Re: [squid-users] Reverse Proxy, multiple web servers, only one is reachable

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 May 2009 14:22:06 +1200 (NZST)

> Hi there.
>
> Currently we are running squid 2.5.STABLE3 under RHEL3. However, this
> week our ssl certificate will expire and the new certificate is a
> chained certificate, which is not supported by that version of squid.
> Also it is an old server in need of an upgrade, so we are trying to
> configure squid 2.6.STABLE21 (running under RHEL 5.3) as a reverse
> proxy, but after reading the documentation, the FAQ and many emails
> from the email lists we still can't figure out what we are doing
> wrong.
>
> - We have 4 web sites with public IPs x.y.z.47, x.y.z.48, x.y.z.49 and
> x.y.z.50.
> Each web site is hosted on a different server with IPs x.y.z.247,
> x.y.z.248, x.y.z.249 and x.y.z.250 (x.y.z.47 goes to x.y.z.247, etc.)
> Our DNS server runs on the same box as squid.
>
> - x.y.z.48 is using ssl connections.
>
> - With the current configuration www.mywebsite.ca and
> www1.mywebsite.ca work, but when trying to go to the other websites we
> get to www.mywebsite.ca instead.
>
> If we remove the # from the cache_peer_domain lines then the only
> website accessible is www1.mywebsite.ca. The other websites time out
> and we get this error message:
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: http://www.mywebsite.ca/
>
> The following error was encountered:
>
> * Unable to forward this request at this time.
>
> This request could not be forwarded to the origin server or to any
> parent caches. The most likely cause for this error is that:
>
> * The cache administrator does not allow this cache to make direct
> connections to origin servers, and
> * All configured parent caches are currently unreachable.
>
> Your cache administrator is root.
> Generated Tue, 19 May 2009 17:16:35 GMT by www1.mywebsite.ca
> (squid/2.6.STABLE21)
>
> - It's our understanding that squid uses /etc/squid/hosts to have the
> hostnames redefined and to get traffic to the backend servers. So if
> the client requests www.mywebsite.ca, whose DNS record is x.y.z.47,
> squid uses the hosts file to resolve www.mywebsite to x.y.z.247. Is
> this correct?

Not for reverse proxies. The destination is solely dependent on the
'address/host' value in cache_peer. If it's an IP, that is used. If it's an
FQDN then DNS is checked on startup/reconfigure. The hosts file overrides DNS.

Your attempted squid.conf using IPs (x.y.z.247 etc) is the best way to go.

>
> - We also want to avoid people connecting to the websites using any
> IPs (either x.y.z.47, .48, etc. or x.y.z.247, .248, etc.)
>

See notes inline with your 2.6 config.

>
> Below you can find the configuration files. Please let me know if you
> need more information. I'd really appreciate if you could point me in
> the right direction.
>
> #Squid.conf [version 2.5.STABLE3]:
> #-----------------------------------------------------
> http_port 80
> https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1
> icp_port 0
> cache_dir null /tmp
> acl all_no_cache src 0/0
> no_cache deny all_no_cache
> #Path to the host file hosts_file /etc/squid/hosts
> httpd_accel_host virtual
> httpd_accel_uses_host_header on
> visible_hostname www1.mywebsite.ca
> acl all src 0.0.0.0/0.0.0.0
> acl mynet src x.y.z.0/255.255.255.0
> http_access allow all
> http_access allow mynet
> http_access deny all
>
>
> #squid.conf version 2.6.STABLE21
> #-------------------------------------------------
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> acl mynet src x.y.z.0/255.255.255.0

> http_access allow all
> http_access allow mynet
> http_access allow localhost
> http_access deny all
> icp_access allow all

Kill all of the above http_access and icp_access. It's not needed and
prevents Squid from halting bad requests early in the process.

>
> http_port 80 accel vhost
> https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1 accel vhost

Correct.

>
> cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver name=www_mywebsite
> cache_peer x.y.z.248 parent 80 0 no-query no-digest originserver name=www1_mywebsite
> cache_peer x.y.z.249 parent 80 0 no-query no-digest originserver name=www_mywebsiteusa
> cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver name=webmail

Correct.

Here is where things go askew slightly. You need some controls to branch
the requests to the right peer based on the domain wanted.

>
> #cache_peer_domain www_mywebsite www.mywebsite.ca
> #cache_peer_domain www1_mywebsite www1.mywebsite.ca
> #cache_peer_domain www_mywebsiteusa www.mywebsiteusa.com
> #cache_peer_domain webmail web.mywebsite.ca

They should work. It's the crude hammer way to do it, but simple when you
don't have sub-domain clauses (i.e. *.mywebsite.ca EXCEPT www1.mywebsite.ca
and webmail.mywebsite.ca).

If you only want www.mywebsite.ca, www1.mywebsite.ca, webmail.mywebsite.ca
then these will work for you.

Finer control can be gained using ACLs (as you defined below):

>
> #acl acl_www_mywebsite dstdomain www.mywebsite.ca
> #acl acl_www1_mywebsite dstdomain www1.mywebsite.ca
> #acl acl_www_mywebsiteusa dstdomain www.mywebsiteusa.com
> #acl acl_webmail dstdomain webmail.mywebsite.ca

But these only define the ACL lists, they still need to be used:

  cache_peer_access www_mywebsite allow acl_www_mywebsite
  cache_peer_access www_mywebsite deny all
  http_access allow acl_www_mywebsite

... repeat for each peer.

... finish with:
  http_access deny all

>
> cache_dir null /tmp

Make sure you have as much RAM as possible and set cache_mem to as big a
value as you can without causing swapping under peak loads.

<snip remainder>
>
> #/etc/squid/hosts
> -----------------------------------------------------------
> x.y.z.247 www.mywebsite.ca
> x.y.z.248 www1.mywebsite.ca
> x.y.z.249 www.mywebsiteusa.com
> x.y.z.250 webmail.mywebsite.ca
>
> Thanks a lot.
>
> Joaquin Puga.
>

HTH
Amos
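As an added example (not part of Amos's reply or Joaquin's post), here is the 2.6 squid.conf assembled from the notes above: peers addressed by IP, one dstdomain ACL per site used both to route requests with cache_peer_access and to admit them with http_access, and no leading `http_access allow all`. The x.y.z.* addresses, hostnames and certificate paths are the poster's placeholders; the cache_mem value and the never_direct line are additions that the thread does not discuss.

```conf
# squid 2.6 reverse proxy: four origin servers, one public hostname each.
# Assembled as an example from the advice in this thread; not the poster's
# file. x.y.z.* addresses and certificate paths are placeholders.

visible_hostname www1.mywebsite.ca
icp_port 0
cache_dir null /tmp
# Assumption: size this to the box. Raise it until swapping would start at peak load.
cache_mem 512 MB

http_port 80 accel vhost
https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1 accel vhost

# 'all' is not predefined in 2.6; the deny rules below need it.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

# One origin per site, addressed by IP, so neither DNS nor /etc/squid/hosts
# is consulted when choosing the backend.
cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver name=www_mywebsite
cache_peer x.y.z.248 parent 80 0 no-query no-digest originserver name=www1_mywebsite
cache_peer x.y.z.249 parent 80 0 no-query no-digest originserver name=www_mywebsiteusa
cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver name=webmail

# One dstdomain ACL per site. A request carrying a bare IP (x.y.z.47 or
# x.y.z.247) in its Host header matches none of them.
acl acl_www_mywebsite    dstdomain www.mywebsite.ca
acl acl_www1_mywebsite   dstdomain www1.mywebsite.ca
acl acl_www_mywebsiteusa dstdomain www.mywebsiteusa.com
acl acl_webmail          dstdomain webmail.mywebsite.ca

# Branch each domain to its own peer and to nothing else.
cache_peer_access www_mywebsite    allow acl_www_mywebsite
cache_peer_access www_mywebsite    deny  all
cache_peer_access www1_mywebsite   allow acl_www1_mywebsite
cache_peer_access www1_mywebsite   deny  all
cache_peer_access www_mywebsiteusa allow acl_www_mywebsiteusa
cache_peer_access www_mywebsiteusa deny  all
cache_peer_access webmail          allow acl_webmail
cache_peer_access webmail          deny  all

# Admit only requests for the four names. Rules are first-match, so there
# is no leading 'http_access allow all'; anything else, including requests
# addressed by IP, ends at the final deny.
http_access allow manager localhost
http_access deny  manager
http_access allow acl_www_mywebsite
http_access allow acl_www1_mywebsite
http_access allow acl_www_mywebsiteusa
http_access allow acl_webmail
http_access deny  all

# Addition not discussed in the thread: a reverse proxy should never fall
# back to fetching directly from whatever host the client named.
never_direct allow all
```

Validate the file with `squid -k parse` before reloading. To confirm the IP restriction the poster asked for, request http://x.y.z.47/ and http://x.y.z.247/ from a client: Squid should answer with its own access-denied page rather than serving www.mywebsite.ca, and access.log should show the denial with no peer selected.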
Received on Wed May 20 2009 - 02:22:16 MDT

This archive was generated by hypermail 2.2.0 : Thu May 21 2009 - 12:00:01 MDT