Re: [squid-users] Reverse Proxy + Multiple Webservers woes

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 8 Apr 2009 14:39:14 +1200 (NZST)

> Hello,
>
> I am new to squid but not new to reverse proxies. I am trying to
> implement a proxy that would work like this:
>
> www.example.com -> server 1
> example.com -> server 1
> dev.example.com -> server 2
>
> I have read the wiki here:
> wiki.squid-cache.org/SquidFaq/ReverseProxy
>
> But I can't get it to work and I am about to pull my hair out.
>
> My squid.conf looks like:
> --------
> http_port 80 accel defaultsite=example.com
> cache_peer 192.168.1.114 parent 80 0 no-query originserver name=server_2
> cache_peer_domain server_2 dev.example.com
> cache_peer 192.168.1.115 parent 80 0 no-query originserver name=server_1
> cache_peer_domain server_1 example.com
> --------
>
> This gives me a big fat: "Access Denied"
>
> So I added this to my squid.conf:
> -------
> acl our_sites dstdomain example.com dev.example.com
> http_access allow our_sites
> -------
>

Correct.

> This clears the "Access Denied" however now all traffic goes to "server_1"
> (the .115 addy).

This is because cache_peer_domain lists a set of domain suffixes, i.e. it
has an implicit wildcard built-in to the domain pattern *.example.com /
*.dev.example.com.

>
> I have tried all sorts of cute ACLs including but not limited to declaring
> ACLs for server_1 and server_2 respectively and allowing access to
> server_1 from server_1 sites and denying server_2 sites and vice versa.
> However this just gives me an "Access Denied" for all sites.
>
> I have also tried every example found on this issue in the Wiki. I feel
> like the Wiki is leaving out a key config line that is causing this not to
> work, but I could be wrong.

You can't cleanly mix the cache_peer_domain and cache_peer_access.
Perhaps you were doing that.

I think you want this:

  http_port 80 accel defaultsite=example.com

  cache_peer 192.168.1.114 parent 80 0 no-query originserver name=server_2

  acl dev dstdomain dev.example.com
  cache_peer_access server_2 allow dev
  cache_peer_access server_2 deny all
  http_access allow dev

  cache_peer 192.168.1.115 parent 80 0 no-query originserver name=server_1

  acl www dstdomain example.com www.example.com
  cache_peer_access server_1 allow www
  cache_peer_access server_1 deny all
  http_access allow www

  http_access deny all

If you are still having problems with the above, then I think the error is
elsewhere than the peering config.

>
> I am running squid:
> Squid Cache: Version 2.7.STABLE6
> configure options: '--disable-internal-dns'

Good idea to re-enable that.

Amos
Received on Wed Apr 08 2009 - 01:39:17 MDT
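
Added example (not part of the original message, and not Squid's own code): a simplified Python model of the first-match evaluation of the http_access and cache_peer_access rules in the config suggested above, showing which origin each Host is routed to and that unlisted names are refused. It assumes dstdomain matches exactly unless the pattern starts with a dot; the function names and the "no rule matched means deny" fallback are assumptions of the model.

```python
# Simplified model of first-match ACL evaluation; directives copied from the reply above.
CONFIG = """
cache_peer 192.168.1.114 parent 80 0 no-query originserver name=server_2
acl dev dstdomain dev.example.com
cache_peer_access server_2 allow dev
cache_peer_access server_2 deny all
http_access allow dev
cache_peer 192.168.1.115 parent 80 0 no-query originserver name=server_1
acl www dstdomain example.com www.example.com
cache_peer_access server_1 allow www
cache_peer_access server_1 deny all
http_access allow www
http_access deny all
"""

def parse(text):
    acls, peers, peer_rules, http_rules = {}, {}, {}, []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "acl" and tok[2] == "dstdomain":
            acls.setdefault(tok[1], []).extend(tok[3:])
        elif tok[0] == "cache_peer":
            name = next(t.split("=", 1)[1] for t in tok if t.startswith("name="))
            peers[name] = tok[1]
        elif tok[0] == "cache_peer_access":
            peer_rules.setdefault(tok[1], []).append((tok[2], tok[3]))
        elif tok[0] == "http_access":
            http_rules.append((tok[1], tok[2]))
    return acls, peers, peer_rules, http_rules

def acl_matches(domains, host):
    # dstdomain: "example.com" is exact; ".example.com" also covers subdomains
    return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d)) for d in domains)

def first_match(acls, rules, host):
    for action, acl in rules:
        if acl == "all" or acl_matches(acls[acl], host.lower()):
            return action == "allow"
    return False  # model assumption: no rule matched means deny

def route(host, config=CONFIG):
    acls, peers, peer_rules, http_rules = parse(config)
    if not first_match(acls, http_rules, host):
        return "DENIED"
    for name, addr in peers.items():
        if first_match(acls, peer_rules.get(name, []), host):
            return addr
    return "NO_PEER"
```

In this model a Host such as staging.example.com, which is in neither ACL, is refused by the final "http_access deny all" instead of being forwarded to either origin.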
