Re: [squid-users] Need help with Squid reverse proxy with mirrored parents please!

From: Alex Stahl <testcore_at_gmail.com>
Date: Wed, 27 Mar 2013 17:26:07 -0700

Thanks for the suggestions... although I can't tell if they work just
yet. Squid version is 3.1.10; I'm restricted in my choice here and
unfortunately cannot upgrade.

I do think the crux of my issue lies in exactly your point regarding
ACLs. Per your advice, and the write-up at the link I referenced, the
conf should have ACLs upon which Squid can select which origin server
to ask for a given object. In the example, they switch on either
cache_peer_domain or urlpath_regex. My issue is that I want to switch
on the presence (or lack thereof) of an object on a web server.

Here's some pseudocode to express this:
1. Request object from local peer
2a. If local peer has object, return that
2b. If local peer does not have object, request object from remote peer
3a. If remote peer has object, return that
3b. If remote peer does not have object, now return a 404

Currently I get the 404 after step #2b. So how would I create ACLs
that express this?

To provide a little more insight, this is for a provisioning system
where a local server contains a subset of the contents of a yum repo
(i.e. the local peer). The full set of contents of the yum repo can
be found on the remote peer. The local server is used to stand up a
bare-bones install on its clients.

Thanks in advance,
Alex

On Wed, Mar 27, 2013 at 4:59 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 28/03/2013 12:28 p.m., Alex Stahl wrote:
>>
>> Hiya Squid Users - So I'm trying to configure Squid as a reverse
>> proxy, listening on port 80, in front of two web servers. One web
>> server runs on the localhost and listens on port 81 and contains a
>> subset of all website content. Then the second web server is a remote
>> box, listening on port 80, with a full set of all content.
>>
>> What I'd like Squid to do is act as a single front-end for these
>> servers. A request comes in, and if it's a cache miss, it should
>> first ask the localhost web server if it can satisfy the request. If
>> so, it serves it up. If not, it should forward it on to the second
>> web server.
>
>
> Which squid version? The presence or absence of vhost settings depends on it.
>
>
>> Following the guide here:
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers,
>> I've come up with the following config:
>>
>> http_port 80 accel defaultsite=localhost
>
>
> Problem #1 Use the public FQDN name in defaultsite=.
> The above config will make some URLs handled by Squid all be
> http://localhost/... which is NOT a good thing when those URLs are sent out
> to the client.
>
>
>
>> cache_peer localhost parent 81 0 originserver name=local
>> cache_peer example.com parent 80 0 originserver name=remote
>> acl request dstdomain localhost
>> cache_peer_access local allow request
>> cache_peer_access remote allow request
>>
>> (I have other ACLs unrelated to this config, such as allowing http
>> requests on port 80).
>>
>> The problem I run into is that a miss on the localhost web server (an
>> HTTP 404) isn't properly forwarded on to the remote server - squid
>> only ever tries a single parent. If I remove the localhost peer, the
>> request is properly forwarded, and I get back the expected HTTP 200.
>>
>> What am I missing in my config to make it do that?
>
>
> 404 means "does not exist". How is Squid to know that the localhost peer was
> lying and some other peer does have the object?
>
> * Fix the "defaultsite=localhost" problem
> * Add "vhost" to your http_port line to make Squid aware of what domains
> requests are for.
> * alter your "request" ACL into different ACLs which match against requests
> destined to each server. Such that only the server where the request can
> come from is contacted.
>
> Amos
Received on Thu Mar 28 2013 - 00:26:13 MDT
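
The three changes listed in the reply above, applied to the posted configuration for Squid 3.1 (an added example, not part of the original thread and not configuration from either poster). The hostname repo.example.com and the path pattern ^/repo/base/ are assumed placeholders for the public site name and for whatever URL pattern describes the local subset. This routes by URL so that only the peer expected to hold the object is contacted; it does not retry the remote peer after a 404 from the local one.

```conf
# Added example. repo.example.com and ^/repo/base/ are placeholders
# (assumptions), not values taken from the thread.

# Public FQDN in defaultsite=, plus vhost so Squid 3.1 honours the Host header.
http_port 80 accel defaultsite=repo.example.com vhost

# Same two origin servers as in the posted config.
cache_peer localhost parent 81 0 originserver name=local
cache_peer example.com parent 80 0 originserver name=remote

# Requests addressed to the published site name.
acl repo_site dstdomain repo.example.com
# URL paths the local subset is known to hold (placeholder pattern).
acl local_subset urlpath_regex ^/repo/base/

# Local peer: only requests it is expected to be able to answer.
cache_peer_access local allow repo_site local_subset
cache_peer_access local deny all

# Remote peer: every other request for the site.
cache_peer_access remote deny local_subset
cache_peer_access remote allow repo_site
cache_peer_access remote deny all

# Serve the published site only, so the accelerator does not relay
# requests for arbitrary destinations.
http_access allow repo_site
http_access deny all
```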
