Re: [squid-users] Help with accelerated site

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 29 Mar 2010 00:22:58 +0000

On Mon, 29 Mar 2010 00:39:40 +0100, "Adam_at_Gmail" <adbasque_at_googlemail.com>
wrote:
> Hello Amos,
> Thanks for your reply and suggestion
>
> I have just done what you suggested and I still couldn't access the
> internet from my local network
> I completely removed "our_network" and the relevant http_access etc..
> But couldn't access the internet
>

Part #1 of my sentence (cleaning out config garbage) completed.

  "You need to remove the "our_network" ACL completely"

Part #2 of my sentence (how to enable access) apparently ignored.

 ... " and adjust the "localnet" ACL as per the default config
instructions so that it only specifies your internal LAN IP address
range(s)."

Instead you went on and made up your own approach which complicates your
setup A LOT and now requires you to juggle many other software
configurations as well to make them all match the fancy squid.conf ...

>
> After that I did the following
>
> added an http_port 8080
> to the config and up my clients could access the internet and I can
> still access my backend server from the internet
> So normally everything is working fine

100% sure about that?

What is your public website name?

>
> I am not sure it's being wise to make squid listen on more than one
> port,

 ... not sure it's _wise_ ?!

It's REQUIRED for safe security to run a different port for each type of
input the proxy receives. When doing so firewall and squid.conf rules
become very easy to understand and get correct without causing security
breaches by accidental misconfiguration.

What we have been trying to get you to do is properly set up "http_port 80
accel vhost" to receive reverse-proxy mode traffic (public website) and
"http_port 3128" to receive forward-proxy mode traffic (your LAN).

> I'll keep a closer eye on it and see what will happen in the next day or
> two.
> Anyway this is for the benefit of anybody who finds themselves in the same
> or similar situation
> if you're forced to use http_port 3128 vhost (in order to access your
> sites from outside, i.e. Internet)
> This is if your sites are on the same webserver on a virtual host

Nobody is ever forced to do this by Squid. You are no exception.

Amos
Received on Mon Mar 29 2010 - 00:23:02 MDT
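
The port split described in this message, written out as an added squid.conf example (not from the original thread or the Squid project). The hostname, LAN range, backend address and the port, peer and ACL names are constructed placeholders; tying rules to each port with "myportname" is one way to do it, chosen for this illustration.

```conf
# Added example with constructed values, not the poster's configuration.
# www.example.com, 192.168.1.0/24 and 192.168.1.10 are placeholders.

# --- Mixed (the setup argued against above): one port for everything ---
# http_port 3128 vhost
# Public website requests and LAN browsing enter on the same port, so
# no rule can separate them by where they arrived.

# --- Separated: one port per type of input ---
# Reverse-proxy traffic (public website)
http_port 80 accel vhost defaultsite=www.example.com name=public
# Forward-proxy traffic (LAN clients)
http_port 3128 name=lan

# Internal LAN range only, as the default config instructions describe
acl localnet src 192.168.1.0/24
# Sites this proxy accelerates
acl our_sites dstdomain www.example.com
# Which listening port the request came in on
acl on_public myportname public
acl on_lan myportname lan

# Backend web server for the accelerated site
cache_peer 192.168.1.10 parent 80 0 no-query originserver name=backend
cache_peer_access backend allow our_sites
cache_peer_access backend deny all

# Public port: serve the hosted site and nothing else
http_access allow on_public our_sites
http_access deny on_public
# LAN port: forward-proxy for internal clients only
http_access allow on_lan localnet
http_access deny all
```

With this layout the firewall only needs to expose port 80 to the Internet, and port 3128 can stay reachable from the LAN alone.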