Re: [squid-users] reverse proxy problem
On 28/04/2012 9:38 a.m., Bruce Lysik wrote:
> Hi guys,
>
> Running latest 3.1 in a reverse proxy mode. 3 beefy servers with 96GB of ram.
>
> Seeing an odd problem:
>
> Origin -> customer, equals fast speeds. (Tested by curling from a desktop to origin.)
> Origin -> squid, equals fast speeds. (Tested by running curl on the squid server to the origin.)
> Squid cache hit -> customer, equals fast speed. (Seen in browser.)
> Squid cache miss -> customer, insanely slow. 36kB/sec, when origin to customer direct is like 50MB/sec.
>
> Any ideas on what to look at here? It's so broken it feels like a misconfiguration somewhere.
>
> These are on RHEL6u2, 96GB ram, 1.69TB RAID5 ext4 partition for disk cache, 4gb of bonded network interface. Machines are behind a load balancer operating in DSR mode.

The usual stuff is:

* disk I/O loading. Squid still cycles most objects through the disks when caching and RAID does horrible things to the write cycle speed.
* forwarding loops. If the traffic is looping in and out and back again Squid impact can be huge.
* delay pools not being bypassed for the reverse-proxy traffic.
* QoS on the underlying system slowing things down.
* ECM or PMTU brokenness preventing the Squid box making fast jumbo-packet connections.

Amos
[squid-users] reverse proxy problem
Hi guys,

Running latest 3.1 in a reverse proxy mode. 3 beefy servers with 96GB of ram.

Seeing an odd problem:

Origin -> customer, equals fast speeds. (Tested by curling from a desktop to origin.)
Origin -> squid, equals fast speeds. (Tested by running curl on the squid server to the origin.)
Squid cache hit -> customer, equals fast speed. (Seen in browser.)
Squid cache miss -> customer, insanely slow. 36kB/sec, when origin to customer direct is like 50MB/sec.

Any ideas on what to look at here? It's so broken it feels like a misconfiguration somewhere.

These are on RHEL6u2, 96GB ram, 1.69TB RAID5 ext4 partition for disk cache, 4gb of bonded network interface. Machines are behind a load balancer operating in DSR mode.

Thanks in advance.

--
Bruce Z. Lysik
Re: [squid-users] reverse proxy, problem with conf
On 22/12/2011 9:46 p.m., Alexis Krier wrote:
> Hello all,
>
> I have a little problem to test the ability of squid to reverse proxy.
>
> let's say I have two sites for example: free.fr and laposte.net (these sites are real www sites)
> I want that client hit first squid and then go to free.fr or laposte.net:
>
> Client -> SQUID --> free.fr
>                 |
>                 > laposte.net
>
> so here is my conf on my windows desktop test machine:
>
> C:\WINDOWS\system32\drivers\etc\hosts:
> 127.0.0.1 localhost
> 127.0.0.1 free.fr
> 127.0.0.1 laposte.net
>
> squid.conf:
> http_port 80 accel defaultsite=google.fr
> cache_peer 212.27.48.10 parent 80 0 no-query originserver name=server_1
> acl sites_server_1 dstdomain free.fr
> cache_peer_access server_1 allow sites_server_1
> cache_peer 195.154.98.97 parent 80 0 no-query originserver name=server_2
> acl sites_server_2 dstdomain laposte.net
> cache_peer_access server_2 allow sites_server_2
>
> the Test case:
> When I set free.fr in my web browser I am redirected to squid but I'm forwarded to google.fr and not free.fr as expected
> Same thing with laposte.net, where am I wrong?

The http_port directive is configured to reverse-proxy only for the google.fr domain. Any traffic which arrives is automatically using that domain.

To receive multiple domains in one port you need to enable name-based virtual hosting in Squid by adding the "vhost" option to http_port.

Amos
[squid-users] reverse proxy, problem with conf
Hello all,

I have a little problem to test the ability of squid to reverse proxy.

let's say I have two sites for example: free.fr and laposte.net (these sites are real www sites)
I want that client hit first squid and then go to free.fr or laposte.net:

Client -> SQUID --> free.fr
                |
                > laposte.net

so here is my conf on my windows desktop test machine:

C:\WINDOWS\system32\drivers\etc\hosts:
127.0.0.1 localhost
127.0.0.1 free.fr
127.0.0.1 laposte.net

squid.conf:
http_port 80 accel defaultsite=google.fr
cache_peer 212.27.48.10 parent 80 0 no-query originserver name=server_1
acl sites_server_1 dstdomain free.fr
cache_peer_access server_1 allow sites_server_1
cache_peer 195.154.98.97 parent 80 0 no-query originserver name=server_2
acl sites_server_2 dstdomain laposte.net
cache_peer_access server_2 allow sites_server_2

the Test case:
When I set free.fr in my web browser I am redirected to squid but I'm forwarded to google.fr and not free.fr as expected
Same thing with laposte.net, where am I wrong?

