Re: [squid-users] reverse proxy headache

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 23 Jan 2008 15:47:30 +1300 (NZDT)

> Hi there,
>
> I've successfully configured squid as reverse proxy, and it's been
> running fine for 2 months now.
> I even got it to sort different urls to different servers according to
> dstdomain and url-regexp rules.
> Now, I just added a new domain to proxy and the answer I get is this:
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: http://www.laaficion.com/
>
> The following error was encountered:
>
> * Unable to forward this request at this time.
>
> This request could not be forwarded to the origin server or to any
> parent caches. The most likely cause for this error is that:
>
> * The cache administrator does not allow this cache to make direct
> connections to origin servers, and
> * All configured parent caches are currently unreachable.
>
> The configuration is a bit odd, since I'm running some apache and IIS
> servers on different machines on port 80, and also an apache server on
> the same machine on port 81. The problem I'm getting is with one of
> these domains in port 81, however I had successfully proxied a
> different domain on port 81 before (ACL RIOS)
>
> My squid.conf is this:
>
> http_port 80 vhost
> hierarchy_stoplist cgi-bin
> acl QUERY urlpath_regex cgi-bin
> no_cache deny QUERY
> acl KEEPALIVE url_regex keepalive.htm
> no_cache deny KEEPALIVE
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow localhost
> http_reply_access allow all
> icp_access allow all
> coredump_dir /var/spool/squid
>
> #log in apache format
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access-combi.log combined
>
> cache_peer 192.168.1.172 parent 80 0 no-query originserver
> acl WPUsers url_regex www.milenio.com/wp-login www.milenio.com/wp-admin www.milenio.com/servicios
> cache_peer_access 192.168.1.172 allow WPUsers
> cache_peer_access 192.168.1.172 deny all
>
> cache_peer 192.168.1.142 parent 81 0 no-query originserver
> acl NEWMILsites url_regex www.milenio.com/anuario
>
> cache_peer 192.168.1.171 parent 80 0 no-query originserver
> acl IISsites dstdomain www.milenio.com vip74.205.91.141
> cache_peer_access 192.168.1.171 allow IISsites
> cache_peer_access 192.168.1.171 deny all
>
> acl RIOS dstdomain .riosdetinta.com .riosdetinta.com.mx RIOS
> acl AFICION dstdomain .laaficion.com
> cache_peer_access 192.168.1.142 allow NEWMILsites RIOS AFICION
> cache_peer_access 192.168.1.142 deny all
>
> http_access allow WPUsers
> http_access allow RIOS
> http_access allow AFICION
> http_access allow NEWMILsites
> http_access allow IISsites
> http_access deny all
>
> cache_mem 1 GB
> max_filedesc 16384
> maximum_object_size 8192 KB
> cache_dir ufs /var/spool/squid 1024 64 256
> collapsed_forwarding on
>
>
> The new domain and corresponding ACL is: .laaficion.com and ACL AFICION
>
> I'd appreciate any pointers to what's wrong with this config.

The allow line you have requires that the request be to two domains at
once. One of the RIOS ones AND an AFICION one simultaneously.
  cache_peer_access 192.168.1.142 allow NEWMILsites RIOS AFICION

Try this instead:
  cache_peer_access 192.168.1.142 allow RIOS NEWMILsites
  cache_peer_access 192.168.1.142 allow AFICION NEWMILsites
  cache_peer_access 192.168.1.142 deny all

Also, you don't really want 'RIOS' at the end of the RIOS ACL do you?

NP: I place the regex tests _after_ the dstdomain so the dstdomain failure
causes the regex not to load the server down.

Amos
Received on Tue Jan 22 2008 - 19:47:33 MST
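
Added example (not part of the original thread and not Squid's own code): a small Python model of the rule described in the reply, where all ACLs named on one cache_peer_access line must match together and the lines are tried in order. The ONE_ACL_PER_LINE layout and the sample URLs are assumptions constructed for this example, and only dstdomain and url_regex are modelled.

```python
import re
from urllib.parse import urlsplit

def dstdomain(*domains):
    """dstdomain ACL: a leading dot matches the domain and any subdomain."""
    def match(url):
        host = (urlsplit(url).hostname or "").lower()
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in domains)
    return match

def url_regex(*patterns):
    """url_regex ACL: matches if any pattern is found anywhere in the URL."""
    compiled = [re.compile(p) for p in patterns]
    return lambda url: any(c.search(url) for c in compiled)

# ACL definitions copied from the posted squid.conf (stray 'RIOS' value left out).
ACLS = {
    "NEWMILsites": url_regex(r"www.milenio.com/anuario"),
    "RIOS": dstdomain(".riosdetinta.com", ".riosdetinta.com.mx"),
    "AFICION": dstdomain(".laaficion.com"),
    "all": lambda url: True,
}

def peer_allowed(rules, url):
    """Walk cache_peer_access lines in order; a line applies only if ALL its ACLs match."""
    for action, names in rules:
        if all(ACLS[n](url) for n in names):
            return action == "allow"
    return False  # not reached while the list ends in 'deny all'

# The line from the posted config: three ACLs ANDed together.
ORIGINAL = [("allow", ["NEWMILsites", "RIOS", "AFICION"]), ("deny", ["all"])]

# Assumed layout for this example: one ACL per line, so the lines act as an OR.
ONE_ACL_PER_LINE = [("allow", ["RIOS"]), ("allow", ["AFICION"]),
                    ("allow", ["NEWMILsites"]), ("deny", ["all"])]

if __name__ == "__main__":
    # Constructed sample URLs, not taken from any log.
    for url in ("http://www.laaficion.com/", "http://www.riosdetinta.com/",
                "http://www.milenio.com/anuario/2007", "http://www.milenio.com/"):
        print(url, peer_allowed(ORIGINAL, url), peer_allowed(ONE_ACL_PER_LINE, url))
```

With the original line no URL can reach the peer, because one Host header cannot fall under both RIOS and AFICION, so every request drops through to "deny all".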
