Re: [squid-users] RE: EXTERNAL: [squid-users] NEWBIE Q: httpd_accel_single_host?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 Aug 2010 03:17:08 +0000

On Wed, 11 Aug 2010 15:05:32 -0400, "AJ Weber" <aweber_at_comcast.net> wrote:
> Sorry it's taken me so long to test this out (a week...).
>
> I have it working with some very preliminary tests, but I had to add the
> "allow-direct" to the http_port line in addition to the example on the
> Wiki for the BasicAccelerator.
>
> Is this correct? Is my config "special" and/or does this depend on the
> web/appserver being connected to, or should this be added to the wiki
> (i.e. documentation error)?
>
> Is allow-direct just a security thing, or am I somehow disabling some of
> the Squid goodness?

It's a security thing. DIRECT access is blocked for reverse-proxy to
prevent Host: header games (CVE-2009-0801) and remove the need for DNS
resolution delays. It also helps prevent Squid from DNS-resolving itself as
the destination host of the domain and looping.

The basic config example contains a cache_peer line pointing specifically
at the back-end website host, with cache_peer_access rules using a
dstdomain ACL to allow only that host's domains. Those lines should be
routing the relevant requests to that host without needing DIRECT access or
DNS in any way.

Amos

> ----- Original Message -----
> From: "Amos Jeffries" <squid3_at_treenet.co.nz>
> To: <squid-users_at_squid-cache.org>
> Sent: Wednesday, August 04, 2010 7:55 PM
> Subject: Re: [squid-users] RE: EXTERNAL: [squid-users] NEWBIE Q:
> httpd_accel_single_host?
>
>
>>> -----Original Message-----
>>> From: AJ Weber [mailto:aweber_at_comcast.net]
>>> Sent: Wednesday, August 04, 2010 2:07 PM
>>> To: squid-users_at_squid-cache.org
>>> Subject: EXTERNAL: [squid-users] NEWBIE Q: httpd_accel_single_host?
>>>
>>> Does anyone have any config examples, tips or FAQ about simulating the
>>> "old" (pre 2.6, at least) single-host acceleration (i.e. as was done
>>> with the directive in the subject)?
>>>
>>> I have Duane Wessels' O'Reilly book here, and am trying to build a very
>>> specific server accelerator for across a slow, WAN link, but just for a
>>> single back-end host. (Chapter 15, pg 307, if you're now following-along
>>> ;) )
>>>
>>
>> On Wed, 04 Aug 2010 16:53:50 -0400, "Bucci, David G"
>> <david.g.bucci_at_lmco.com> wrote:
>>> I'm a novice (and maybe I shouldn't speak out of turn), but I wonder why
>>> you can't simply do standard reverse proxying, e.g., name your proxy
>>> server "original.org" in DNS, rename your slow web server "backend.org",
>>> and do a simple accel config:
>>>
>>
>> Indeed. Reverse-proxy is what we call it nowadays.
>>
>> The updated version of that single-host option (pg *308*) can be found
>> here:
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>>
>> Chapter 15, pg 307 was about the multiple-host options AFAICT.
>> That can be found here:
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
>>
>> Amos
>>
Received on Thu Aug 12 2010 - 03:17:11 MDT
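
The two points in the reply above (DIRECT stays blocked on an accel port, and the back end is reached through a cache_peer scoped by a dstdomain ACL) can be checked mechanically. This is an added example, not part of the thread and not code from the Squid project or its wiki; the function name, sample configs, hostnames and addresses are all constructed for illustration.

```python
# Added example: lint a reverse-proxy squid.conf for the points made in the reply.
# Sample configs are constructed; hostnames and addresses are placeholders.

def audit_accel_config(text):
    """Return a list of findings; an empty list means both checks passed."""
    acl_types, peers, peer_rules, findings = {}, [], {}, []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()   # simplification: '#' starts a comment
        if len(tok) < 2:
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            acl_types[tok[1]] = tok[2]                       # ACL name -> type
        elif tok[0] == "http_port" and "accel" in tok[2:]:
            if "allow-direct" in tok[2:]:
                findings.append(f"http_port {tok[1]}: allow-direct permits DIRECT "
                                "forwarding on an accelerator port")
        elif tok[0] == "cache_peer" and "originserver" in tok[2:]:
            # cache_peer_access refers to name= if set, otherwise to the hostname
            peers.append(next((t[5:] for t in tok if t.startswith("name=")), tok[1]))
        elif tok[0] == "cache_peer_access" and len(tok) >= 4:
            peer_rules.setdefault(tok[1], []).append((tok[2], tok[3:]))
    if not peers:
        findings.append("no 'cache_peer ... originserver' line routes to a back end")
    for name in peers:
        scoped = any(action == "allow" and
                     any(acl_types.get(a) == "dstdomain" for a in acls)
                     for action, acls in peer_rules.get(name, []))
        if not scoped:
            findings.append(f"cache_peer {name}: no cache_peer_access allow rule "
                            "uses a dstdomain ACL")
    return findings

BASIC = """\
http_port 80 accel defaultsite=www.example.com
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain www.example.com
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
"""
LOOSE = """\
http_port 80 accel defaultsite=www.example.com allow-direct
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain www.example.com
http_access allow our_sites
"""

if __name__ == "__main__":
    for label, conf in (("basic", BASIC), ("loose", LOOSE)):
        print(label, audit_accel_config(conf) or "ok")
```

A config that only works with allow-direct, as in the second sample, usually shows up here as a cache_peer with no matching cache_peer_access allow rule.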

This archive was generated by hypermail 2.2.0 : Mon Aug 16 2010 - 12:00:02 MDT