Re: [squid-users] Access Denied using Squid as reverse proxy

From: Amos Jeffries <>
Date: Thu, 24 Oct 2013 19:48:46 +1300

On 24/10/2013 3:17 p.m., juan_fla wrote:
> I'm trying to set up squid as reverse proxy/cache for a mediawiki website. At
> this time, http requests to the website give me an Access denied message.
> Looks like I need to map requests to port 80 somehow to the port 3129 (where
> Squid is listening right now) but I don't understand how.
Bad idea. Squid as reverse-proxy should be listening directly on port 80
and handlnig the traffic as it arrives there.

The wiki service should ideally be listening on port 80 on a
different/private/localhost IP somewhere else. Squid gets configured
with a cache_peer directive pointing at the wiki web server listening
port. Public DNS gets configured pointing all visitor at Squid.

Details can be found in this example config along with instructions on
proper testing of reverse-proxies:

> Squid 3.3.8, FreeBSD 6.2.
> Web server is listening to port 3130. Squid is listening on 3129.

Ideally both should be listening on port 80, just different IPs.

However, IF you really need the web server to be listening on a
different port you can set the cache_peer in the above mentioned config
rules to point at any port you like. Just be extra careful that the web
server is configured to ensure the scripts it runs only generate URLs with:
1) relative URLs whenever possible ... so the client softwareuses its
original URL domain:port details for followup requests
2) omitted port number when domain is unavoidable ... implying default
port 80 so it goes back to Squid.
3) omitted "scheme:" ... so http://and https:// can be determined by the
frontend Squid without causing trouble.

  As a backup you can have Squid listening on port 3130 *as well*. But
if that is possible there is usually not much reason for the web server
to avoid port 80 is there?

> Trying to browse the homepage ( - not the real domain)
> results in:
> The requested URL could not be retrieved
> The following error was encountered while trying to retrieve the URL:
> http://localhost:3129/index.html
> Access Denied.
> Access control configuration prevents your request from being allowed at
> this time. Please contact your service provider if you feel this is
> incorrect.
> Your cache administrator is webmaster.
> However, adding the Squid port number does work - the response is the
> homepage ( )

BUT Squid is not being asked to fetch website " " ... it
is being asked to fetch website " localhost:3129 "

> Squid.conf:
> http_port 3129 accel

http_port 80 accel

> cache_peer parent 3130 0 no-query originserver name=myAccel
> login=PASS
> acl our_sites dstdomain
> http_access allow our_sites
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel deny all
> cache_dir ufs /home/mydomain/website/webroot/cache/squid 100 16 256
> coredump_dir /home/mydomain/opt/squid/var/cache/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> visible_hostname
> I've tried adding references to port 80 but so far nothing has worked.
> I will sincerely appreciate any suggestions. We have had the website down
> for two months now trying to get Squid working :(

Three things:

* make Squid listen on port 80

* run your tests with *exactly* the same URLs the visitors will be
requesting ...
  - find out where that "localhost:3129" is coming from and fix it. It
is something between you test browser and Squid.

* configure DNS to point at the Squid proxy IP address

Received on Thu Oct 24 2013 - 06:48:53 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 24 2013 - 12:00:07 MDT