FW: [squid-users] reverse proxy

From: John Rooney <John.Rooney@dont-contact.us>
Date: Tue, 16 Aug 2005 19:12:37 +1200

Thanks for your comments Darryl,

Yes, the acls that are there are because I was looking to test on the
local network. Sounds crazy, but by forcing the client browser to use
the squid box, I hoped to see if the proxy would work correctly. Which
it didn't due to the url unavailable error.

Under normal conditions, the firewall will forward all http traffic to
squid and that will reverse proxy to the other web hosts on the network.
I don't see it as http acceleration, but it would appear that is how the
squid community refer to it. Essentially it is host redirection that I
want but I want it with proxying as well.

Ahhh logs!

I suppose I really should have said "I'm new to this beast". Sorry for
the omission. I figured because I could ping the server by fqdn, squid
would work, but I'll try dns as well.

As far as the acl was concerned, it is loose, but I figured I'd tighten
it once it was working.

Thanks
John

-----Original Message-----
From: Darryl L. Miles [mailto:darryl@netbauds.net]
Sent: Tuesday, 16 August 2005 7:00 p.m.
To: John Rooney
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] reverse proxy

John Rooney wrote:

>Apologies for this, if it's a common question. I *have* looked in the
>FAQ but haven't managed to resolve my problem.
>
>I'm looking to reverse host a number of sites on different servers
>through a single exposed IP address. I've populated the local hosts file
>(Squid 2.5 for NT)
>And Squid itself is firing up. No matter what I put in the acl lists, I
>keep getting a url could not be retrieved error. I'll qualify that by
>saying I haven't yet put the correct config in the acl lists ;-). In the
>interests of getting somewhere, I have supplied the acl portion (without
>the majority of the commenting) to see if there is anything obvious.
>
>I haven't used the http_accelerator options, should I? To me, the proxy
>should function from both sides equally well, as it's only resolving
>requests that will match entries in the hosts file.
>
>

Reverse host ?

If you are wanting to ensure your client browsers (acl our_networks ...)
have access to the internet-at-large through squid then this is a
classic (forward) proxy.

If you are wanting to front-end high traffic volume website(s) with one
or more squid cache accelerators to allow the internet-at-large to
access your high traffic site(s) then this is a reverse proxy.

Your ACLs look ok for classic forward proxy usage. Although you can
remove the references to "our_networks" from http_access as the
"int_net" does the same thing. I don't think your http_client_access
usage is doing anything useful at all as by default it looks like it
allows all anyway. You may want to move "int_net" down a few lines until
it's under "INSERT YOUR OWN RULE(S) HERE".

As for host file usage. Are you sure squid on NT can work like this?
Usually you have to have a working proper DNS to make squid work
effectively, this is usually indicated in the "cache.log" log file and
any fatal errors may be indicated here as to why it's not working for you.

If you wish to censor the hosts that browser clients can access through
the proxy I suggest you revise:

http_access allow int_net

to:

acl good_urlhosts dst <...whatever IPs are in your HOSTs file with a space in between each...>
http_access allow int_net good_urlhosts

-- 
Darryl L. Miles
Received on Tue Aug 16 2005 - 01:12:47 MDT
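
Added example, not part of the original thread and not Squid's own code: a small Python model of how http_access evaluates the loose rule and the tightened rule suggested above (ACLs on one line are ANDed, and the first matching line decides). The network ranges, host IPs and the trailing `deny all` line are constructed assumptions; `int_net` and `good_urlhosts` are the names used in the thread.

```python
import ipaddress

# Constructed sample values: the thread does not give the real networks or host IPs.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "int_net": ("src", ["192.168.1.0/24"]),
    "good_urlhosts": ("dst", ["192.168.1.10", "192.168.1.11"]),
}

# The two rule sets discussed in the thread, each followed by an assumed "deny all".
LOOSE = [("allow", ["int_net"]), ("deny", ["all"])]
TIGHT = [("allow", ["int_net", "good_urlhosts"]), ("deny", ["all"])]


def acl_matches(name, client_ip, dest_ip):
    """src ACLs test the client address, dst ACLs the resolved destination."""
    kind, nets = ACLS[name]
    addr = ipaddress.ip_address(client_ip if kind == "src" else dest_ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def http_access(rules, client_ip, dest_ip):
    """Model of http_access: ACLs on one line are ANDed, first matching line wins."""
    for action, names in rules:
        if all(acl_matches(n, client_ip, dest_ip) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def audit(rules, requests):
    """Return (client, destination, verdict) for each request."""
    return [(c, d, http_access(rules, c, d)) for c, d in requests]


# Constructed requests: (client IP, destination IP the URL host resolves to)
REQUESTS = [
    ("192.168.1.50", "192.168.1.10"),   # internal client -> hosted site
    ("192.168.1.50", "203.0.113.80"),   # internal client -> arbitrary outside host
    ("198.51.100.7", "192.168.1.10"),   # outside client -> hosted site
]

if __name__ == "__main__":
    for label, rules in (("loose", LOOSE), ("tight", TIGHT)):
        for client, dest, verdict in audit(rules, REQUESTS):
            print(f"{label}: {client} -> {dest}: {verdict}")
```

In this model the outside client is denied under both rule sets, because every allow line requires `int_net` to match the client address.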
