Re: [squid-users] Reverse proxy setup with squid 2.6+

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 01 Mar 2008 22:36:00 +1300

Russ Gnann wrote:
> We are currently looking up upgrade our squid servers from 2.5 to 2.6 or higher. In our current configuration, we send requests to the origin servers to a single IP address that points to a load balancer which is associated with a pool of web servers. In 2.5, this is easy to do with the httpd_accel_* directives, but in 2.6 I know that those directives have been replaced by the http_port directive with accel, vhost, vport, etc. options. I have supplied the squid.conf we are attempting to use below with a build of 2.6. With this configuration, it appears that any connection attempt that doesn't get a cache hit resolves the virtual host, and makes an HTTP connection to that resolved public IP instead sending the request to the internal 10.x.x.11 address.
>
> Is there a way under squid 2.6 and higher to force any request that doesn't make a cache hit to a single backend IP address? The vhost option is necessary with http_port since the Host: header must contain the Virtual Host name as our web servers use that data to determine what which site to serve.
>

You require a cache_peer directive and a cache_peer_access with ACLs.
Those will direct cache-misses to the actual source you configure
without doing the DNS lookups.

Amos

>
> squid build:
> # /opt/squid-2.6.16/sbin/squid -v
> Squid Cache: Version 2.6.STABLE16
> configure options: '--prefix=/opt/squid-2.6.16' '--enable-async-io' '--enable-snmp' '--enable-removal-policies=heap' '--enable-referer-log' '--enable-useragent-log'
>
> ----- squid.conf -----
> acl snmppublic snmp_community local-squid-ro
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl local_network src 172.16.0.0/16 10.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl web_ports port 80
> http_access allow web_ports
> http_access allow manager localhost
> http_access allow manager local_network
> http_access deny manager
> acl purge method PURGE
> http_access allow purge localhost
> http_access allow purge local_network
> http_access deny purge
> http_access allow all
> icp_access allow all
> http_port 80 accel defaultsite=10.x.x.11 vhost
> cache_peer 10.x.x.11 parent 80 0 no-query originserver
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> memory_replacement_policy heap LFUDA
> cache_replacement_policy heap LFUDA
> logformat CustomLog %>a %ui %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" "%{Cookie}>h" %Ss:%Sh
> access_log /opt/squid-2.6.16/var/logs/custom.log CustomLog
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_effective_user www
> cache_effective_group www
> visible_hostname squid.domain.com
>
>
>
> Regards,
>
> Russell

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Sat Mar 01 2008 - 02:35:32 MST

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:04 MDT