Re: [squid-users] Reverse proxy setup with neighbour support

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 17 Dec 2009 10:00:50 +1300

On Wed, 16 Dec 2009 11:50:26 +0000, "Nikolaos Pavlidis"
<Nikolaos.Pavlidis_at_beds.ac.uk> wrote:
> Hello all,
>
> I figured the easiest way to describe what I am trying to do is to...
> draw it. First of all pardon my ignorance since I am relatively new to
> squid. Any help will be much appreciated.
>
>
> The Problem:
>
> Dec 9 17:42:35 cache2 squid[27234]: WARNING: Forwarding loop detected
> for: Client: <cache1_IP> http_port: <cache2_IP>:3128 GET
> internal://site1.domain.com/squid-internal-dynamic/netdb HTTP/1.0 Via:
> 1.0 site1.domain.com:80 (squid) X-Forwarded-For: unknown Host:
> <cache2_IP>:3128 Cache-Control: max-age=259200 Connection:
> keep-alive
>
>
>
>
> Reverse proxy Setup:
>
>                 O  F5 load balanced vhost
>                 |  (DNS A name resolving site1.domain.com
>                 |                        site2.domain.com
>                 |                        site3.domain.com etc.)
>                 |
>         |---------------|
>         |               |
>         |               |
> cache1  O---------------O  cache2
>         |
>         |
>         |
>         |
>         O---------------O--------------O
>        web1            web2           web3
>       site1           site3          site4
>       site2                          site5
>
> Desired path:
> 1. Request for site1
> 2. F5 load balances request to cache1
> 3. cache1 checks own cache
> 4. if NO-HIT check cache2
> 5. else go directly to web1
>

Excellent. This is a basic reverse-proxy with virtual hosting.

The error you mentioned earlier indicates:

 1. Request for site1
 2. F5 load balances request to cache1
 3. cache1: checks own cache
 4. cache1: if NO-HIT check cache2
 5. cache2: if NO-HIT check cache1
 6. cache1: if NO-HIT check cache2 ... FAIL!!
 ...

> Server:
> 64bit SLES 11
>
> Configuration file (what I have done so far):
>
> # NETWORK OPTIONS
> #
>
> -----------------------------------------------------------------------------
> http_port 80 accel defaultsite=site1.domain.com vhost
> http_port 3128 accel defaultsite=site1.domain.com vhost

There should be no need for port 3128 to be reverse-proxy as well.
Dedicate that or another port to proxy-proxy communications.

> visible_hostname site1.domain.com
> offline_mode off
>
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> #
>
> -----------------------------------------------------------------------------
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> # OPTIONS WHICH AFFECT THE CACHE SIZE
> #
>
> -----------------------------------------------------------------------------
> cache_mem 512 MB
> maximum_object_size 32 KB
> maximum_object_size_in_memory 64 Kb
>
> # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> #
>
> -----------------------------------------------------------------------------
> cache_dir aufs /var/cache/squid 61440 16 256
> emulate_httpd_log on
> logfile_rotate 100
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access.log combined
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> debug_options ALL,1,33,3,20,3
>
> # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> #
>
> -----------------------------------------------------------------------------
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> # OPTIONS FOR TUNING THE CACHE
> #
>
> -----------------------------------------------------------------------------
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.css 1440 50% 2880 override-expire
> refresh_pattern -i \.swf 1440 50% 2880 ignore-reload
> override-expire
> refresh_pattern . 1440 50% 4320 override-expire
>
> # ACCESS CONTROLS
> #
>
> -----------------------------------------------------------------------------
>
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> upgrade_http0.9 deny shoutcast
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>

Part 1 of the problem:

You are running a reverse-proxy. All of these initial http_access rules
are forward-proxy security restrictions. In the case of the "allow all" it's
attempting to bypass the regular forward-proxy config by turning it into an
open proxy instead.

The reverse proxy config (your "UNIVERSITY SERVICES ENTRIES" settings)
needs to be set right here, above the forward-proxy config.

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow all

With the reverse-proxy config in the right place you can turn the basic
security back on by changing that above line to "deny all"

> http_reply_access allow all
>
> icp_access allow all
>
> ##########################################
> ###### UNIVERSITY SERVICES ENTRIES ######
> ##########################################
>
> cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
> cache_peer <cache2_IP> parent 3128 3130 proxy-only default

Part 2 of the problem:
 The above config indicates that cache2 is the primary web server (on port
3128) with web1 as a backup source.

I believe your setup needs cache1 and cache2 in a sibling relationship as
'alternative' backup sources of data to each other. Siblings are checked
before parents but a failure at sibling is not fatal to locating the file.

Also, requests received on port 3128 (i.e. from a sibling) should be denied
forwarding to the sibling.

> acl sites_web1 dstdomain site1.domain.com site2.domain.com
> http_access allow sites_web1
> cache_peer_access web1 allow sites_web1
> cache_peer_access web1 deny all
>
> # ADMINISTRATIVE PARAMETERS
> #
>
> -----------------------------------------------------------------------------
>
> shutdown_lifetime 3 second
> httpd_suppress_version_string on
> cache_mgr cachemgr_at_domain.com
>
> # ICP OPTIONS
> #
>
> -----------------------------------------------------------------------------
>
> log_icp_queries on
>
> # MISCELLANEOUS
> #
>
> -----------------------------------------------------------------------------
>
> memory_pools_limit 1024 MB
>
> # DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
> #
>
> -----------------------------------------------------------------------------
>
> coredump_dir /var/spool/squid
>
> -------------------------EO Configuration file -------------------------
>
> Any comments on the configuration would be much appreciated. Thank you
> in advance.
>
> Kind regards,
>
> Nik
Received on Wed Dec 16 2009 - 21:00:54 MST
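The following is an added example, not code from the thread or from the Squid project: a small Python linter that checks the three points made in the reply (reverse-proxy allow rule above a final "deny all" instead of "allow all"; the other cache declared as a sibling rather than a default parent on a non-accel port; requests that arrived on the peer port never forwarded back to the peer) against the fragment posted above and against a corrected fragment for cache1. The corrected fragment is an assumption-laden reconstruction: the peer name cache2, the acl names from_sibling and peer_src, port 3129 as the dedicated proxy-to-proxy port, the unique_hostname value, and the assumption that cache2 mirrors the same config with the names swapped are all choices made here, not settings from the thread. The unique_hostname line is included because Squid's Via-based loop detection keys on it, so two caches sharing one visible_hostname need distinct unique_hostname values.

```python
"""Added example, not from the squid-users thread: lint a squid.conf fragment for
the reverse-proxy/sibling points raised in the reply. Assumed names: peer 'cache2',
acls 'from_sibling' and 'peer_src', port 3129 for proxy-to-proxy traffic, and that
cache2 carries a mirrored config (so 'accel' ports here are also accel on the peer)."""

# Constructed from the fragment quoted in the thread (placeholder IPs kept).
ORIGINAL = """
http_port 80 accel defaultsite=site1.domain.com vhost
http_port 3128 accel defaultsite=site1.domain.com vhost
visible_hostname site1.domain.com
acl all src all
acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access allow all
cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
cache_peer <cache2_IP> parent 3128 3130 proxy-only default
acl sites_web1 dstdomain site1.domain.com site2.domain.com
http_access allow sites_web1
cache_peer_access web1 allow sites_web1
cache_peer_access web1 deny all
"""

# Corrected fragment for cache1 (assumed names/ports, see module docstring).
CORRECTED = """
http_port 80 accel defaultsite=site1.domain.com vhost
http_port 3129                               # plain port, used only by the sibling
visible_hostname site1.domain.com
unique_hostname cache1.domain.com            # loop detection keys on this; differs per box
acl all src all
acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object
acl sites_web1 dstdomain site1.domain.com site2.domain.com
acl from_sibling myport 3129
acl peer_src src <cache2_IP>
cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
cache_peer <cache2_IP> sibling 3129 3130 proxy-only name=cache2
cache_peer_access web1 allow sites_web1
cache_peer_access web1 deny all
cache_peer_access cache2 deny from_sibling   # never bounce a sibling's request back
cache_peer_access cache2 allow sites_web1
cache_peer_access cache2 deny all
http_access allow manager localhost
http_access deny manager
http_access deny from_sibling !peer_src      # only cache2 may talk to the sibling port
http_access allow sites_web1                 # reverse-proxy rule, above the final deny
http_access deny all
"""


def parse(conf):
    """Return [(directive, args)] for every non-blank, non-comment line."""
    rows = []
    for line in conf.splitlines():
        words = line.split('#', 1)[0].split()
        if words:
            rows.append((words[0], words[1:]))
    return rows


def lint(conf):
    """Return a list of findings; an empty list means all three points are satisfied."""
    rows = parse(conf)
    out = []
    accel_ports = {a[0] for d, a in rows if d == 'http_port' and 'accel' in a}
    acls = {a[0]: a[1:] for d, a in rows if d == 'acl' and len(a) > 2}
    for d, a in rows:
        if d != 'cache_peer' or 'originserver' in a[3:]:
            continue                                  # origin servers are fine as parents
        host, ptype, port, opts = a[0], a[1], a[2], a[3:]
        name = next((o[5:] for o in opts if o.startswith('name=')), host)
        if ptype != 'sibling':                        # Part 2: alternative source, not primary
            out.append(f'{name}: declared {ptype}, expected sibling')
        if 'default' in opts:
            out.append(f'{name}: "default" makes it the primary source')
        if port in accel_ports:                       # proxy-to-proxy port should be plain
            out.append(f'{name}: port {port} is also an accel http_port')
        on_peer_port = {n for n, v in acls.items() if v[0] == 'myport' and port in v[1:]}
        if not any(d2 == 'cache_peer_access' and a2[:2] == [name, 'deny']
                   and on_peer_port & set(a2[2:]) for d2, a2 in rows):
            out.append(f'{name}: no cache_peer_access deny for requests arriving on {port}')
    # Part 1: reverse-proxy allow rule must sit above a final "deny all"; no "allow all".
    access = [(a[0], a[1:]) for d, a in rows if d == 'http_access']
    site_acls = {n for n, v in acls.items() if v[0] == 'dstdomain'}
    if ('allow', ['all']) in access:
        out.append('http_access allow all: this is an open proxy')
    if not access or access[-1] != ('deny', ['all']):
        out.append('last http_access rule is not "deny all"')
    site_rule = next((i for i, (v, names) in enumerate(access)
                      if v == 'allow' and site_acls & set(names)), None)
    final = next((i for i, r in enumerate(access) if r == ('deny', ['all'])), None)
    if site_rule is None or (final is not None and site_rule > final):
        out.append('reverse-proxy allow rule missing or placed after "deny all"')
    return out


if __name__ == '__main__':
    for label, conf in (('posted', ORIGINAL), ('corrected', CORRECTED)):
        print(label, lint(conf) or 'OK')
```

Run as-is it reports six findings for the posted fragment and none for the corrected one; point lint() at your own squid.conf text to check the same three properties. The parser is deliberately minimal (one directive per line, trailing # comments stripped) and does not understand include files or the ordering subtleties of every ACL type, so treat a clean result as a sanity check, not proof.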

This archive was generated by hypermail 2.2.0 : Thu Dec 17 2009 - 12:00:02 MST