thing to check, if you don't want to tinker with other
settings/options first - however may not be prudent - : make sure that
either a) dns (port 53 tcp/udp) is available to the clients in the case of
an external name server, or b) the clients are in fact getting the name
resolutions from an internal machine. if you have your firewall set up to
bounce traffic and no proxy options on the browser, name resolution will
occur at the client not the server.

(you really should have an internal nameserver running to improve
performance)

HOWEVER what i suggest is at minimum blocking port 80 and 443 traffic from
your clients altogether, set up squid to listen on 3128 (default) or some
other port, and have each client configured to use your squid server as a
proxy by explicitly specifying the address and port in the browser settings.
make sure the squid machine can perform name lookups, and verify internal
lookups are correct. drop the bounce and redirect scheme...

of course if you have a ton of clients to configure then manually setting up
the clients could be a real pain, however my intuition tells me that you
won't have much luck using the firewall to solve the problem quick and
dirty. (perhaps some others can comment about this a bit and give some
better analysis/solution).

the only trouble you will likely have will be with software that doesn't
care about proxy settings (i have seen a lot of "live update" kinds of
things bomb out) and the windows "active" desktop (i haven't 100% verified
this but from what i have seen the windows desktop with internet content
doesn't give a care about your proxy settings (ie, they won't work if you
have port 80, etc blocked).

-- can you successfully use the squid cache from the squid server itself? you
can make tests using lynx, wget etc.... if you don't have an x server /
window environment running.

hopefully some of this helps!!!

take care

waitman gobble
emk design
buena park, california
+1.7145222528
http://emkdesign.com

----- Original Message -----
From: <rdiaz@nbframing.com>
To: <squid-users@squid-cache.org>
Sent: Tuesday, August 06, 2002 6:58 AM
Subject: [squid-users] Squid and virtual hosts

> am new to using squid and have been trying to implement it at my
> company for the past few days. So far, it has been working great with
> only a few small bumps. The most significant of which is the apparent
> lack of support for virtual hosts.
>
> My configuration is as follows: Squid 2.4.STABLE7 running on RedHat
> 7.3. This machine sits on our local network behind a Watchguard
> firewall, on the trusted interface. I have the firewall configured to
> forward all HTTP requests to the squid proxy on the internal network.
> There is a rule in place on the firewall that allows the proxy to
> access the Internet. This appears to be working well.
>
> We also have a web server sitting on the optional/dmz interface of the
> firewall that hosts a few sites. The server has a single public IP
> address. It does not have a private IP address on the local network.
> It uses host headers to direct users to the correct site.
>
> Users outside of the firewall have no problem accessing any of the
> sites. Users inside the firewall cannot access any site. Their
> browser will eventually timeout.
>
> I have researched this topic for a few days, and cannot find a
> solution. I played around with the httpd_accel options to no avail.
> I would appreciate any insight you might have into this configuration.
>
> Thank you.
>
> Sincerely,
> RD
>
> P.S. I originally posted this to the newsgroup via DejaNews unaware of the
> mailing list. I apologize for the duplication.
>
Received on Tue Aug 06 2002 - 10:47:46 MDT
