Re: [squid-users] reverse proxy

From: Darryl L. Miles <darryl@dont-contact.us>
Date: Tue, 16 Aug 2005 08:00:25 +0100

John Rooney wrote:

>Apologies for this, if it's a common question. I *have* looked in the
>FAQ but haven't managed to resolve my problem.
>
>I'm looking to reverse host a number of sites on different servers
>through a single exposed IP address. I've populated the local hosts file
>(Squid 2.5 for NT)
>And Squid itself is firing up. No matter what I put in the acl lists, I
>keep getting a url could not be retrieved error. I'll qualify that by
>saying I haven't yet put the correct config in the acl lists ;-). In the
>interests of getting somewhere, I have supplied the acl portion (without
>the majority of the commenting) to see if there is anything obvious.
>
>I haven't used the http_accelerator options, should I? To me, the proxy
>should function from both sides equally well, as it's only resolving
>requests that will match entries in the hosts file.
>
>

Reverse host ?

If you are wanting to ensure your client browsers (acl our_networks ...)
have access to the internet-at-large through squid then this is a
classic (forward) proxy.

If you are wanting to front-end high traffic volume website(s) with one
or more squid cache accelerators to allow the internet-at-large to
access your high traffic site(s) then this is a reverse proxy.

Your ACLs look ok for classic forward proxy usage. Although you can
remove the references to "our_networks" from http_access as the
"int_net" does the same thing. I don't think your http_client_access
usage is doing anything useful at all as by default it looks like it
allows all anyway. You may want to move "int_net" down a few lines until
it's under "INSERT YOUR OWN RULE(S) HERE".

As for host file usage. Are you sure squid on NT can work like this?
Usually you have to have a working proper DNS to make squid work
effectively, this is usually indicated in the "cache.log" log file and
any fatal errors may be indicated here as to why it's not working for you.

If you wish to censor the hosts that browser clients can access through
the proxy I suggest you revise:

http_access allow int_net

to:

acl good_urlhosts dst <...whatever IPs are in your HOSTs file with a
space inbetween each...>
http_access allow int_net good_urlhosts

-- 
Darryl L. Miles
Received on Tue Aug 16 2005 - 01:00:44 MDT
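
An added illustration, not part of the original message and not Squid's own code: a small Python model of how Squid evaluates http_access lines (first matching line wins, ACL names on one line are ANDed, values inside one acl are ORed), applied to the change suggested above. The int_net definition and all addresses are constructed placeholders, and the destination is passed in as an already-resolved IP rather than looked up.

```python
import ipaddress

# Constructed squid.conf fragments; every address is a placeholder.
BEFORE = """
acl all src 0.0.0.0/0.0.0.0
acl int_net src 192.168.1.0/255.255.255.0
http_access allow int_net
http_access deny all
"""
AFTER = """
acl all src 0.0.0.0/0.0.0.0
acl int_net src 192.168.1.0/255.255.255.0
acl good_urlhosts dst 10.0.0.10 10.0.0.11
http_access allow int_net good_urlhosts
http_access deny all
"""

def parse(conf):
    """Return (acls, rules); only the src and dst ACL types are modelled."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] in ("src", "dst"):
            nets = [ipaddress.ip_network(v, strict=False) for v in tok[3:]]
            kind, old = acls.get(tok[1], (tok[2], []))
            acls[tok[1]] = (kind, old + nets)  # repeated acl lines accumulate
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def decide(conf, client_ip, dest_ip):
    """Return 'allow' or 'deny' for one request, the way http_access would."""
    acls, rules = parse(conf)
    addr = {"src": ipaddress.ip_address(client_ip),
            "dst": ipaddress.ip_address(dest_ip)}

    def hit(name):
        negate, name = name.startswith("!"), name.lstrip("!")
        kind, nets = acls[name]
        return any(addr[kind] in n for n in nets) != negate  # values are ORed

    for action, names in rules:
        if all(hit(n) for n in names):  # names on one line are ANDed
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    last = rules[-1][0] if rules else "allow"
    return "deny" if last == "allow" else "allow"
```

With the single-ACL rule an internal client reaches any destination; with both ACLs on the line the same client is allowed only to the listed hosts and falls through to "deny all" for everything else.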
