Re: [squid-users] Configuration - Reverse Proxy using internal DNS

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 12 Jan 2011 23:36:28 +1300

On 12/01/11 19:12, Tim Hill wrote:
> Hi
> I have been reading through the configuration examples and guides for
> the last week since taking the very rash decision to upgrade Squid to
> version 3 while building a replacement router/firewall box.
>
> The current machine runs happily under squid 2.4 - using squid to
> provide routing to the internal web servers.
>
> What I am unable to find is a config for Squid 3 that replicates the way
> I have been running squid.
>
> External connections to the websites are collected in squid, which then
> uses the host header to internal DNS where the web server is. The web
> servers are all on private IP addresses and only accessible from the
> outside world via squid.
>
>
> The network looks something like this.
>
> Internet => Squid ---- Internal DNS (private)
> |
> web01 <====> web02
>
> I have been unable to figure out a configuration that works in this manner.
> I'd like to also control access so that only websites that are local IP
> addresses in the internal DNS are proxied.
>
> At the moment I cannot see a way of getting squid to ask a DNS server
> for host location in reverse proxy mode, nor of setting up a subnet as
> allowed addresses to proxy (e.g. 192.168.1.0/24)
>
> The reason behind wanting to work this way is to remove the need for
> editing the squid config every time a new website is enabled or the
> server the site is on is changed. When a change is made, all that needs
> updating is the internal private DNS server.
>

What you are seeking is:

  acl Servers dst ...
  http_access allow Servers
  always_direct allow Servers

However, note that Squid is now dependent on DNS results and has much
reduced DoS protection against garbage requests.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Wed Jan 12 2011 - 10:36:44 MST
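
The three directives from the reply, placed in a fuller squid.conf fragment. This is an added example and not part of the original message or the Squid project's documentation. The resolver address 192.168.1.53 and the 5 minute negative TTL are assumed values, and 192.168.1.0/24 is the example subnet from the question.

```squidconf
# Accept inbound web traffic in accelerator mode. "vhost" makes Squid build
# the request URL from the Host header, so the site name is what gets
# resolved through DNS.
http_port 80 accel vhost

# ASSUMED resolver address. Listing it explicitly makes Squid query only the
# internal DNS server instead of the resolvers in /etc/resolv.conf.
dns_nameservers 192.168.1.53

# Matches requests whose host name resolves into the web-server subnet.
# 192.168.1.0/24 is the example range given in the question.
acl Servers dst 192.168.1.0/24

# Proxy only names that resolve into that subnet. Names that resolve
# elsewhere, or do not resolve at all, fall through to the deny rule.
http_access allow Servers
http_access deny all

# Fetch directly from the resolved address, so no per-site cache_peer
# entry has to be maintained.
always_direct allow Servers

# The dst ACL needs a DNS answer before it can be evaluated, so every new
# host name costs a lookup. Caching failed lookups (ASSUMED 5 minutes)
# stops repeats of the same bogus name from reaching the resolver again.
negative_dns_ttl 5 minutes
```

Negative caching only helps with repeated names; a stream of unique bogus Host headers still produces one lookup each, which is the reduced DoS protection the reply warns about.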
