[squid-users] RE: Reverse Proxy that listens and forwards to multiple ports to the same backend server

From: Andy Litzinger <Andy.Litzinger_at_theplatform.com>
Date: Wed, 12 Aug 2009 10:29:37 -0700

I should have mentioned I am running Squid3.0 Stable 18

> -----Original Message-----
> From: Andy Litzinger
> Sent: Wednesday, August 12, 2009 10:03 AM
> To: 'squid-users_at_squid-cache.org'
> Subject: Reverse Proxy that listens and forwards to multiple ports to
> the same backend server
>
> Hi all,
> I'm banging my head on what I think should be a simple config. I
> want squid to receive requests on port 80 and forward them on to the
> origin server on port 80. I also want squid to receive requests on
> port 8081 and forward requests to the same origin server on port 8081.
>
> I have a Load Balancer (BigIP) sitting in front of my Squid server and
> the origin server Squid points to is also actually a VIP on the LB that
> sits in front of a pool of real origin servers.
>
> The goal is simple proxy- I'm not caching anything (that is working
> fine).
>
> Clients connect to http/https://my.test.com
> This resolves in my DNS to 192.168.94.225, a VIP hosted on the LB that
> forwards traffic on to Squid.
> The origin server VIP for the content is 192.168.94.226
>
>
> This is what the flows should look like focusing only on the
> destination TCP port as it goes through each device:
> Desired HTTP request flow:
> Request port 80 ---> LB ---> request port 80 ---> Squid ---> request
> port 80 ---> origin VIP on LB ----> request port 8080 ---> server
> listening on port 8080
>
> Desired HTTPS request flow:
> Request port 443 ---> LB (SSL offload) ---> request port 8081 --->
> Squid ---> request port 8081 ---> Origin VIP on LB ----> request port
> 8081 ---> server listening on port 8081
>
>
> What I see happening for the HTTPS requests is that the request arrives
> properly at the squid server on port 8081, but squid forwards the
> request to the Origin VIP on port 80 instead of 8081.
>
> Here is the config I'm trying:
>
> http_port 80 accel defaultsite=my.test.com
> http_port 8081 accel defaultsite=my.test.com
> icp_port 0
> htcp_port 0
> snmp_port 3401
>
> debug_options ALL,1 33,2
>
> cache_peer 192.168.94.226 parent 80 0 no-query no-digest originserver name=my_test
> cache_peer 192.168.94.226 parent 8081 0 no-query no-digest originserver name=my_test_ssl
>
> acl our_http_port port 80
> acl our_ssl_port port 8081
> acl my_test_dom dstdomain my.test.com
>
> cache_peer_access my_test_ssl allow our_ssl_port my_test_dom
> cache_peer_access my_test_ssl deny all
>
> cache_peer_access my_test allow our_http_port my_test_dom
> cache_peer_access my_test deny all
>
> # acl to block caching
> acl our_sites dstdomain .test.com
> # acl listing the IP of each vip
> acl vips dst 192.168.94.225
> acl acceleratedPort port 80 8081
>
> # we do NOT want the responses to
> # any requests to be cached.
> cache deny our_sites
> # Allow requests to make it through to the VIPs
> # but only on the expected ports
> http_access allow vips acceleratedPort
> http_access deny all
> http_reply_access allow all
>
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname testproxy.test.com
> unique_hostname testsquid01
>
> client_db off
> uri_whitespace allow
> strip_query_terms off
> relaxed_header_parser on
> minimum_expiry_time 30 seconds
>
> request_header_access Accept-Encoding deny all
>
> any suggestions?
>
> Thanks!
> Andy
Received on Wed Aug 12 2009 - 17:41:51 MDT
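
One way to make peer selection follow the listening port, shown as an added example that is not part of the original post or of any reply on the list: in squid.conf the `port` ACL type matches the destination port in the request URL, while `myport` matches the local TCP port the client connection arrived on. The fragment reuses the poster's names and addresses and assumes the URL rebuilt by `accel defaultsite=` (no `vport`) carries no `:8081`, which is consistent with the symptom described.

```conf
# Added example (not the poster's config): select the origin peer by the
# port Squid accepted the connection on, not by the port in the URL.
http_port 80 accel defaultsite=my.test.com
http_port 8081 accel defaultsite=my.test.com

cache_peer 192.168.94.226 parent 80 0 no-query no-digest originserver name=my_test
cache_peer 192.168.94.226 parent 8081 0 no-query no-digest originserver name=my_test_ssl

acl my_test_dom dstdomain my.test.com

# As posted: "port" is evaluated against the port of the request URL.
# acl our_http_port port 80
# acl our_ssl_port port 8081

# Alternative: "myport" is evaluated against the local listening port.
acl our_http_port myport 80
acl our_ssl_port myport 8081

cache_peer_access my_test_ssl allow our_ssl_port my_test_dom
cache_peer_access my_test_ssl deny all
cache_peer_access my_test allow our_http_port my_test_dom
cache_peer_access my_test deny all

# Keep the access rule tied to the two listeners as well, so only traffic
# that arrived on an expected port is forwarded to the origin VIP.
acl vips dst 192.168.94.225
acl acceleratedListeners myport 80 8081
http_access allow vips acceleratedListeners
http_access deny all
```

With `debug_options ALL,1 33,2` from the original config still in place, cache.log can be used to confirm which peer each request on port 8081 is sent to.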
