Re: [squid-users] Question about ACLs and http_access in Squid 3

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 26 Oct 2008 02:25:29 +1300

Tom Williams wrote:
> Amos Jeffries wrote:
>> Tom Williams wrote:
>>> Ok, now that I've basically got Squid 3 configured as a HTTP
>>> accelerator, I have a question about ACL rules and http_access.
>>>
>>> Here is the basic config: I've got two web servers behind a load
>>> balancer. The idea is to have Squid server as a HTTP accelerator
>>> for Apache so it will cache static content (like global site
>>> graphics, etc) leaving Apache to deal with traffic that requires
>>> database access.
>>>
>>> Here are my configuration lines:
>>>
>>> acl directIP dst aaa.bbb.ccc.ddd/32
>>> acl website dstdomain .mydomain.com
>>>
>>> #Recommended minimum configuration:
>>> #
>>> # Only allow cachemgr access from localhost
>>> http_access allow manager localhost
>>> http_access deny manager
>>> # Deny requests to unknown ports
>>> http_access deny !Safe_ports
>>> # Deny CONNECT to other than SSL ports
>>> http_access deny CONNECT !SSL_ports
>>> #
>>> # We strongly recommend the following be uncommented to protect innocent
>>> # web applications running on the proxy server who think the only
>>> # one who can access services on "localhost" is a local user
>>> http_access deny to_localhost
>>> #
>>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>>
>>> # Example rule allowing access from your local networks.
>>> # Adapt localnet in the ACL section to list your (internal) IP networks
>>> # from where browsing should be allowed
>>> http_access allow localnet
>>> http_access allow directIP
>>> http_access allow website
>>>
>>> # And finally deny all other access to this proxy
>>> http_access deny all
>>>
>>>
>>> Now, when I point my browser at:
>>>
>>> http://aaa.bbb.ccc.ddd/
>>>
>>> I get an access denied 403 error page from Squid.
>>>
>>> If I point my browser at:
>>>
>>> http://www.mydomain.com/
>>>
>>> It works just fine. www.mydomain.com resolves to the
>>> aaa.bbb.ccc.ddd. IP address.
>>>
>>> Why does the domain work yet the IP doesn't? What am I missing?
>>>
>>
>> All of the actual acceleration bits :)
>> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>>
>>
>> Amos
>
> Thanks for the suggestion. I had looked at that article before but it
> didn't address my problem, unfortunately.

You said "The idea is to have Squid server as a HTTP accelerator" -
accelerator being another name for reverse-proxy.

What you have configured is a standard forward-proxy, which has been
configured as an open proxy with global access somewhat limited to the
domains *.mydomain.com and an IP address, presumably the proxy itself.

The critical pieces of an accelerator as described by the Squid FAQ are
some accelerator flags "http_port 80 accel vhost
destdomain=mydomain.com" and the correct configuration of cache_peer
entries to indicate where the true hidden data source for squid is.

> Is there a way to enable
> some debug level that will log exceptions processing the http_access
> rules? I'm getting TCP_DENIED/403 messages in access.log, like this:
>
> 1224898553.333 2 www.xxx.yyy.zzz TCP_DENIED/403 2434 GET
> http://aaa.bbb.ccc.ddd/ - NONE/- text/html
>
> yet I can't generate any debug info to provide more information as to
> why the TCP_DENIED was issued.

Because the IP aaa.bbb.ccc.ddd is squid, yes?
Squid forward-proxy requested for itself gets... itself, which gets...
itself... and so on until things go barf.

Amos

-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
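Added example, not from Amos's reply or Tom's config: a minimal squid.conf fragment that turns the posted forward-proxy setup into the accelerator the FAQ describes. It assumes the load balancer in front of the two Apache servers listens at 10.0.0.10:80 (hypothetical address) and that Squid itself is the host on port 80. Note that the option Amos refers to as "destdomain=" is spelled `defaultsite=` in the http_port directive; `vhost` makes Squid take the site name from the request's Host header.

```conf
# squid.conf fragment: Squid as a reverse proxy (accelerator) for www.mydomain.com
# Assumptions (not from the thread): origin load balancer at 10.0.0.10:80;
# Squid listens on port 80 at aaa.bbb.ccc.ddd.

# Listen as an accelerator. 'vhost' derives the site from the Host header;
# 'defaultsite' fills it in for HTTP/1.0 clients that send no Host header.
http_port 80 accel vhost defaultsite=www.mydomain.com

# The hidden data source: the load balancer. 'originserver' marks the peer as
# the web server itself rather than another proxy; 'no-query' disables ICP.
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=origin

# Never go direct to the URL host. Without this, a request whose Host is
# Squid's own address is fetched "directly" from Squid itself, the loop
# described in the reply above.
never_direct allow all

# Only our own site is accepted by the proxy and only our own site is sent
# upstream. Keep the stock hygiene rules from the default config (manager,
# Safe_ports, CONNECT, to_localhost) above these lines.
acl website dstdomain .mydomain.com
http_access allow website
# No 'http_access allow localnet' in a reverse proxy: that is a forward-proxy
# grant that would let internal clients reach arbitrary Internet hosts.
http_access deny all
cache_peer_access origin allow website
cache_peer_access origin deny all

# Optional (assumption: aaa.bbb.ccc.ddd is Squid's own address). A request for
# http://aaa.bbb.ccc.ddd/ carries the IP in its Host header, which the dstdomain
# ACL does not match, so it needs its own ACL and peer grant. Place these lines
# before the corresponding 'deny all' rules above.
#acl site_ip dst aaa.bbb.ccc.ddd/32
#http_access allow site_ip
#cache_peer_access origin allow site_ip
```

After reloading, a request for http://www.mydomain.com/ should show the origin peer in access.log (FIRST_UP_PARENT/origin or a cache hit) instead of NONE/-; anything outside .mydomain.com is still refused at http_access, so the box does not become an open proxy.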
Received on Sat Oct 25 2008 - 13:25:32 MDT

This archive was generated by hypermail 2.2.0 : Sat Oct 25 2008 - 12:00:03 MDT