[squid-users] Reverse Proxy that listens and forwards to multiple ports to the same backend server

From: Andy Litzinger <Andy.Litzinger_at_theplatform.com>
Date: Wed, 12 Aug 2009 10:03:03 -0700

Hi all,
  I'm banging my head on what I think should be a simple config. I want squid to receive requests on port 80 and forward them on to the origin server on port 80. I also want squid to receive requests on port 8081 and forward requests to the same origin server on port 8081.

I have a Load Balancer (BigIP) sitting in front of my Squid server and the origin server Squid points to is also actually a VIP on the LB that sits in front of a pool of real origin servers.

The goal is a simple proxy; I'm not caching anything (that is working fine).

Clients connect to http/https://my.test.com
This resolves in my DNS to 192.168.94.225, a VIP hosted on the LB that forwards traffic on to Squid.
The origin server VIP for the content is 192.168.94.226

This is what the flows should look like focusing only on the destination TCP port as it goes through each device:
Desired HTTP request flow:
Request port 80 ---> LB ---> request port 80 ---> Squid ---> request port 80 ---> origin VIP on LB ----> request port 8080 ---> server listening on port 8080

Desired HTTPS request flow:
Request port 443 ---> LB (SSL offload) ---> request port 8081 ---> Squid ---> request port 8081 ---> Origin VIP on LB ----> request port 8081 ---> server listening on port 8081

What I see happening for the HTTPS requests is that the request arrives properly at the squid server on port 8081, but squid forwards the request to the Origin VIP on port 80 instead of 8081.

Here is the config I'm trying:

http_port 80 accel defaultsite=my.test.com
http_port 8081 accel defaultsite=my.test.com
icp_port 0
htcp_port 0
snmp_port 3401

debug_options ALL,1 33,2

cache_peer 192.168.94.226 parent 80 0 no-query no-digest originserver name=my_test
cache_peer 192.168.94.226 parent 8081 0 no-query no-digest originserver name=my_test_ssl

acl our_http_port port 80
acl our_ssl_port port 8081
acl my_test_dom dstdomain my.test.com

cache_peer_access my_test_ssl allow our_ssl_port my_test_dom
cache_peer_access my_test_ssl deny all

cache_peer_access my_test allow our_http_port my_test_dom
cache_peer_access my_test deny all

# acl to block caching
acl our_sites dstdomain .test.com
# acl listing the IP of each vip
acl vips dst 192.168.94.225
acl acceleratedPort port 80 8081

# we do NOT want the responses to
# any requests to be cached.
cache deny our_sites
# Allow requests to make it through to the VIPs
# but only on the expected ports
http_access allow vips acceleratedPort
http_access deny all
http_reply_access allow all

cache_effective_user squid
cache_effective_group squid
visible_hostname testproxy.test.com
unique_hostname testsquid01

client_db off
uri_whitespace allow
strip_query_terms off
relaxed_header_parser on
minimum_expiry_time 30 seconds

request_header_access Accept-Encoding deny all

Any suggestions?

Thanks!
 Andy
Received on Wed Aug 12 2009 - 17:03:20 MDT
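
Added example, not part of the original post and not the Squid project's own configuration: a variant of the peer-selection rules above that picks the peer by the listening port the request arrived on (the `myport` ACL type) instead of the port in the request URL (the `port` ACL type). It assumes the accelerated URL is rebuilt from defaultsite=my.test.com with no port, so `port` sees 80 on both listeners, which is consistent with the symptom described; the ACL names arrived_on_80, arrived_on_8081 and acceleratedListener are hypothetical.

```squidconf
# Added example. Addresses, peer names and my_test_dom are taken from the
# posted config; the arrived_on_* and acceleratedListener names are made up.

http_port 80 accel defaultsite=my.test.com
http_port 8081 accel defaultsite=my.test.com

cache_peer 192.168.94.226 parent 80 0 no-query no-digest originserver name=my_test
cache_peer 192.168.94.226 parent 8081 0 no-query no-digest originserver name=my_test_ssl

# As posted: "port" tests the port in the request URL. Assumption: with
# defaultsite=my.test.com the rebuilt URL is http://my.test.com/..., so the
# URL port is 80 even for requests received on 8081, and only the my_test
# peer (port 80) is ever allowed.
#   acl our_http_port port 80
#   acl our_ssl_port port 8081

# Variant: "myport" tests the local TCP port the client connected to,
# so each listener maps to its own peer regardless of the URL.
acl arrived_on_80 myport 80
acl arrived_on_8081 myport 8081
acl my_test_dom dstdomain my.test.com

cache_peer_access my_test_ssl allow arrived_on_8081 my_test_dom
cache_peer_access my_test_ssl deny all

cache_peer_access my_test allow arrived_on_80 my_test_dom
cache_peer_access my_test deny all

# Same reasoning for the access rule: to restrict by listener rather than
# by URL port, match on myport here as well.
acl vips dst 192.168.94.225
acl acceleratedListener myport 80 8081
http_access allow vips acceleratedListener
http_access deny all
```

With debug_options ALL,1 33,2 as in the posted config, cache.log can be used to confirm which peer each request on 8081 is sent to after the change.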
