Re: [squid-users] reverse proxy headache

From: Amos Jeffries <squid3@dont-contact.us>
Date: Thu, 24 Jan 2008 10:34:24 +1300 (NZDT)

> Thanks a lot, it worked!
> I had reviewed the ACL syntax and saw that it only accepts one
> parameter after the acl type, however it didn't occur to me that that
> was the same case with the cache_peer access directive.
> The reason to have the regex at the beginning is for it to catch a url
> before the dstdomain catch-all does it below (it's being sent to a
> different server)

Ah, the catch is only done if the entire _access line matches.

... allow RIOS (AND) NEWMILsites

On allow:
 If one matches, it will always check the other condition.
 If one fails, it will never completely match and stops.

The acl definition line is the OR part. All are checked and if ANY match
the whole thing is true.

This is the same for all acl... and *_access... lines.

>
> Thanks again, regards,
> Raymond Hall
>
>
> PS. Have you tried Varnish? Their site claims it's optimized for
> reverse proxying, but I didn't find in the dox the subtle
> configuration possibilities that squid allows.

Hehe, I've been reading a lot of blogs recently saying 'varnish does
everything'.

Hell no. *Squid* does nearly-everything. Varnish does a
few-things-very-fast. As you found in their dox.

Amos

>
> On Jan 22, 2008 8:47 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>>
>> > Hi there,
>> >
>> > I've successfully configured squid as reverse proxy, and it's been
>> > running fine for 2 months now.
>> > I even got it to sort different urls to different servers according to
>> > dstdomain and url-regexp rules.
>> > Now, I just added a new domain to proxy and the answer I get is this:
>> >
>> > ERROR
>> > The requested URL could not be retrieved
>> >
>> > While trying to retrieve the URL: http://www.laaficion.com/
>> >
>> > The following error was encountered:
>> >
>> > * Unable to forward this request at this time.
>> >
>> > This request could not be forwarded to the origin server or to any
>> > parent caches. The most likely cause for this error is that:
>> >
>> > * The cache administrator does not allow this cache to make direct
>> > connections to origin servers, and
>> > * All configured parent caches are currently unreachable.
>> >
>> > The configuration is a bit odd, since I'm running some apache and IIS
>> > servers on different machines on port 80, and also an apache server on
>> > the same machine on port 81. The problem I'm getting is with one of
>> > these domains in port 81, however I had successfully proxied a
>> > different domain on port 81 before (ACL RIOS)
>> >
>> > My squid.conf is this:
>> >
>> > http_port 80 vhost
>> > hierarchy_stoplist cgi-bin
>> > acl QUERY urlpath_regex cgi-bin
>> > no_cache deny QUERY
>> > acl KEEPALIVE url_regex keepalive.htm
>> > no_cache deny KEEPALIVE
>> > auth_param basic children 5
>> > auth_param basic realm Squid proxy-caching web server
>> > auth_param basic credentialsttl 2 hours
>> > auth_param basic casesensitive off
>> > acl all src 0.0.0.0/0.0.0.0
>> > acl manager proto cache_object
>> > acl localhost src 127.0.0.1/255.255.255.255
>> > acl to_localhost dst 127.0.0.0/8
>> > acl SSL_ports port 443 563
>> > acl Safe_ports port 80 # http
>> > http_access allow manager localhost
>> > http_access deny manager
>> > http_access deny !Safe_ports
>> > http_access allow localhost
>> > http_reply_access allow all
>> > icp_access allow all
>> > coredump_dir /var/spool/squid
>> >
>> > #log in apache format
>> > logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
>> > access_log /var/log/squid/access-combi.log combined
>> >
>> > cache_peer 192.168.1.172 parent 80 0 no-query originserver
>> > acl WPUsers url_regex www.milenio.com/wp-login www.milenio.com/wp-admin www.milenio.com/servicios
>> > cache_peer_access 192.168.1.172 allow WPUsers
>> > cache_peer_access 192.168.1.172 deny all
>> >
>> > cache_peer 192.168.1.142 parent 81 0 no-query originserver
>> > acl NEWMILsites url_regex www.milenio.com/anuario
>> >
>> > cache_peer 192.168.1.171 parent 80 0 no-query originserver
>> > acl IISsites dstdomain www.milenio.com vip74.205.91.141
>> > cache_peer_access 192.168.1.171 allow IISsites
>> > cache_peer_access 192.168.1.171 deny all
>> >
>> > acl RIOS dstdomain .riosdetinta.com .riosdetinta.com.mx RIOS
>> > acl AFICION dstdomain .laaficion.com
>> > cache_peer_access 192.168.1.142 allow NEWMILsites RIOS AFICION
>> > cache_peer_access 192.168.1.142 deny all
>> >
>> > http_access allow WPUsers
>> > http_access allow RIOS
>> > http_access allow AFICION
>> > http_access allow NEWMILsites
>> > http_access allow IISsites
>> > http_access deny all
>> >
>> > cache_mem 1 GB
>> > max_filedesc 16384
>> > maximum_object_size 8192 KB
>> > cache_dir ufs /var/spool/squid 1024 64 256
>> > collapsed_forwarding on
>> >
>> >
>> > The new domain and corresponding ACL is: .laaficion.com and ACL AFICION
>> >
>> > I'd appreciate any pointers to what's wrong with this config.
>>
>> The allow line you have requires that the request be to two domains at
>> once. One of the RIOS ones AND an AFICION one simultaneously.
>> cache_peer_access 192.168.1.142 allow NEWMILsites RIOS AFICION
>>
>> Try this instead:
>> cache_peer_access 192.168.1.142 allow RIOS NEWMILsites
>> cache_peer_access 192.168.1.142 allow AFICION NEWMILsites
>> cache_peer_access 192.168.1.142 deny all
>>
>> Also, you don't really want 'RIOS' at the end of the RIOS ACL do you?
>>
>> NP: I place the regex tests _after_ the dstdomain so the dstdomain failure
>> causes the regex not to load the server down.
>>
>> Amos
>>
>>
>>
>
>
>
> --
> I'd rather have an inch of a dog than miles of pedigree.
>
> Dana Burnet
>
Received on Wed Jan 23 2008 - 14:34:31 MST
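
Added example (not part of the original thread, and not Squid's own code): a simplified Python model of the rule explained above, where the values on an acl line are ORed and the ACL names on a *_access line are ANDed. The ACL values come from the quoted squid.conf (without the stray 'RIOS' value); the one-ACL-per-line rule set and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Simplified model of Squid ACL evaluation, written for this example.
# ACL names and values are taken from the squid.conf quoted in the thread.
ACLS = {
    "NEWMILsites": ("url_regex", ["www.milenio.com/anuario"]),
    "RIOS": ("dstdomain", [".riosdetinta.com", ".riosdetinta.com.mx"]),
    "AFICION": ("dstdomain", [".laaficion.com"]),
    "all": ("any", []),
}


def acl_matches(name, url):
    """An acl line is the OR part: true if ANY of its values matches."""
    kind, values = ACLS[name]
    if kind == "any":
        return True
    if kind == "url_regex":
        return any(re.search(v, url) for v in values)
    host = (urlsplit(url).hostname or "").lower()
    # dstdomain: a leading dot matches the domain itself and its subdomains.
    return any(
        host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
        for v in values
    )


def peer_access(rules, url):
    """A *_access line is the AND part: every ACL named on it must match.
    Lines are checked top to bottom and the first full match decides."""
    for action, names in rules:
        if all(acl_matches(n, url) for n in names):
            return action
    return "deny"  # model default; both rule sets below end in 'deny all'


# cache_peer_access 192.168.1.142 lines as originally posted.
ORIGINAL = [("allow", ["NEWMILsites", "RIOS", "AFICION"]), ("deny", ["all"])]

# Constructed variant: one ACL per allow line, so any one of them is enough.
ONE_PER_LINE = [("allow", ["NEWMILsites"]), ("allow", ["RIOS"]),
                ("allow", ["AFICION"]), ("deny", ["all"])]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("one per line", ONE_PER_LINE)):
        print(label, peer_access(rules, "http://www.laaficion.com/"))
```

With the original line no request can satisfy all three ACLs at once, so the peer is never selected and Squid has nowhere to forward the request.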
