RE: [squid-users] Random image generator w/ reverse-proxy

From: Keith M. Richard <krichard@dont-contact.us>
Date: Tue, 19 Feb 2008 08:47:15 -0600

Amos,

        I have a slightly older version of squid and it is set up as an
accelerator. Let me give you the layout.

Domain name: www.my-company.org
Domain IP: 204.public address
DMZ IP Addr: 172.220.201.135 (squid server)
Internal IP: 192.1.0.59 (Web Server)
SQUID: Loads with the -D for no DNS and the host file has an entry for
192.1.0.59 as www.my-company.org.

Here is a dump from my cache.log from the last restart of squid:
2008/02/18 16:32:29| Starting Squid Cache version 2.6.STABLE6 for i686-redhat-linux-gnu...
2008/02/18 16:32:29| Process ID 23575
2008/02/18 16:32:29| With 1024 file descriptors available
2008/02/18 16:32:29| Using epoll for the IO loop
2008/02/18 16:32:29| DNS Socket created at 0.0.0.0, port 32938, FD 5
2008/02/18 16:32:29| Adding domain groupbenefits.org from /etc/resolv.conf
2008/02/18 16:32:29| Adding nameserver 204.xxx.xxx.xxx from /etc/resolv.conf
2008/02/18 16:32:29| Adding nameserver 204.xxx.xxx.xxx from /etc/resolv.conf
2008/02/18 16:32:29| User-Agent logging is disabled.
2008/02/18 16:32:29| Referer logging is disabled.
2008/02/18 16:32:29| Unlinkd pipe opened on FD 10
2008/02/18 16:32:29| Swap maxSize 10240000 KB, estimated 787692 objects
2008/02/18 16:32:29| Target number of buckets: 39384
2008/02/18 16:32:29| Using 65536 Store buckets
2008/02/18 16:32:29| Max Mem size: 8192 KB
2008/02/18 16:32:29| Max Swap size: 10240000 KB
2008/02/18 16:32:29| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2008/02/18 16:32:29| Rebuilding storage in /var/cache/squid (CLEAN)
2008/02/18 16:32:29| Using Least Load store dir selection
2008/02/18 16:32:29| Current Directory is /
2008/02/18 16:32:29| Loaded Icons.
2008/02/18 16:32:29| Accepting accelerated HTTP connections at 0.0.0.0, port 80, FD 12.
2008/02/18 16:32:29| Accepting accelerated HTTP connections at 0.0.0.0, port 8888, FD 13.
2008/02/18 16:32:29| Accepting HTTPS connections at 0.0.0.0, port 443, FD 14.
2008/02/18 16:32:29| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
2008/02/18 16:32:29| WCCP Disabled.
2008/02/18 16:32:29| Configuring Parent 192.1.0.59/443/0
2008/02/18 16:32:29| Configuring Parent 192.1.0.59/8888/0
2008/02/18 16:32:29| Ready to serve requests.

All I really want to do is set up an http accelerator for this internal
website. I have read everything I can find about this and I guess I do
not understand the options. I do know that the options in squid.conf
change rapidly and I am not running the newest version. I am running the
version that is loaded on my Red Hat server. I have downloaded the
newest version and am planning an upgrade very soon, but I need to
get this going first.

Thanks,
Keith
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@treenet.co.nz]
> Sent: Monday, February 18, 2008 5:13 PM
> To: Keith M. Richard
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Random image generator w/ reverse-proxy
>
> > All,
> >
> > I have a web page on my site that has a randomly generated image (Alpha numeric picture) to allow users to register. I am using squid as an accelerator in my DMZ to this internal web server. Right now the image is coded as an unsecured (http) link/servlet on port 8888, which is just a random port. This is embedded in an HTTPS page. If I don't use squid it works but through squid it fails to display the image.
> > I have checked the firewall and it is properly configured.
> > When I check the firewall's log, it shows the request to 8888 from the outside, but those same requests are never passed through squid for some reason. I have also run Wireshark on the squid server to capture the traffic as users made requests and I see the TCP [SYN] from the client to the squid server's IP address, but then the squid sends a TCP [RST, ACK]. When I watch the same request being made from the squid server running FireFox to the internal web server it makes the handshake. I cannot figure out why the reset is happening.
>
> You have a forwarding loop in the config below.
>
> > I modified the logformat so that I can get some readable data and this is what I get from the output:
> >
> > 18/Feb/2008:13:03:12 -0600 xxx.xxx.xxx.xxx:51651 192.168.0.135:8888 TCP_MISS/404 697 GET http://www.my-company.org/randomimages/servlet/org.groupbenefits.portal.RandomImageGenServlet? FIRST_UP_PARENT/192.1.0.59 text/html
> >
> > ******************************************************************
> > # Basic config
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto http cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 8080 # safe
> > acl Safe_ports port 8888 # safe
>
> Check #1. access to port 8888 is possible. Great.
>
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> >
> > # Accelerator Mode
> > http_port 80 defaultsite=www.my-company.org
>
> check #2. squid is configured as accel or vhost? NOPE.
>
> > http_port 192.1.0.59:8888 defaultsite=www.my-company.org
>
> note #1. squid is itself 192.1.0.59:8888. we come back to this later.
>
> > https_port 443 cert=/etc/squid/cert/portalcert.pem
> > key=/etc/squid/cert/key.pem defaultsite=www.my-company.org
>
> note #2. squid is itself 0.0.0.0:443. we come back to this later.
>
> > cache_peer 192.1.0.59 parent 443 0 no-query originserver ssl login=PASS name=www.my-company.org
>
> so squid is its own parent (see note #2)? All requests destined there will detect a loop and die after timeouts.
>
> > cache_peer 192.1.0.59 parent 8888 0 no-query originserver
>
> so squid is its own parent (see note #1)? All requests destined there will detect a loop and die after timeouts.
>
> > visible_hostname www.my-company.org
> > acl ourSite dstdomain www.my-company.org
> > http_access allow ourSite
>
> Okay. so it _IS_ supposed to be an accelerator. Right now it's just an open proxy for that domain. This is why check #2 failed.
>
> >
> > # Log file and cache options
> > logformat squid %tl %>a:%>p %la:%lp %Ss/%03Hs %<st %rm %ru %Sh/%<A %mt
> > cache_dir ufs /var/cache/squid 100 16 256
> > cache_swap_low 90
> > cache_swap_high 95
> > access_log /var/log/squid/access.log squid
> > cache_log /var/log/squid/cache.log
> > cache_store_log /var/log/squid/store.log
>
> No need for that; just set it to 'none' and save yourself some disk I/O.
>
> > pid_filename /var/spool/squid/squid.pid
> >
> > #Cache Manager settings
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny all
>
> Okay. So there are two parent data sources: squid or squid. Neither of which will ever finish looping the request back to squid.
> And if you are lucky you have another IP registered for www.my-company.org which squid can use to pull the www data from directly. Otherwise you are left with an implicit peer via DIRECT (www.my-company.org A 192.1.0.59), which surprise-surprise has the same effect as both configured peers.
>
> Can you see the problem?
>
> cache_peer MUST NOT loop back to the squid listening ports. In the absence of configured routing inside squid, it accepts any input from its http(s)_ports and requests from any available cache_peer or DIRECT from the DNS-resolved web server.
>
> What you need to do is set the cache_peer IP to being the real (secret) IP of the original web servers for the site and extras. Publish the public IP of squid in DNS as www.my-company.org. And set either a cache_peer_access or cache_peer_domain to route the requests to the proper peer.
>
> Given that you are using a port/url-based determiner for the image servlet, I would suggest cache_peer_access with various ACL to direct requests to the right place.
>
> Amos
>
Received on Tue Feb 19 2008 - 07:47:25 MST
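The forwarding loop Amos points out, as an added example that is not part of the thread or of Squid itself: a small Python checker that parses the http_port/https_port and cache_peer directives of a squid.conf and flags any parent whose host:port is a socket Squid itself accepts requests on. It carries two constructed configs: the directives Keith posted (wrapped lines rejoined) and a corrected variant following Amos's advice (listen only on Squid's own sockets, peer to the origin's internal address, route the servlet by URL with cache_peer_access). The DMZ address 172.220.201.135 is the Squid address Keith gives; the accel option, the peer names www_https and randomimage, the urlpath_regex ACL and the resolve map standing in for DNS are assumptions for illustration.

```python
"""Flag cache_peer entries that point back at Squid's own listening sockets.

Added example for the forwarding loop discussed in the thread; not Squid code.
LOOPING_CONF rejoins the directives Keith posted; FIXED_CONF is an assumed
rewrite along the lines Amos suggests.
"""
from dataclasses import dataclass

WILDCARDS = {"0.0.0.0", "::", "[::]"}
SQUID_DMZ_IP = "172.220.201.135"   # the Squid host's own address, as Keith stated


@dataclass(frozen=True)
class Listener:
    address: str    # "0.0.0.0" when the directive gives a bare port
    port: int
    directive: str  # http_port or https_port


@dataclass(frozen=True)
class Peer:
    host: str
    port: int
    name: str       # name= option if present, else the host


def parse_squid_conf(text):
    """Collect listeners and parents from *_port and cache_peer directives."""
    listeners, peers = [], []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if not tokens:
            continue
        directive = tokens[0]
        if directive in ("http_port", "https_port") and len(tokens) > 1:
            address, _, port = tokens[1].rpartition(":")
            listeners.append(Listener(address or "0.0.0.0", int(port), directive))
        elif directive == "cache_peer" and len(tokens) >= 4:
            # cache_peer <host> <type> <http_port> <icp_port> [options]
            name = next((o[5:] for o in tokens[4:] if o.startswith("name=")), tokens[1])
            peers.append(Peer(tokens[1], int(tokens[3]), name))
    return listeners, peers


def find_forwarding_loops(text, squid_addresses=(), resolve=None):
    """Return (peer, listener) pairs where the peer is one of Squid's own sockets.

    squid_addresses: IPs the Squid host owns (explicit bind addresses in the
    config count too).  resolve: optional hostname->IP map standing in for DNS
    or /etc/hosts, so a peer given by name can be checked offline.
    """
    resolve = resolve or {}
    listeners, peers = parse_squid_conf(text)
    own = set(squid_addresses)
    own.update(l.address for l in listeners if l.address not in WILDCARDS)
    loops = []
    for peer in peers:
        host = resolve.get(peer.host, peer.host)
        for lst in listeners:
            if lst.port != peer.port:
                continue
            # A wildcard listener covers every address Squid owns; a specific
            # bind only loops when the peer targets exactly that address.
            if lst.address == host or (lst.address in WILDCARDS and host in own):
                loops.append((peer, lst))
    return loops


def report(text, squid_addresses, resolve=None):
    loops = find_forwarding_loops(text, squid_addresses, resolve)
    if not loops:
        return "ok: no cache_peer loops back to a Squid listener"
    return "\n".join(f"LOOP: cache_peer {p.name} -> {p.host}:{p.port} is "
                     f"{l.directive} {l.address}:{l.port}" for p, l in loops)


# Constructed from the directives quoted in the thread.
LOOPING_CONF = """\
http_port 80 defaultsite=www.my-company.org
http_port 192.1.0.59:8888 defaultsite=www.my-company.org
https_port 443 cert=/etc/squid/cert/portalcert.pem key=/etc/squid/cert/key.pem defaultsite=www.my-company.org
cache_peer 192.1.0.59 parent 443 0 no-query originserver ssl login=PASS name=www.my-company.org
cache_peer 192.1.0.59 parent 8888 0 no-query originserver
"""

# Assumed rewrite: Squid binds only its own sockets, the parents are the
# origin's internal address, and the servlet is routed by URL path.
FIXED_CONF = """\
http_port 80 accel defaultsite=www.my-company.org
http_port 8888 accel defaultsite=www.my-company.org
https_port 443 accel cert=/etc/squid/cert/portalcert.pem key=/etc/squid/cert/key.pem defaultsite=www.my-company.org
cache_peer 192.1.0.59 parent 443 0 no-query originserver ssl login=PASS name=www_https
cache_peer 192.1.0.59 parent 8888 0 no-query originserver name=randomimage
acl ourSite dstdomain www.my-company.org
acl randomimage urlpath_regex ^/randomimages/
cache_peer_access randomimage allow ourSite randomimage
cache_peer_access randomimage deny all
cache_peer_access www_https allow ourSite !randomimage
cache_peer_access www_https deny all
never_direct allow all
"""

if __name__ == "__main__":
    print(report(LOOPING_CONF, {SQUID_DMZ_IP}))
    print(report(FIXED_CONF, {SQUID_DMZ_IP}))
```

Run stand-alone it reports the two loops behind Amos's notes #1 and #2 for the posted config (the 8888 parent hits the explicit 192.1.0.59:8888 bind, the 443 parent hits the wildcard 443 listener on an address Squid claims) and nothing for the corrected one. The resolve argument covers the DIRECT case Amos mentions: pass the name-to-IP mapping Squid would see, and a parent or site name that resolves to Squid's own public address is reported the same way.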

This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:05 MST