RE: [squid-users] Problem with Reverse Proxy and multiple domains

From: Drew Wrobel <phoenix1972_at_hotmail.com>
Date: Tue, 3 Mar 2009 13:26:22 -0500

I made the changes you suggested, but I started getting the following error messages in the log:

123456.com w.x.y.z - - [03/Mar/2009:12:09:45 -0500] "GET http://123456.com/ HTTP/1.1" 403 1379 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" TCP_DENIED:NONE

When I went to the web site, I got the squid ERR_ACCESS_DENIED page instead.

Here are the new lines that I had put in as you suggested. Not sure if I overdid it with the http_access lines.

Had one question though. Since the web-server is handling both www.123456.com and 123456.com, is the first acl valid
for both?

I also took out the entries for abcdef and 987zyx and it still doesn't work. What am I missing/doing wrong?

http_port 80 accel vhost

acl 123456 dstdomain 123456.com
acl abcdef dstdomain abcdef.com
acl 987zyx dstdomain 987zyx.com

cache_peer_access 192.168.2.10 allow 123456
cache_peer_access 192.168.2.10 allow abcdef
cache_peer_access 192.168.2.10 allow 987zyx
cache_peer_access 192.168.2.10 deny all
http_access allow 123456
http_access allow abcdef
http_access allow 987zyx

cache_peer_access 192.168.2.11 allow 123456
cache_peer_access 192.168.2.11 allow abcdef
cache_peer_access 192.168.2.11 allow 987zyx
cache_peer_access 192.168.2.11 deny all
http_access allow 123456
http_access allow abcdef
http_access allow 987zyx

cache_peer_access 192.168.2.12 allow 123456
cache_peer_access 192.168.2.12 allow abcdef
cache_peer_access 192.168.2.12 allow 987zyx
cache_peer_access 192.168.2.12 deny all
http_access allow 123456
http_access allow abcdef
http_access allow 987zyx

http_access deny all
never_direct allow all

> Date: Tue, 3 Mar 2009 11:10:08 +1300
> Subject: Re: [squid-users] Problem with Reverse Proxy and multiple domains
> From: squid3_at_treenet.co.nz
> To: phoenix1972_at_hotmail.com
> CC: squid-users_at_squid-cache.org
>
>>
>> I'm currently running Squid 2.6 stable 22 as a caching server.
>>
>> It is acting as a front-end for a bunch of servers answering for
>> www.123456.com and 123456.com. Without any problems.
>>
>> I have updated the apache configuration for handling web traffic for
>> www.abcdef.com, abcdef.com, www.987zyx.com and 987zyx.com.
>>
>> If I hit the web servers with the various domains, I get the desired web
>> site without any problems.
>>
>> The problem I'm running into with Squid is that no matter what domain I
>> enter, squid is treating all the traffic for www.123456.com.
>>
>> So if I enter www.987zyx.com via squid, I get the www.123456.com web site
>> instead.
>>
>> Here is a copy of the squid configuration I'm using. What am I doing
>> wrong?
>>
>
> Using the broken and obsolete squid-2.5 method of 'acceleration'.
>
> I've placed inline alterations to update this to 2.6 requirements...
>
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>>
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> coredump_dir /var/cache/squid
>
>> http_port 80 accel vport
>
> http_port 80 accel vhost
>
>> cache_peer 192.168.2.10 parent 80 0 no-query originserver round-robin
>> login=PASS
>> cache_peer 192.168.2.11 parent 80 0 no-query originserver round-robin
>> login=PASS
>> cache_peer 192.168.2.12 parent 80 0 no-query originserver round-robin
>> login=PASS
>
> KILL this:
>> acl webserver dst 192.168.2.10 192.168.2.11 192.168.2.12
>
> acl 123456 dstdomain .123456.com
>
> (if you want to be VERY tricky:
> acl 123456 dst 192.168.2.10
> )
>
> cache_peer_access 192.168.2.10 allow 123456
> cache_peer_access 192.168.2.10 deny all
> http_access allow 123456
>
> ... repeat as appropriate for each webserver. Including _separate_ ACLs
> for each one.
>
> Followed with:
> http_access deny all
> never_direct allow all
>
> Kill all the below http_*:
>
>> http_access allow webserver
>> http_access allow all
>> miss_access allow webserver
>> miss_access allow all
>> http_access deny all
>>
>
>> icp_access deny all
>>
>> acl loadbalancer1 src 192.168.3.125
>> acl loadbalancer2 src 192.168.3.126
>> follow_x_forwarded_for allow loadbalancer1
>> follow_x_forwarded_for allow loadbalancer2
>> follow_x_forwarded_for allow all
>> acl_uses_indirect_client on
>> delay_pool_uses_indirect_client on
>> log_uses_indirect_client on
>>
>> logformat combined %{Host}>h %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %h"
>> "%{User-Agent}>h" %Ss:%Sh
>> access_log /var/log/squid/access.log combined
>> collapsed_forwarding on
>> vary_ignore_expire on
>>
>> cache_effective_user squid
>> cache_store_log none
>> client_db off
>> cache_mem 512 MB
>> cache_dir ufs /var/cache/squid 3000 10 10
>>
>
> Amos
>
>

Received on Tue Mar 03 2009 - 18:26:32 MST
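
The leading dot in the reply's "acl 123456 dstdomain .123456.com" matters: a dstdomain value without it matches that exact host name only, while the dotted form matches the domain and all of its subdomains. The Python sketch below is an added example, not part of the original thread and not Squid code; it models only dstdomain matching and first-match http_access evaluation over the ACL lines posted above, and its function names are made up for illustration.

```python
# Added example: simplified model of two Squid rules, not Squid's own code.
# dstdomain "example.com" matches that host only; ".example.com" matches the
# domain and every subdomain. http_access: the first matching line decides.

def dstdomain_match(pattern, host):
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse(conf):
    """Collect dstdomain ACLs and http_access rules from squid.conf text."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#")[0].split()
        if len(words) >= 4 and words[0] == "acl" and words[2] == "dstdomain":
            acls.setdefault(words[1], []).extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def http_access(conf, host):
    """Return 'allow' or 'deny' for a request whose URL host is `host`."""
    acls, rules = parse(conf)
    for action, names in rules:
        # ACL names on one line are ANDed; "all" is treated as always true.
        if all(n == "all" or any(dstdomain_match(p, host) for p in acls.get(n, []))
               for n in names):
            return action
    return "deny"  # model fallback; not reached when the list ends in "deny all"

# The ACL and http_access lines from the message, duplicates collapsed.
AS_POSTED = """
acl 123456 dstdomain 123456.com
acl abcdef dstdomain abcdef.com
acl 987zyx dstdomain 987zyx.com
http_access allow 123456
http_access allow abcdef
http_access allow 987zyx
http_access deny all
"""
# Same rules with the leading dot used in the reply.
LEADING_DOT = AS_POSTED.replace("dstdomain ", "dstdomain .")
HOSTS = ["123456.com", "www.123456.com", "www.987zyx.com", "other.example"]

def compare():
    return {h: (http_access(AS_POSTED, h), http_access(LEADING_DOT, h)) for h in HOSTS}

if __name__ == "__main__":
    for host, (posted, dotted) in compare().items():
        print(f"{host:18} as posted: {posted:5}  leading dot: {dotted}")
```

It covers only these two rules and does not account for the 403 logged above for the bare 123456.com.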
