Re: [squid-users] Reverse proxy and virtual host question

From: <f010f_at_aol.com>
Date: Tue, 15 Sep 2009 20:03:22 -0400

-----Original Message-----
From: Amos Jeffries
Sent: Tue, Sep 15, 2009 8:45 pm
Subject: Re: [squid-users] Reverse proxy and virtual host question

f0..._at_aol.com wrote: 
> Hi all, 
> > I hope you guys can help me as I am still confused on how squid
> configuration works.
> > I hosted 3 domains in one server which IP addr is 10.0.0.80. 
> > Basically, I am trying to do reverse proxy and virtual host
scenario: 
> > If people browse public.company.com 
> then it goes to 10.0.0.80 port 80 
> > If people browse private.company.com 
> then it goes to 10.0.0.80 port 91
> > If people browse www.company.com 
> then it goes to 10.0.0.80 port 80 
> except people from 192.168.1.0/24, which takes them to 10.0.0.80 port 91
> > I still cannot do the scenario above. Can you guys help me with my
> squid.conf please, where am I going wrong?
> > Here is my squid.conf and I am using squid-3.1.0.13 
> > http_port 80 accel defaultsite=www.company.com vhost 
> > cache_peer 10.0.0.80 port 80 0 no-query originserver name=pubAccel 
> cache_peer 10.0.0.80 port 91 0 no-query originserver name=prvAccel 
> > acl pub_sites dstdomain public.company.com 
> acl prv_sites dstdomain private.company.com 
> acl www_sites dstdomain www.company.com 
> > acl internal src 192.168.1.0/24 
> > http_access allow pub_sites 
> http_access allow prv_sites 
> http_access allow www_sites
> > cache_peer_access pubAccel allow pub_sites 
> cache_peer_access pubAccel deny all 
> > cache_peer_access prvAccel allow prv_sites 
> cache_peer_access prvAccel deny all 
>  
You have already specified "deny all" for both prvAccel and pubAccel.
The following lines will never be tested. 
 
> cache_peer_access pubAccel allow pub_sites 
> cache_peer_access prvAccel allow internal 
> cache_peer_access pubAccel deny all 
 
For them to work they need to be placed above the respective "deny all"
lines and match your access requirements.
 
For example: 
 
  # If people browse public.company.com ... 
  cache_peer_access pubAccel allow pub_sites !internal 
  # If people browse www.company.com ... except people from internal 
  cache_peer_access pubAccel allow www_sites !internal 
  # nobody else 
  cache_peer_access pubAccel deny all 
 
  # If people browse private.company.com ... 
  cache_peer_access prvAccel allow prv_sites 
  # If people browse www.company.com ... from internal 
  cache_peer_access prvAccel allow internal www_sites
  # nobody else 
  cache_peer_access prvAccel deny all 
 
One thing I would suggest: also prevent private.* from being accessed
from outside the company.
 
Which changes the first prvAccel rule to: 
  cache_peer_access prvAccel allow internal prv_sites 
> > # Below standard configuration from Squid 3.1.0.13 
> acl manager proto cache_object 
> acl localhost src 127.0.0.1/32 
> acl to_localhost dst 127.0.0.0/8 
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network 
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network 
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network 
> acl SSL_ports port 443 
> acl Safe_ports port 80 # http 
> acl Safe_ports port 21 # ftp 
> acl Safe_ports port 443 # https 
> acl Safe_ports port 70 # gopher 
> acl Safe_ports port 210 # wais 
> acl Safe_ports port 1025-65535 # unregistered ports 
> acl Safe_ports port 280 # http-mgmt 
> acl Safe_ports port 488 # gss-http 
> acl Safe_ports port 591 # filemaker 
> acl Safe_ports port 777 # multiling http 
> acl CONNECT method CONNECT 
> http_access allow manager localhost 
> http_access deny manager 
> http_access deny !Safe_ports 
> http_access deny CONNECT !SSL_ports 
> http_access allow localnet 
> http_access allow localhost 
> http_port 3128 
 
For only a reverse proxy you do not need the standard configuration
above. 
 
Simply do: 
  http_access deny all 
 
> hierarchy_stoplist cgi-bin ? 
> coredump_dir /usr/local/squid/var/cache 
> refresh_pattern ^ftp: 1440 20% 10080 
> refresh_pattern ^gopher: 1440 0% 1440 
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320 
> > # End squid.conf 
> > Thanks in advance for your help 
 
Amos 
-- Please be using 
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19 
  Current Beta Squid 3.1.0.13 

-----End Message-----

Thank you so much for your time. I followed your instructions and it
worked.
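The ordering problem Amos points out (lines after "deny all" are never tested) and the effect of his corrected rule set are easy to check with a small model of Squid's first-match ACL evaluation. The script below is an added example and is not part of the thread or of Squid itself; it reimplements only the pieces of cache_peer_access semantics needed here (ACL terms on one line are ANDed, "!" negates, the first matching line for a peer decides, and the peer that is used is the first one whose rules allow the request). The ACL names, peer names, addresses and the three rule sets are taken from the messages above; the outside client address 203.0.113.9 is constructed.

```python
import ipaddress

# ACLs as defined in the poster's squid.conf (constructed model, not Squid code)
ACLS = {
    "pub_sites": ("dstdomain", {"public.company.com"}),
    "prv_sites": ("dstdomain", {"private.company.com"}),
    "www_sites": ("dstdomain", {"www.company.com"}),
    "internal": ("src", ipaddress.ip_network("192.168.1.0/24")),
    "all": ("all", None),
}


def acl_matches(name, host, src):
    """Evaluate one named ACL against the request's Host and client address."""
    kind, value = ACLS[name]
    if kind == "all":
        return True
    if kind == "dstdomain":
        return host.lower() in value
    if kind == "src":
        return ipaddress.ip_address(src) in value
    raise ValueError(f"unknown ACL kind {kind}")


def line_matches(terms, host, src):
    """All ACL terms on one line are ANDed; a leading '!' negates that term."""
    for term in terms:
        negate = term.startswith("!")
        if acl_matches(term.lstrip("!"), host, src) == negate:
            return False
    return True


def peer_allowed(rules, peer, host, src):
    """First matching cache_peer_access line for this peer decides.
    If no line matches, Squid applies the opposite of the last line's action;
    a peer with no lines at all is allowed."""
    last_action = None
    for rule_peer, action, terms in rules:
        if rule_peer != peer:
            continue
        last_action = action
        if line_matches(terms, host, src):
            return action == "allow"
    return True if last_action is None else last_action == "deny"


def select_peer(rules, host, src, peers=("pubAccel", "prvAccel")):
    """First peer (in cache_peer order) whose rules allow the request, else None.
    Simplification: Squid's choice among several eligible peers is more involved."""
    for peer in peers:
        if peer_allowed(rules, peer, host, src):
            return peer
    return None


def parse_rules(text):
    """Parse 'cache_peer_access <peer> <allow|deny> <acl...>' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        directive, peer, action, *terms = line.split()
        if directive == "cache_peer_access":
            rules.append((peer, action, terms))
    return rules


# The poster's ordering: the three lines after the 'deny all's are unreachable.
ORIGINAL = parse_rules("""
cache_peer_access pubAccel allow pub_sites
cache_peer_access pubAccel deny all
cache_peer_access prvAccel allow prv_sites
cache_peer_access prvAccel deny all
cache_peer_access pubAccel allow pub_sites
cache_peer_access prvAccel allow internal
cache_peer_access pubAccel deny all
""")

# Amos's example (www_sites for internal clients routed to prvAccel).
CORRECTED = parse_rules("""
cache_peer_access pubAccel allow pub_sites !internal
cache_peer_access pubAccel allow www_sites !internal
cache_peer_access pubAccel deny all
cache_peer_access prvAccel allow prv_sites
cache_peer_access prvAccel allow internal www_sites
cache_peer_access prvAccel deny all
""")

# Amos's follow-up: private.* reachable only from inside the company.
HARDENED = parse_rules("""
cache_peer_access pubAccel allow pub_sites !internal
cache_peer_access pubAccel allow www_sites !internal
cache_peer_access pubAccel deny all
cache_peer_access prvAccel allow internal prv_sites
cache_peer_access prvAccel allow internal www_sites
cache_peer_access prvAccel deny all
""")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED), ("hardened", HARDENED)):
        print(name)
        for host in ("public.company.com", "private.company.com", "www.company.com"):
            for src in ("192.168.1.5", "203.0.113.9"):
                print(f"  {host:22} from {src:12} -> {select_peer(rules, host, src)}")
```

Running it prints a routing table per rule set: under the original ordering www.company.com reaches no peer at all, under the corrected set internal clients go to prvAccel (port 91) and outside clients to pubAccel (port 80), and under the hardened set an outside client asking for private.company.com gets no peer. The model also makes visible that the "!internal" term on the pub_sites line leaves internal clients without a peer for public.company.com; whether that is wanted is a policy decision for the operator, and the line is easy to adjust once the evaluation order is understood.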
Received on Wed Sep 16 2009 - 00:03:43 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 16 2009 - 12:00:03 MDT