Re: [squid-users] Help with accelerated site

From: <Adam_at_Gmail>
Date: Sun, 28 Mar 2010 23:27:47 +0100

Hi Hassan,

If I had made a long email before is because somebody asked me to post some
of my log files
some of my config file, some of my iptables and explain what I was trying to
achieve so they can see.
There was one email where I tried to express my frustration it was not
directed to anybody in particular.

Anyway, if you read my posts you'd see that I have tested this with and
without the vhost
If I use http_port 3128 vhost I can access my websites internally and
externally right?
If I use it without the vhost my network clients will have access to the
internet through the proxy
but nobody can access the websites from outside I get the error

The requested URL could not be retrieved
That's all I asked if there's a way around this or is it one or the other
situation?
Regards
Adam
----- Original Message -----
From: "Nyamul Hassan" <mnhassan_at_usa.net>
To: "Squid Users" <squid-users_at_squid-cache.org>
Sent: Sunday, March 28, 2010 11:09 PM
Subject: Re: [squid-users] Help with accelerated site

See what happened? While you answered to the parts where I complained
about your mailing-list behaviour, you failed to try out what was
suggested, and report back with the logs.

All the other "criticisms" that you make, is making the emails
unnecessarily big. That's the main complaint from myself (and probably
others too), so please stop all the other messages.

Did you make the change back to without vhost? Where are you stuck now?

The way I see it, without using vhost, you have:
1. A reverse proxy where out-of-network requests are properly
forwarded to your not-in-same-box Web Servers
2. A forward proxy, where all your internal network customers can
access the Internet using Squid as their proxy.
3. However, the "internal" requests don't work for only domains
"hosted" in your Web Servers as in #1.

Please mention if this is correct. Or specify where it is wrong.

Regards
HASSAN

On Mon, Mar 29, 2010 at 3:49 AM, Adam_at_Gmail <adbasque_at_googlemail.com> wrote:
>
> Hi Hassan,
>
>
>
> Did you read the page:
> http://www.squid-cache.org/Versions/v2/2.7/cfgman/http_port.html
>
>
> Yes I did read it and I read a great deal more and I have been on many
> forums, and I have been through the mailing list and and...
> Yes it says it clearly but what it doesn't say clearly is whether your
> clients can have access to the internet and let people access your
> websites via a proxy
> that's what I was asking.
>
>
>
>
> Under "vhost", it clearly says:
> Accelerator mode using Host header for virtual domain support. Implies
> accel.
>
> So, if you want Squid listener on 3128 to be acting as "forward
> proxy", then don't use "vhost". When your internal users are hitting
> squid for regular internet usage, every port 80 website is
> automatically proxied, including your internal ones.
>
> If it is not working, then there must be a relevant line in the
> "access.log" or "cache.log" which will tell you what happened to that
> request.
>
>
> You are configuring the same box for both "forward" and "reverse"
> proxy, which can be tricky. If you are indeed a "developer" (and no,
> writing HTML does not count), then you need to use your programming
> hat a bit more when you're trying to even configure open source
> software.
>
> Did you read:
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
> It explains a lot of "concepts". Please go through them, and try to
> understand how all this is supposed to work.
>
>
> Yes I have read this too
>
> Please do not "bombard" the list with email after email without
> getting a response first. Not nice.
>
> Most irritating is when someone:
> 1. appears to not have "read the manual" with great care (read it)
> 2. appears to have not "searched" the internet for this problem (Done it)
> 3. starts to blame the software because they can't make it work (yes
> because some softwares are badly written)
> 4. starts to "whine" on the mailing list, and sends emails one after (I
> thought that was where you can get help, No?)
> another without waiting for an acceptable time (at least 48 hours) for (I
> only did it once, because I forgot something or I had something else to
> add)
> someone to respond
>
>
> Regards
> HASSAN
> I don't understand why is it that you never help on this mailing list the
> only time we see you is when somebody complains
> then suddenly you popup from somewhere all the time you keep silent, you
> never help with solutions or suggestions.
> Yes Squid whether you like it or not is by far not the easiest piece of
> software to use or to configure it doesn't mean it is brilliant
> It's difficult and I know it can be made to be a lot easier and user
> friendly without having to go a great length of time to understand
> its logic, not because you used it for a long time or you are somehow
> involved that you think everybody should open the box and get it to work
> If that was the case, why then we have the mailing list?? If that was as
> simple as you're trying to make out.
>
> Please if the only time you show up is to tell me what and I mustn't
> do then spare me your moral lectures on how I should behave.
>
> If this mailing list is "yours" and I am irritating you then say so I will
> leave and leave you in peace.
> Other than that please keep away from me
> This is the second time and it's once too many.
>
> Regards
> Adam
>
>
> On Mon, Mar 29, 2010 at 1:55 AM, Adam_at_Gmail <adbasque_at_googlemail.com>
> wrote:
>>
>> Hi Again,
>> Well my local network can't access the Internet since I had to put the
>> vhost option on the http_port 3128
>> They can access my sites internally not a problem, but the problem is
>> they can no longer access the internet
>> I have kept the original config
>> The only thing I have changed was adding the acceleration mode for my
>> backend server (sites) and add the vhost option after
>> the http_port 3128
>> like this
>> http_port 3128 vhost
>>
>> I hope that makes more sense
>> Regards
>> Adam
>> ----- Original Message ----- From: "Ron Wheeler"
>> <rwheeler_at_artifact-software.com>
>> To: "Adam_at_Gmail" <adbasque_at_googlemail.com>; <squid-users_at_squid-cache.org>
>> Sent: Sunday, March 28, 2010 8:40 PM
>> Subject: Re: [squid-users] Help with accelerated site
>>
>>
>>> Are you trying to build an accelerator for your site or a proxy?
>>>
>>> Pick one and get it to work.
>>>
>>> The config that I sent you is an accelerator.
>>>
>>> I would suggest to stick with the accelerator and let your inside guys
>>> hit your server on port 80.
>>> 1) Put your backend server back on port 80
>>>
>>> http_port 80 accel vhost defaultsite=www.mysite.org
>>> cache_peer 192.168.1.3 parent 80 .... whatever I had in my config should
>>> be fine once you change my 81 to 80. I needed to use 81 since I had both
>>> apache and squid on the same machine. You do not have this problem.
>>>
>>>
>>> This way your inside guys are still hitting your backend the old
>>> fashioned way and your clients are coming through your front door with a
>>> caching proxy.
>>>
>>> Get rid of the acl stuff until you get it going and then decide how to
>>> block people.
>>> Check my acl settings but I do not recall doing anything to control
>>> access.
>>>
>>>
>>> KISS
>>>
>>> Good luck
>>> Ron
>>>
>>>
>>>
>>>
>>> Adam_at_Gmail wrote:
>>>>
>>>> Hi Amos,
>>>> Thanks for your time
>>>> at the moment my config is as follows, it's working as far as the
>>>> acceleration mode is concerned
>>>>
>>>> http_port 80 accel vhost defaultsite=www.mysite.org
>>>>
>>>> cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
>>>> acl out_sites dstdomain www.mysite.org www.mysite.com www.mysite.net
>>>>
>>>> http_access allow our_sites
>>>> cache_peer_access main allow our_sites
>>>> cache_peer_access deny all
>>>>
>>>> I can access my 3 websites from inside my network and from the
>>>> "Internet" no problems
>>>> apart for it being a little slower than before, but it's working
>>>>
>>>> The problem I have right now is None of clients can access the internet
>>>> The error as before "The requested URL could not be retrieved"
>>>>
>>>> here is the other part of config
>>>>
>>>> acl manager proto cache object
>>>> acl localhost src 127.0.0.1/32
>>>> acl to_localhost dst 127.0.0.0/8.0.0.0/32
>>>> acl localnet src 10.0.0.0/8
>>>> acl localnet src 172.16.0.0/12
>>>> acl our_network 192.168.1.0/24
>>>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>>
>>>> http_access allow localnet
>>>> http_access deny all
>>>>
>>>> http_access allow our_network
>>>> http_access deny all
>>>>
>>>> htcp_access allow localnet
>>>> htcp_access deny all
>>>> icp_access allow localnet
>>>> icp_access deny all
>>>>
>>>> http_port 3128 vhost (note if I remove the vhost I won't access my
>>>> websites) if I leave it I can't access the internet from my local
>>>> network)
>>>>
>>>> No "Bind" error at this time
>>>>
>>>>
>>>>
>>>>
>>>> I hope that would help see if there's anything wrong with the
>>>> configuration
>>>>
>>>> Regards
>>>> Adam
>>>>
>>>>
>>>>
>>>> ----- Original Message ----- From: "Amos Jeffries"
>>>> <squid3_at_treenet.co.nz>
>>>> To: <squid-users_at_squid-cache.org>
>>>> Sent: Sunday, March 28, 2010 8:06 AM
>>>> Subject: Re: [squid-users] Help with accelerated site
>>>>
>>>>
>>>>> Adam_at_Gmail wrote:
>>>>>>
>>>>>> Hi Ron,
>>>>>> Thanks for your reply and thanks for your time
>>>>>>
>>>>>> This is perhaps the 10th time I uninstalled it and reinstalled it
>>>>>> And this is the very first time I could access my websites
>>>>>> internally, externally nothing yet, I am still getting the error
>>>>>
>>>>> This error:
>>>>>
>>>>>> The following error was encountered while trying to retrieve the URL:
>>>>>> /
>>>>>>
>>>>>
>>>>> ... appearing in a reverse-proxy setup means Squid received a
>>>>> reverse-proxy/accelerated request intended for a web server on a port
>>>>> without "accel" flag configured.
>>>>>
>>>>>
>>>>> Please read all my notes below right to the end of the email before
>>>>> changing anything. I'm commenting on each fine detail and what it
>>>>> means...
>>>>>
>>>>>>
>>>>>> My clients can all access the internet, Yes I am sure that there's a
>>>>>> misconfiguration in my config file but I followed every tutorial
>>>>>>
>>>>>> trying desperately to get something up, after a while you're
>>>>>> saturated and very tired, bouncing from one issue to another
>>>>>>
>>>>>
>>>>> ... so, we need you to stop bouncing and concentrate on one issue at a
>>>>> time. When we are satisfied that you are understanding that one move
>>>>> on ...
>>>>>
>>>>>> I checked and triple checked my iptables rules everything looks fine
>>>>>> so far
>>>>>>
>>>>>> For instance, my backend server is listening right now on port 81,
>>>>>> why did I put it on port 81 because I was getting
>>>>>>
>>>>>> Cannot bind to .... in the log file
>>>>>>
>>>>>> so I changed it to 81 and I am getting the same error, there's
>>>>>> absolutely nothing else in my entire network that is using that port
>>>>>>
>>>>>> So why can't it bind to port 81? You see the type of things that can
>>>>>> drive you through the wall
>>>>>>
>>>>>> at the moment I have only three machines
>>>>>>
>>>>>> A is Running the Proxy and the Router (IPTABLES)
>>>>>>
>>>>>> B is the back end server
>>>>>>
>>>>>> C is the DNS/DHCP servers
>>>>>>
>>>>>> And only the backend server that is currently listening on port 81
>>>>>> and before that it was listening on port 80
>>>>>>
>>>>>> no matter which port I put in my config I get the "Cannot bind to
>>>>>> ...." in the log file
>>>>>
>>>>> ... from the below I'd guess you are changing both the Squid http_port
>>>>> and the apache listening "Port" entries at the same time in your
>>>>> tests.
>>>>>
>>>>>
>>>>>>
>>>>>> here is a bit of my config
>>>>>>
>>>>>> *********************************************************************
>>>>>>
>>>>>> http_port 192.168.1.3:81 accel parent vhost
>>>>>> defaultsite=www.mysite.org
>>>>>
>>>>> The tutorial and advice so far as I've seen has been to place Squid
>>>>> listening on "http_port 80 accel vhost" and apache listening on "Port
>>>>> 81".
>>>>>
>>>>> Okay stop here. Check that. Make it so. Restart both software if
>>>>> needed.
>>>>>
>>>>> If another "bind" error comes up during the restart let us know right
>>>>> now.
>>>>>
>>>>>
>>>>> Continue reading...
>>>>>
>>>>>>
>>>>>> cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
>>>>>>
>>>>>
>>>>> Those two lines are (or 'were' right?) a loop.
>>>>>
>>>>> Squid listening on 192.168.1.3 port 81 is to fetch requests from
>>>>> source server listening on 192.168.1.3 port 81.
>>>>>
>>>>> What you should have after my suggested change above is:
>>>>> Squid listening on port 80 fetched from server on port 81.
>>>>>
>>>>>
>>>>> Test this:
>>>>> fetch a request for http://192.168.1.3:81/
>>>>> EXPECTED: results in the apache "it works", or your <VirtualHost *>
>>>>> site.
>>>>>
>>>>> fetch a request for http://192.168.1.3/
>>>>>
>>>>> EXPECTED: results in the apache "it works", or your <VirtualHost*>
>>>>> site. Received through Squid.
>>>>>
>>>>>
>>>>> (using wget, curl, or squidclient to display the response errors the
>>>>> second fetch there should contain a Via: header which is not present in
>>>>> the first fetch.)
>>>>>
>>>>>
>>>>> IF (and only if) there was no "bind" error, and the headers check
>>>>> above fails to show a Via: header properly. We work on that in next
>>>>> email...
>>>>>
>>>>>
>>>>>> acl dstdomain our_sites dstdomain www.mysite1.org www.mysite2.com
>>>>>> www.mysite3.net
>>>>>>
>>>>>> http_allow_access main allow our_sites
>>>>>>
>>>>>> http_peer_access main deny all
>>>>>>
>>>>>> At the moment all of these sites are running on the same server
>>>>>> (virtualhost)
>>>>>>
>>>>>> The only thing I am not sure of is probably the cache_peer directive
>>>>>>
>>>>>> "cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main"
>>>>>>
>>>>>> If it's wrong then I don't know what to put in there
>>>>>
>>>>> The IP address and port of your Apache server.
>>>>>
>>>>>
>>>>> Amos
>>>>> --
>>>>> Please be using
>>>>> Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
>>>>> Current Beta Squid 3.1.0.18
>>>>
>>>>
>>>
>>
>>
>
>
Received on Sun Mar 28 2010 - 22:28:03 MDT

This archive was generated by hypermail 2.2.0 : Mon Mar 29 2010 - 12:00:06 MDT
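
Added example (not part of the original thread, and not a Squid tool): a small Python check run over the directives posted in the thread. It reports ACL names that are used but never defined, an acl line with no type, an http_access rule placed after "deny all", and the lack of any non-accelerator http_port. The sample text is constructed from the thread, the ACL type list is a subset, and "all" is assumed to be defined.

```python
ACL_TYPES = {"src", "dst", "dstdomain", "srcdomain", "port", "proto", "method"}

# Constructed sample: directives as posted in the thread, mistakes included.
SAMPLE = """\
http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
acl out_sites dstdomain www.mysite.org www.mysite.com www.mysite.net
http_access allow our_sites
cache_peer_access main allow our_sites
acl localnet src 10.0.0.0/8
acl our_network 192.168.1.0/24
http_access allow localnet
http_access deny all
http_access allow our_network
http_port 3128 vhost
"""

def lint(conf):
    """Return (line_no, message) findings; line 0 marks a whole-file finding."""
    out, modes, closed = [], [], None
    defined = {"all"}  # assumption: "all" is built in or defined elsewhere
    for n, line in enumerate(conf.splitlines(), 1):
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        name, args = tok[0], tok[1:]
        if name == "acl":
            if len(args) >= 3 and args[1] in ACL_TYPES:
                defined.add(args[0])
            else:
                out.append((n, f"acl {args[0]}: missing or unknown type"))
        elif name == "http_port":
            # vhost implies accel, so either flag makes this a reverse-proxy port
            modes.append("accel" if {"accel", "vhost"} & set(args) else "forward")
        elif name in ("http_access", "cache_peer_access"):
            # cache_peer_access carries the peer name before allow/deny
            rule = args[1:] if name == "cache_peer_access" else args
            if name == "http_access" and closed:
                out.append((n, f"unreachable: follows 'deny all' on line {closed}"))
            for acl in rule[1:]:
                if acl.lstrip("!") not in defined:
                    out.append((n, f"{name} uses undefined acl {acl}"))
            if name == "http_access" and rule == ["deny", "all"]:
                closed = closed or n
    if modes and "forward" not in modes:
        out.append((0, "no forward-proxy http_port: every port is accel or vhost"))
    return out

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

On the sample it flags lines 4, 5, 7 and 10, plus the whole-file finding that both http_port lines are in accelerator mode.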