[squid-users] Where squid daemon is stored?
I don't find squid3 in /etc/init.d. Does anybody know where the daemon script is stored?

--
Regards,
Peng
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Can cache_peer be localhost?
> client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat forever.

Is there a way to configure squid so that anything that goes to 3128 will directly go outside of the machine instead of going back to 3128 again, yet still let 3129 be forwarded to the local 3128 in the round-robin fashion?

--
Regards,
Peng
[squid-users] Can cache_peer be localhost?
Hi,

I have the following configuration. When I access port 3129 and it is localhost's turn in the round-robin, then the access will fail. Is there a way to make it work?

$ grep -v '^#' squid.conf|grep -v '^$'
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
http_port 3129
acl port_3129_acl myportname 3129
cache_peer server1 parent 3128 0 round-robin no-query name=server1_3128
cache_peer_access server1_3128 allow port_3129_acl
cache_peer localhost parent 3128 0 round-robin no-query name=localhost_3128
cache_peer_access localhost_3128 allow port_3129_acl
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
forwarded_for delete

--
Regards,
Peng
Re: [squid-users] How to combine two proxies into one?
On Thu, Feb 15, 2018 at 3:31 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 15/02/18 17:00, Peng Yu wrote:
>> Hi,
>>
>> Here are the conf files for two proxies. The first is a reverse proxy
>> (proxied on server1 and server2) and the second is a forward proxy. Is
>> there a way to combine the two into one (supporting both 3129 and
>> 3128)? Thanks.
>
> One Squid can accept traffic in multiple modes, just by adding the
> appropriate *_port lines for each type/mode of traffic.
>
> However, if you are talking about the same setup as your last threads
> described the first proxy is *not* doing proper / normal reverse-proxy.
> From what I understand in those setups you are relying on the traffic
> being warped into forward-proxy syntax by the frontend and leaving the
> domain routing to the backend - which lacks the appropriate security
> checks to handle reverse-proxy needs.
>
>
> In regards to your posted config files. Skipping the lines which are not
> actual default configuration you are left with these:
>
>>
>> $ grep -v '^#' squid.conf|grep -v '^$'
>> http_port 3129
>
> This is not a reverse-proxy. That is declared by the "accel" mode flag
> being set - which is not present here.
>
>
>> cache_peer server1 parent 3128 0 round-robin no-query
>> cache_peer server2 parent 3128 0 round-robin no-query
>> coredump_dir /usr/local/var/cache/squid
>>
>
>> $ grep -v '^#' squid.conf|grep -v '^$'
>> http_port 3128
>
> This is also not a reverse-proxy.
>
>> coredump_dir /var/spool/squid3
>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>
> To combine the above two configurations take the second one and add this
> line:
> http_port 3129
>
>
> BUT, since neither of them was actually a reverse-proxy the answer of
> how to merge a reverse-proxy and a forward-proxy would be quite different.

I finally figured out a configuration that works. localhost:3128 is forwarded to both server1:3128 and server2:3128. localhost:3129 directly goes to the external network. Let me know if there is anything wrong with it.

Also, this only works for http. For https, localhost:3128 still directly goes to the external network. Do you know how to modify the following configuration to configure for https?

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129
acl port_3128_acl myportname 3128
cache_peer server1 parent 3128 0 round-robin no-query name=proxy3128
cache_peer_access proxy3128 allow port_3128_acl
cache_peer server2 parent 3128 0 round-robin no-query name=proxy1_3128
cache_peer_access proxy1_3128 allow port_3128_acl
cache_peer_access proxy3128 deny all
forwarded_for delete
coredump_dir /usr/local/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

--
Regards,
Peng
[squid-users] How to combine two proxies into one?
Hi,

Here are the conf files for two proxies. The first is a reverse proxy (proxied on server1 and server2) and the second is a forward proxy. Is there a way to combine the two into one (supporting both 3129 and 3128)? Thanks.

$ grep -v '^#' squid.conf|grep -v '^$'
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3129
cache_peer server1 parent 3128 0 round-robin no-query
cache_peer server2 parent 3128 0 round-robin no-query
forwarded_for delete
coredump_dir /usr/local/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

$ grep -v '^#' squid.conf|grep -v '^$'
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
forwarded_for delete

--
Regards,
Peng
Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?
It is still not difficult to completely comprehend the squid document to see how to modify the example at derpturkey.com for my following scenario.

I have a bunch of forward proxy servers whose IPs are ip1 and ip2, ..., ip_n (using port 3128). The reverse proxy will use the round-robin policy to forward each incoming request to one of these forward proxies.

Do you mind giving me a minimal working configuration for my scenario? Working means that the configuration must be usable directly without modification (except domain names or IP addresses). Minimal means that anything not relevant to my scenario should not be included in the configuration.

BTW, to make sure my understanding of forward proxy is correct, could you confirm whether the proxies here are forward proxies?

https://free-proxy-list.net/

On Sat, Feb 10, 2018 at 12:09 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 11/02/18 06:33, Peng Yu wrote:
>> Hi,
>>
>> I see the following blog about setting up a reverse proxy using squid.
>>
>> http://derpturkey.com/squid-as-a-reverse-proxy/
>>
>> But there seem to be more configurations than what I need.
>>
>> For example, for the following line, I don't need to restrict the
>> access to a specific domain.
>> http_port 80 accel defaultsite=www.example.com
>
> The above does not *restrict*. It sets a default value for Squid to use
> when the Host header is missing from HTTP requests.
>
>
>>
>> Instead, any access to the IP of the reverse proxy should be OK. In
>> this sense, should I just use the following?
>>
>> http_port 80 accel
>
> You can if you want to. But be aware that any clients which omit the
> Host header in their requests will be rejected by the proxy with an
> error page.
>
>
>>
>> Also, let's say I have two web servers server1 and server2 to be
>> proxied. Since I don't use a domain, I am not sure how Step 3 should
>> be adjusted.
>
> By using other types of ACLs in an arrangement which meets your desired
> mapping.
>
> Please read the FAQ about how ACLs work. That includes a list of
> different ACLs.
> <http://wiki.squid-cache.org/SquidFaq/SquidAcl>
>
>
> So far as you have stated that would be "cache_peer ... allow all".
>
> Which is a very bad idea...
>
> Be aware that the domain based config is itself a security layer to
> prevent attackers and certain type of DoS reaching through the proxy to
> attack the peers directly with bogus traffic. Using other types of ACLs,
> particularly ones leading to "no restriction" like you describe make
> your proxy and the origins all at risk for denial of service attacks.
>
>
> What is your reason for wanting "no restrictions"?
> it could be that you actually need something very different to what you
> are asking about.
>
>
>>
>> I also do not want any restrictions to my reverse proxy. But I am not
>> sure how Step 4 should be simplified.
>>
>> Could anybody please let me know how to configure squid reverse proxy
>> in my simplified scenario?
>
> That tutorial is describing the simplest scenario possible with a
> multiple peers in a reverse-proxy.
>
> Yours is actually the more complicated scenario since you apparently
> need some unusual ACL configuration.
>
>
> Amos

--
Regards,
Peng
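Added example (not code from the thread or from the Squid project): a small Python lint that checks squid.conf text for the points raised in these messages, namely a cache_peer that points back at the proxy's own listening port, peers with no restricting cache_peer_access rule, "http_access allow all", and peers configured while no http_port carries the accel flag. The finding codes, the ACCEL_CONF sample and its placeholder names (our_sites, web1, www.example.com, 192.0.2.10) are assumptions made for illustration.

```python
# Constructed input: directives taken from the localhost-peer question above.
THREAD_CONF = """\
http_access allow all
http_port 3128
http_port 3129
acl port_3129_acl myportname 3129
cache_peer server1 parent 3128 0 round-robin no-query name=server1_3128
cache_peer_access server1_3128 allow port_3129_acl
cache_peer localhost parent 3128 0 round-robin no-query name=localhost_3128
cache_peer_access localhost_3128 allow port_3129_acl
"""
# Constructed input (assumed names): accel port, domain-restricted peer access.
ACCEL_CONF = """\
http_port 80 accel defaultsite=www.example.com
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all
cache_peer 192.0.2.10 parent 80 0 no-query originserver round-robin name=web1
cache_peer_access web1 allow our_sites
cache_peer_access web1 deny all
"""
LOCAL = {"localhost", "127.0.0.1", "::1"}

def audit(conf):
    """Return sorted (code, detail) findings for squid.conf text."""
    accel, peers, rules, out = {}, [], {}, set()
    for raw in conf.splitlines():
        t = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(t) < 2:
            continue
        if t[0] == "http_port":                   # port -> has accel flag?
            accel[t[1].rsplit(":", 1)[-1]] = "accel" in t[2:]
        elif t[0] == "cache_peer" and len(t) >= 5:
            name = next((o[5:] for o in t[5:] if o.startswith("name=")), t[1])
            peers.append((name, t[1], t[3]))
        elif t[0] == "cache_peer_access" and len(t) >= 4:
            rules.setdefault(t[1], []).append((t[2], t[3:]))
        elif t[:3] == ["http_access", "allow", "all"]:
            out.add(("open-access", "http_access allow all"))
    for name, host, port in peers:
        if host in LOCAL and port in accel:       # peer is our own listener
            out.add(("self-peer", name))
        acl = rules.get(name, [])
        if not acl or ("allow", ["all"]) in acl:  # nothing limits peer use
            out.add(("unrestricted-peer", name))
    if peers and not any(accel.values()):         # forward-proxy chaining only
        out.add(("no-accel-port", ",".join(sorted(accel))))
    return sorted(out)

if __name__ == "__main__":
    print(audit(THREAD_CONF), audit(ACCEL_CONF))
```

The lint only reads the directives named above; it does not evaluate ACL semantics, so a clean result is not proof that a configuration is safe.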
Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?
> What is your reason for wanting "no restrictions"?

The proxied servers are behind a firewall already, which protects them from any unwanted access. Is this reason strong enough to have no restrictions set?

--
Regards,
Peng
[squid-users] How to set up a reverse proxy using squid for a simplified scenario?
Hi,

I see the following blog about setting up a reverse proxy using squid.

http://derpturkey.com/squid-as-a-reverse-proxy/

But there seem to be more configurations than what I need.

For example, for the following line, I don't need to restrict the access to a specific domain.

http_port 80 accel defaultsite=www.example.com

Instead, any access to the IP of the reverse proxy should be OK. In this sense, should I just use the following?

http_port 80 accel

Also, let's say I have two web servers server1 and server2 to be proxied. Since I don't use a domain, I am not sure how Step 3 should be adjusted.

I also do not want any restrictions to my reverse proxy. But I am not sure how Step 4 should be simplified.

Could anybody please let me know how to configure squid reverse proxy in my simplified scenario?

--
Regards,
Peng
[squid-users] Can reverse_proxy be set as a rotating proxy?
Hi,

I am not sure what the policy of reverse proxy is in squid. Using the notation in this figure, can squid on "proxy" be set to use "web servers" one after another for each request (i.e., rotating)? Thanks.

https://upload.wikimedia.org/wikipedia/commons/6/67/Reverse_proxy_h2g2bob.svg

--
Regards,
Peng
[squid-users] How to hide client info?
Hi,

I use squid to set a proxy. But the following output shows my local ip address besides the squid proxy ip. Is there a way to let httpbin.org only be aware of the squid_proxy but not my local ip?

$ http_proxy=squid_proxy:3128 wget -qO- http://httpbin.org/get
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "identity",
    "Cache-Control": "max-age=259200",
    "Connection": "close",
    "Host": "httpbin.org",
    "User-Agent": "Wget/1.16.3 (darwin13.4.0)"
  },
  "origin": ", ",
  "url": "http://httpbin.org/get"
}

--
Regards,
Peng