Re: [squid-users] SQUID3 configuration in accelerator mode (reverse proxy)  http and https

From: gwaa <gwaa@dont-contact.us>
Date: Mon, 17 Jul 2006 04:33:07 +0200

On Monday, 17 July 2006 00:05, you wrote:
> On Sun 2006-07-16 at 21:24 +0200, gwaa wrote:
> > Hello List,
> > I try to setup with SQUID3:
> > HTTP[internet:80]<-->[80:NATfirewall:3128]-->[SQUID3:80]<->[80:multiple web servers: IN LAN]
>
> ok.
>
> > HTTPS[internet:443]<-->[443:NATfirewall:10443]-->[SQUID3:443]<-->[443:multiple web servers IN LAN]
>
> ok, kind of... running an SSL domain-based virtual host requires the use
> of a wildcard certificate, which most CAs either won't give you or
> charge you a ridiculous sum for..
>
> > Just to try HTTP accelerator mode, i insert in
> > /usr/local/squid/etc/squid.conf
> >
> > http_access allow our_networks
> > http_access allow all
> > http_port 3128 accel vhost vport=80
>
> Should read
>
> http_port 80 vhost defaultsite=your.main.site
> https_port 443 vhost defaultsite=your.main.site key=/path/to/ssl_key.pem cert=/path/to/ssl_cert.pem
>
> > acl http proto http
> > acl port3128 port 3128
>
> Why port 3128?
Because SQUID3 listens on 3128
>
> > acl domains_server1 dstdomain .domaine1.com .domain2.com
>
> ok.
>
> > cache_peer 192.168.2.2 parent 3128 0 no-query originserver
> > name=www-servers
>
> Kind of.. should be one per web server, or none.. and ports and options
> need to match what the server uses. 3128 does not look right..
>
> > cache_peer_access www-servers allow domains_server1
>
> Ok, except that it should consider if it's http or https...
>
> > http_access allow http port3128 domains_server1
>
> Ok, assuming the port3128 ACL gets redefined properly.
>
> > always_direct allow domains_server1
>
> Don't..
>
> Or if you do that, don't define any cache_peers. But the cache_peer
> based request forwarding is generally more flexible, especially if you
> want to add redundancy to some web servers etc.
>
> > But i always have this error:
> > While trying to retrieve the URL: http://www.domain1.com/
> > The following error was encountered:
> > Access Denied.
>
> Your current http_access rule is the culprit.. vport=80 makes the
> reconstructed URLs all use port 80, while your http_access rule looks
> for port 3128...
>
> Regards
> Henrik
Ok, I changed my squid.conf, and now I have:

http_access allow our_networks
http_access allow all
http_port 3128 vhost vport=80 protocol=http defaultsite=www.domain1.com

acl http proto http
acl port80 port 80
acl domain2_com dstdomain .domain2.com
acl domain1_com dstdomain .domain1.com

cache_peer 192.169.2.2 parent 80 0 no-query originserver name=domain1
cache_peer_access domain1 allow domain1_com

cache_peer 192.168.2.32 parent 80 0 no-query originserver name=domain2
cache_peer_access domain2 allow domain2_com

http_access allow http port80 domain2_com domain1_com
always_direct allow domain2_com domain1_com port80

#misc config
cache_effective_user squid
cache_effective_group squid
dns_nameservers 192.168.2.2 192.168.2.4
visible_hostname dns.domain1.com
cache_mgr webmaster@domain1.com
mail_from webmaster@domain1.com

Problem:
domain2 works well.
domain1 does not; I get this error: Timed out waiting for data
Note: All LAN servers listen on 80 and 443, and the servers are IP-based virtual
hosts. The firewall forwards all http(s) requests to SQUID3.
Another mistake?
Thanks
Regards
Received on Sun Jul 16 2006 - 20:33:44 MDT
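Added example, written for this archive page and not taken from either poster: a Squid 3 squid.conf that puts together the corrections given in the thread (listen on 80/443 rather than 3128, one cache_peer per origin server with matching port and protocol, http_access keyed on the real ports, no always_direct). Site names, origin IPs and certificate paths are placeholders, and the ssl peer options assume Squid was built with SSL support.

```conf
# Added example, not from the thread: Squid 3 accelerator (reverse proxy)
# fronting two LAN origin servers over HTTP and HTTPS. Site names, origin
# IPs and certificate paths are placeholders, not values from the poster.

# Listen on the ports the firewall forwards to (80 and 443, not 3128), so
# the reconstructed URLs and the port-based ACLs agree. One https_port
# presents one certificate for every site behind it (hence the wildcard
# certificate remark above).
http_port 80 accel vhost defaultsite=www.domain1.com
https_port 443 accel vhost defaultsite=www.domain1.com cert=/etc/squid/ssl/wildcard.crt key=/etc/squid/ssl/wildcard.key

# ACLs: which sites are hosted, which ports and protocols are accepted.
acl domain1 dstdomain .domain1.com
acl domain2 dstdomain .domain2.com
acl hosted_sites dstdomain .domain1.com .domain2.com
acl accel_ports port 80 443
acl plain proto HTTP
acl secure proto HTTPS

# One cache_peer per origin server and per protocol; port and ssl option
# must match what the origin actually listens on. sslcafile lets Squid
# verify the origin's certificate instead of accepting anything.
cache_peer 192.168.2.2 parent 80 0 no-query originserver name=domain1_http
cache_peer 192.168.2.2 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ssl/lan-ca.pem name=domain1_https
cache_peer 192.168.2.32 parent 80 0 no-query originserver name=domain2_http
cache_peer 192.168.2.32 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ssl/lan-ca.pem name=domain2_https

# Route each request to the peer for its host AND its protocol, so an
# https request never lands on the origin's plain-HTTP port or vice versa.
cache_peer_access domain1_http allow domain1 plain
cache_peer_access domain1_http deny all
cache_peer_access domain1_https allow domain1 secure
cache_peer_access domain1_https deny all
cache_peer_access domain2_http allow domain2 plain
cache_peer_access domain2_http deny all
cache_peer_access domain2_https allow domain2 secure
cache_peer_access domain2_https deny all

# Only serve the hosted sites on the accelerator ports. A trailing
# "http_access allow all" would turn the accelerator into an open proxy.
http_access allow hosted_sites accel_ports
http_access deny all

# No always_direct: forwarding is decided by cache_peer_access, and
# never_direct stops Squid from bypassing the peers when none matches.
never_direct allow all
```

Run `squid -k parse` against the file before reloading to catch option names the installed build does not support.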

This archive was generated by hypermail pre-2.1.9 : Tue Aug 01 2006 - 12:00:01 MDT