Re: [squid-users] Squid as a non caching reverse proxy on Windows

On Sun, 23 Aug 2009 22:44:26 +0100, Lyle <webmaster_at_cosmicperl.com> wrote:
> Amos Jeffries wrote:
>> Lyle wrote:
>>> Hi All,
>>> I've been having some trouble getting this setup. Initially I was
>>> following a guide that didn't use a reverse proxy:-
>>> http://news.ycombinator.com/item?id=612419
>>> Which worked great locally, but not for any other computers. So I
>>> figured it was missing a reverse proxy. I've managed to get Squid
>>> installed and running on windows after following:-
>>> http://www.ausgamers.com/features/read/2638752
>>>
>>> The issue is configuring it to act as a non caching reverse proxy, I
>>> tried reading:-
>>> http://www.visolve.com/squid/whitepapers/reverseproxy.php
>>> But the internal DNS bits at the bottoms aren't clear and left me at
>>> a loss.
>>> I also read:-
>>> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>>> But found it difficult to follow.
>>>
>>> Here is what I'm trying to achieve:-
>>>
>>> I have one public IP, let's call it 100.100.100.100. In my local
>>> network I have multiple machines. Two of them are 192.168.1.10 and
>>> 192.168.1.20
>>> On 192.168.1.10 I have Squid installed bound to 127.0.0.1:80 and both
>>> IIS7 and Apache 2.2 on the same machine. Apache bound to 127.0.0.2:80
>>> and IIS 127.0.0.3:80. 192.168.1.20 has Apache bound to port 80.
>>>
>>> Apache is serving test1.domain.com and IIS test2.domain.com, Apache
>>> on 192.168.1.20 is serving test3.domain.com.
>>> In my local etc/hosts file I've got:-
>>> test1.domain.com 127.0.0.2
>>> test2.domain.com 127.0.0.3
>>> test3.domain.com 192.168.1.20
>>> Which works great locally.
>>>
>>> domain.com is hosted on an external server. I've updated it's DNS
>>> records with a new entry for test1 2 and 3 pointing to
>>> 100.100.100.100. If I ping any of them it get 100.100.100.100
>>>
>>> All I need is the squid config to get the incoming requests and
>>> forward to the correct local server based on domain name. But I just
>>> can't seem to get my head around it, or find any straight forwards
>>> guides online.
>>>
>>> Pls help :(
>>
>>
>> Hi Lyle,
>> That first tutorial seems to omit any info what its goal really is
>> and has confused you terribly.
>>
>> Your Squid should _NOT_ be one of the apps listening on 127.0.0.*
>>
>> 127.0.0.* access is a private range only available to programs running
>> on the same machine. When you have a public-facing Squid reverse proxy
>> on the same machine for two web servers it makes sense to place the
>> web servers on 127.*. But the Squid still has to be listening on
>> 192.168.1.20 or 100.100.100.100.
>>
>>
>> Setup your Squid like this to handle multiple virtual-hosted domains:
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
>>
>> and add these bits to it for handing multiple web servers:
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers
>>
>>
>> Note that with dstdomain ACL and others Squid does not need to use DNS
>> to figure out which web server each requests goes to. So hosts file is
>> not used.
>>
>> The public-facing DNS should of course point all domains the three
>> software service at the Squid listening IP so people can access them.
>>
>> Amos
>
> Thanks Amos,
> I've followed those pages and managed to get it working :) The only
> things I'll note for anyone else that finds this post are:-
> * The order in which the conf appears is very important.

_always_ true for squid.conf regardless of the config.

Google says its closing on the 5,000th anniversary of us saying this to
exact phrase to people:
http://www.google.co.nz/search?q=squid+%22order+is+important%22

It's probably the most-mentioned FAQ entry around.

> * To allow anyone in to view http from the internet:-
> #http_access deny all
> http_access allow all

Eeek. No, no , no.

The config was clear. Setup an ACL listing the domains you are hosting.
Permit access to just them not the rest of the Internet via your proxy.
The recommended config makes Squid act as a partial firewall for attack
requests. With 'http_access allow all' your backend will be wide open to
any faked domain lookup designed to hog resources and DoS you.

> * If people can't get in from the internet check your firewall and open
> port 80

:)

Amos
Received on Mon Aug 24 2009 - 00:26:14 MDT