[squid-users] Reverse Proxy, multiple web servers, only one is reachable

From: Joaquín Puga <jpdelrio_at_gmail.com>
Date: Tue, 19 May 2009 13:40:41 -0700

Hi there.

Currently we are running squid 2.5.STABLE3 under RHEL3. However, this
week our SSL certificate will expire and the new certificate is a
chained certificate, which is not supported by that version of squid.
Also it is an old server in need of an upgrade, so we are trying to
configure squid 2.6.STABLE21 (running under RHEL 5.3) as a reverse
proxy, but after reading the documentation, the FAQ and many emails
from the email lists we still can't figure out what we are doing
wrong.

- We have 4 web sites with public IPs x.y.z.47, x.y.z.48, x.y.z.49 and
x.y.z.50.
Each web site is hosted on a different server with IPs x.y.z.247,
x.y.z.248, x.y.z.249 and x.y.z.250 (x.y.z.47 goes to x.y.z.247, etc.).
Our DNS server runs on the same box as squid.

- x.y.z.48 is using SSL connections.

- With the current configuration www.mywebsite.ca and
www1.mywebsite.ca work, but when trying to go to the other websites we
get to www.mywebsite.ca instead.

If we remove the # from the cache_peer_domain lines then the only
website accessible is www1.mywebsite.ca. The other websites time out
and we get this error message:

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.mywebsite.ca/

The following error was encountered:

    * Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any
parent caches. The most likely cause for this error is that:

    * The cache administrator does not allow this cache to make direct
connections to origin servers, and
    * All configured parent caches are currently unreachable.

Your cache administrator is root.
Generated Tue, 19 May 2009 17:16:35 GMT by www1.mywebsite.ca
(squid/2.6.STABLE21)

- It's our understanding that squid uses /etc/squid/hosts to have the
hostnames redefined and to get traffic to the backend servers. So if
the client requests www.mywebsite.ca, whose DNS record is x.y.z.47,
squid uses the hosts file to resolve www.mywebsite.ca to x.y.z.247. Is
this correct?

- We also want to avoid people connecting to the websites using any
IPs (either x.y.z.47, .48, etc. or x.y.z.247, .248, etc.).

Below you can find the configuration files. Please let me know if you
need more information. I'd really appreciate it if you could point me in
the right direction.

#Squid.conf [version 2.5.STABLE3]:
#-----------------------------------------------------
http_port 80
https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1
icp_port 0
cache_dir null /tmp
acl all_no_cache src 0/0
no_cache deny all_no_cache
#Path to the host file
hosts_file /etc/squid/hosts
httpd_accel_host virtual
httpd_accel_uses_host_header on
visible_hostname www1.mywebsite.ca
acl all src 0.0.0.0/0.0.0.0
acl mynet src x.y.z.0/255.255.255.0
http_access allow all
http_access allow mynet
http_access deny all

#squid.conf version 2.6.STABLE21
#-------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
acl mynet src x.y.z.0/255.255.255.0
http_access allow all
http_access allow mynet
http_access allow localhost
http_access deny all
icp_access allow all

http_port 80 accel vhost
https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1 accel vhost

cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver
name=www_mywebsite
cache_peer x.y.z.248 parent 80 0 no-query no-digest originserver
name=www1_mywebsite
cache_peer x.y.z.249 parent 80 0 no-query no-digest originserver
name=www_mywebsiteusa
cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver name=webmail

#cache_peer_domain www_mywebsite www.mywebsite.ca
#cache_peer_domain www1_mywebsite www1.mywebsite.ca
#cache_peer_domain www_mywebsiteusa www.mywebsiteusa.com
#cache_peer_domain webmail web.mywebsite.ca

#acl acl_www_mywebsite dstdomain www.mywebsite.ca
#acl acl_www1_mywebsite dstdomain www1.mywebsite.ca
#acl acl_www_mywebsiteusa dstdomain www.mywebsiteusa.com
#acl acl_webmail dstdomain webmail.mywebsite.ca

hierarchy_stoplist cgi-bin ?
cache_dir null /tmp
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname www1.mywebsite.ca
hosts_file /etc/squid/hosts
coredump_dir /var/spool/squid

#/etc/squid/hosts
-----------------------------------------------------------
x.y.z.247 www.mywebsite.ca
x.y.z.248 www1.mywebsite.ca
x.y.z.249 www.mywebsiteusa.com
x.y.x.250 webmail.mywebsite.ca

Thanks a lot.

Joaquin Puga.
Received on Tue May 19 2009 - 20:40:50 MDT
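An added example, not from the original post or from the Squid project, of the reverse-proxy pattern Squid 2.6 supports for several virtual hosts: each site gets a dstdomain ACL, cache_peer_access routes only that ACL to the matching originserver, and http_access admits only the named hostnames. It reuses the hostnames, peer names, certificate paths and x.y.z placeholder addresses from the post above; the ACL names site_* are chosen here.

```conf
# Added example: Squid 2.6 reverse proxy, four virtual hosts to four origin
# servers. Addresses x.y.z.* are the post's own placeholders.

http_port 80 accel vhost
https_port x.y.z.48:443 accel vhost cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem

# One origin server per site. originserver marks these as web servers, not
# caches, so no hosts_file entry is needed to reach them: the address is here.
cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver name=www_mywebsite
cache_peer x.y.z.248 parent 80 0 no-query no-digest originserver name=www1_mywebsite
cache_peer x.y.z.249 parent 80 0 no-query no-digest originserver name=www_mywebsiteusa
cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver name=webmail

# Select by the requested hostname (Host header under vhost), not by source IP.
acl all          src 0.0.0.0/0.0.0.0
acl site_www     dstdomain www.mywebsite.ca
acl site_www1    dstdomain www1.mywebsite.ca
acl site_usa     dstdomain www.mywebsiteusa.com
acl site_webmail dstdomain webmail.mywebsite.ca

# Each peer may be used for its own hostname only.
cache_peer_access www_mywebsite    allow site_www
cache_peer_access www_mywebsite    deny  all
cache_peer_access www1_mywebsite   allow site_www1
cache_peer_access www1_mywebsite   deny  all
cache_peer_access www_mywebsiteusa allow site_usa
cache_peer_access www_mywebsiteusa deny  all
cache_peer_access webmail          allow site_webmail
cache_peer_access webmail          deny  all

# Allow rules come before the final deny: Squid stops at the first match.
# A request whose Host header is a bare address (x.y.z.47 or x.y.z.247)
# matches no dstdomain ACL and is refused here, which covers the "no access
# by IP" requirement from the post.
http_access allow site_www
http_access allow site_www1
http_access allow site_usa
http_access allow site_webmail
http_access deny all

# Never contact an origin directly; every request must go through a peer.
never_direct allow all
```

Check the result with `squid -k parse` before reloading; a request for a hostname not listed above should produce an access denied page rather than a page from the wrong backend.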
