Re: [squid-users] multiple web servers - squid looks for images on wrong server.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 01 Mar 2012 10:46:00 +1300

On 01.03.2012 03:35, kadvar wrote:
> Hi,
> I have set up squid in reverse proxy (http-accelerator mode) on a machine
> along with the web server. The web server listens on 127.0.0.1 while squid
> listens on 192.168.124.41. There is another web server 192.168.124.40. Squid
> has been configured with urlpath_regex to redirect any incoming requests
> with "images" in the url to 192.168.124.40.
>
>                             |---> webserver1 (127.0.0.1)
> squid (192.168.124.41) --- |
>                             |---> webserver2 (192.168.124.40)
>
> Now according to my config, pointing my browser to
> 192.168.124.41/images.html should lead to 192.168.124.40/images.html. The
> page loads up but the embedded images do not show up. A tail -f on
> access.log shows
>
> 1330494519.583 5 192.168.124.41 TCP_REFRESH_UNMODIFIED/304 357 GET http://192.168.124.41/images.html - FIRST_UP_PARENT/server2 -
> 1330494519.814 3 192.168.124.41 TCP_MISS/404 582 GET http://192.168.124.41/myimage.jpg - FIRST_UP_PARENT/server1 text/html
>

NOTE for all the log_fqdn addicts: This is one of the major reasons we
moved to IP-address display in these logs recently. It is far easier to
identify these problem servers, especially when each one has multiple
IPs squid could be accessing.

> images.html has an image embedded in it called myimage.jpg. Squid does well
> to redirect incoming requests for images.html to server2 but it is still
> looking for myimage.jpg on server1. Why is this happening?
>
> Thanks,
> Adi
>
> I have reproduced squid.conf below
>
> ########################squid.conf####################
> ############### http accel configuration ###########
>
> #let squid listen on the public ip addr port 80 and apache on localhost 80
> http_port 192.168.124.41:80 accel defaultsite=192.168.124.41

You set the default Host: header value to be a raw-IP address. Squid
will attempt to fetch from itself, looping back, and try to fetch from
itself...

This is default *site*. As in your company's public FQDN, or the
default website name you want broken clients to visit if they omit a
domain name from their URL.

  On top of this Squid is not told to pay attention to the Host header
(vhost option), so the reverse-proxy mode traffic URL has no domain name
in it Squid uses that IP address.

>
> #192.168.124.41/images has to be redirected to another web server
> acl images urlpath_regex images

Problem #1: everything with the letters "images" in the URL path gets
matched by this.

For example:
   http://example.com/images/haha.html
   http://example.com/boo/?images
   http://example.com/scripts/images.js
   http://example.com/videos/images.avi
   http://google.com/images?q=boo
   http://192.168.124.41/images.html

Careful with regex.

>
> #now that images has been found deny the request being sent to server 1
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=server1
> cache_peer_access server1 deny images

PROBLEM #2: "myimage.jpg" does not contain an "s". The 'images' ACL
definition does not prevent it going to this peer.

>
> #now send the image requests to server 2, first create peer
> cache_peer 192.168.124.40 parent 80 0 no-query originserver name=server2
> #now send image requests to peer
> cache_peer_access server2 allow images
> cache_peer_access server2 deny all

Problem #3: in all of this I see no ACL or http_access permitting
access to the domain for reverse-proxy requests.

  There is only forward-proxy http_access security configurations
limiting access to LAN spaces. If you want this reverse-proxied website
to be visible outside the LAN you will need to add permission for
anybody to access its domain name (dstdomain) before your
forward-proxy config (ie at the top with the cache_peer_access lines).

Amos
Received on Wed Feb 29 2012 - 21:46:04 MST
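
Problems #1 and #2 above, as an added example (not part of the original message and not Squid code): a small Python model of how the unanchored `images` pattern routes the reply's sample URLs and the logged `myimage.jpg` request under the posted cache_peer_access rules, next to a tighter pattern set. The `TIGHTER` patterns and all helper names are assumptions, and Python's `re` stands in for Squid's regex engine, which behaves the same for these simple patterns.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the URLs listed in the reply plus the image request from the log.
URLS = [
    "http://example.com/images/haha.html",
    "http://example.com/boo/?images",
    "http://example.com/scripts/images.js",
    "http://example.com/videos/images.avi",
    "http://google.com/images?q=boo",
    "http://192.168.124.41/images.html",
    "http://192.168.124.41/myimage.jpg",
]

ORIGINAL = ["images"]  # acl images urlpath_regex images
# Assumed tighter patterns (not from the thread): one directory, one page, image extensions.
TIGHTER = [r"^/images/", r"^/images\.html$", r"\.(jpe?g|png|gif)(\?|$)"]


def url_path(url):
    """What urlpath_regex is tested against: path and query, no scheme or host."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def acl_matches(patterns, url):
    """An ACL with several patterns matches when any one of them is found in the path."""
    target = url_path(url)
    return any(re.search(p, target) for p in patterns)


def select_peer(patterns, url):
    """Apply the thread's cache_peer_access rules to one request."""
    # server1: deny images (anything else falls through to the implicit allow)
    # server2: allow images, deny all
    return "server2" if acl_matches(patterns, url) else "server1"


def routing_table(patterns):
    return {url: select_peer(patterns, url) for url in URLS}


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("tighter", TIGHTER)):
        print(name)
        for url, peer in routing_table(acl).items():
            print(f"  {peer}  {url_path(url)}")
```

With the original pattern only `/myimage.jpg` lands on server1, which is the 404 in the posted access.log; with the tighter set it goes to server2 and the unrelated `images` paths stay on server1.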
