Re: [squid-users] Re: Reverse proxy to multiple ports on same origin

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 28 Sep 2010 22:28:07 +0000

On Tue, 28 Sep 2010 12:15:17 -0700 (PDT), Todd B <toddtheami_at_yahoo.com>
wrote:
> Having an issue with an inherited install of squid 2.7 running on Windows,
> acting as a reverse proxy to an IIS box with multiple sites on it. The squid
> is in our DMZ (pokes for 8085 and 8086 are in place), IIS is internal. The
> problem I'm seeing is that squid is returning the content on port 8085
> irrelevant of whether I'm coming in on 8085 or 8086. I've spent a full day
> reading up on squid and searching around for more info, and have come up
> with squat. Any suggestions on what I've done wrong (probably with the
> cache_peer) would be welcome! So, thanks in advance for helping out!
>
>
> squid.conf is below.
>
>
> -~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
> #NETWORK
> http_port 8085 transparent
> http_port 8086 transparent

Well, for starters, the above has not been right for reverse-proxy since
2.5.

Reverse proxy with multiple domains uses these:
 http_port 8085 accel vhost

You *may* want the defaultsite=example.com option as well to fix HTTP/1.0
clients which don't send Host: headers. In which case change example.com to
the FQDN of the preferred public website they are to see.

>
> #Cache_MEM
> memory_replacement_policy lru
> cache_mem 512 MB
> maximum_object_size_in_memory 4096 kb
>
> #Cache_DISK
> memory_replacement_policy lru
> cache_dir ufs c:/squid/var/cache 512 16 256
> maximum_object_size 8192 KB
>
> #Cache tuning "ignore-no-cache" ignores the no cache header from AutoUpdate
> refresh_pattern . 90 100% 180 reload-into-ims ignore-no-cache
> #refresh_pattern . 90 100% 180 ignore-reload
>
> #LOGGING
> cache_store_log none
> cache_log c:/squid/var/logs/cachelog.txt
> access_log c:/squid/var/logs/access.txt squid
>
> #ADMINISTRATIVE
> #visible_hostname <ipaddress of squid system> <FQDN alias> <short name>
> visible_hostname SQUID.INTERNAL.IP SQUID.EXTERNAL.HOSTNAME SQUID.WINDOWS.HOSTNAME

Strange looking FQDN, but okay.

> unique_hostname SQUID.WINDOWS.HOSTNAME
>
> #OPTIONS FOR AUTHENTICATION
> acl all src 0.0.0.0/0.0.0.0

Replace the above with:
  acl all src all

> acl protocol proto HTTP
> acl safe_ports port 8085
> acl safe_ports port 8086
> acl getonly method GET
> http_access allow all

Not good.

http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

>
> #Neighbor select Algorithm
> #cache_peer <address of IIS system> <type> <listening port> <icp_port> no-query originserver name=Accesslist
> cache_peer IIS.SERVER.IP parent 8085 0 no-query originserver name=MyAccessList
> cache_peer IIS.SERVER.IP parent 8086 0 no-query originserver name=MyAccessList2
> cache_peer_access MyAccessList allow all
> cache_peer_access MyAccessList2 allow all

The above allows all requests to be sent to the backend "MyAccessList"
which is your problem. If that machine goes offline or unavailable
everything will go to "MyAccessList2" instead.

Have a read through
http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers

The rest of your cache_peer_access lines never got tested, the correct
base reverse-proxy controls obsolete several of their attempted actions, so
re-assess whether you need them after fixing the above bits.

Amos
Received on Tue Sep 28 2010 - 22:28:23 MDT
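
The corrections from this reply combined into one accelerator configuration, as an added example that is not from the original thread or the Squid project. It assumes the two IIS sites are told apart by the port the client connected to (a `myport` ACL); `www.example.com` and the peer names `iis_8085` / `iis_8086` are placeholders.

```conf
# Added example for Squid 2.7 as a reverse proxy (accelerator).
# IIS.SERVER.IP is the thread's placeholder for the internal IIS address.
# www.example.com is a placeholder for the public site name.

# Accelerator mode on both public ports (replaces "transparent").
http_port 8085 accel vhost
http_port 8086 accel vhost

acl all src all

# Local port the client connected to. Routing on this is an assumption
# of this example; the linked wiki page routes on dstdomain instead.
acl on_8085 myport 8085
acl on_8086 myport 8086

# Accept requests for the published site only, then refuse the rest
# (replaces "http_access allow all").
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all

# One origin peer per IIS site. The name= labels are hypothetical.
cache_peer IIS.SERVER.IP parent 8085 0 no-query originserver name=iis_8085
cache_peer IIS.SERVER.IP parent 8086 0 no-query originserver name=iis_8086

# Each peer takes only the requests that arrived on its matching port.
# The explicit "deny all" keeps one site's requests from reaching the
# other site's peer, including when the matching peer is unavailable.
cache_peer_access iis_8085 allow on_8085
cache_peer_access iis_8085 deny all
cache_peer_access iis_8086 allow on_8086
cache_peer_access iis_8086 deny all
```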