Thank you for any help
Alexis
Re: [squid-users] R: Re: [squid-users] Reverse proxy problem
Gianfranco Varone [TIN] wrote:
> Cool, it works
> Now Squid 2.6 stable 20 (on windows, thank you Guido) runs really good.
> Thanks thanks thanks!!!
>
> Another question... with squid i have to deliver 3 services:
> 1. proxy on port 8080 (it works);
> 2. reverse proxy on port 1 (and NOW it works);
>
> But...if i want to (third service) reverse another port on the same server?
>
> Schema (always the same):
> MOBILE USER -> internet -> Squid(DMZ) -> FW -> Mail(LAN)
> but...now services answers on port 8642
>
> if i insert
> http_port ipSquid:8642 accel vhost defaultsite=fqdnMailDomain:8642 -> OK
> but
> cache_peer ipMail 8642 0 no-query originserver -> Fail! (double cache_peer on the same server)

cache_peer ipMail parent 1 ... name=mail
cache_peer ipMail parent 8642 ... name=mobile

.. also need to change cache_peer_access from referring to ipMail to refer to mail or mobile instead.

for example:
never_direct allow fqdnMailDomain
http_access allow fqdnMailDomain
cache_peer_access mail allow fqdnMailDomain
cache_peer_access mail deny all
cache_peer_access mobile allow fqdnMailDomain
cache_peer_access mobile deny all

Amos

> Thanks in advance/GfV
>
> Original message
> From: [EMAIL PROTECTED]
> Date: 2-May-2008 1.50 PM
> To: "Gianfranco Varone [TIN]"<[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED] org>
> Subject: Re: [squid-users] Reverse proxy problem
>
> Gianfranco Varone [TIN] wrote:
>> Hi to all,
>> first of all sorry for my english!!
>>
>> I'm trying to configure reverse proxy with Squid version 2.6, to permit users to connect to our mail server
>>
>> Schema as follow:
>> USER -> internet -> Squid(DMZ) -> FW -> Mail(LAN)
>> Squid AND Mail answer on tcp port 1
>>
>> Squid.conf:
>> http_port ipSquid:1 vhost=ipMail:1 vport=1 accel
>
> http_port ipSquid:1 accel vhost defaultsite=fqdnMailDomain:1
>
>> cache_peer ipMail 1 0 no-query originserver
>> acl MailServer ipMail/32
>
> acl MailServer dstdomain fqdnMailDomain
>
>> always_direct deny all !MailServer
>
> No. Instead:
> never_direct allow fqdnMailDomain
> http_access allow fqdnMailDomain
> cache_peer_access ipMail allow fqdnMailDomain
> cache_peer_access deny all
>
>> So, if i try to connect to http://ipProxy:1/ i get the login page, but every request automatically redirect to http://ipMail:1 and i obviously get errors!
>
> Prefer FQDN for public mail. Point FQDN for mail at ipSquid so clients can get to proxy.
>
> NP: no need for squid to listen on 1, it can be anything. The clients never know the private link to mail and mail only knows squid is connecting correctly.
>
>> Using squid 2.5 instead it works perfectly!
>>
>> Squid 2.5 conf:
>> http_port 1
>> httpd_accel_host 192.168.0.8
>> httpd_accel_port 1
>> httpd_accel_single_host on
>> httpd_accel_uses_host_header on
>> httpd_accel_with_proxy on
>>
>> Where i'm in wrong???
>>
>> Cheers/GfV
>
> Amos
> --
> Please use Squid 2.6.STABLE20 or 3.0.STABLE5
[squid-users] R: Re: [squid-users] Reverse proxy problem
Cool, it works
Now Squid 2.6 stable 20 (on windows, thank you Guido) runs really good.
Thanks thanks thanks!!!

Another question... with squid i have to deliver 3 services:
1. proxy on port 8080 (it works);
2. reverse proxy on port 1 (and NOW it works);

But...if i want to (third service) reverse another port on the same server?

Schema (always the same):
MOBILE USER -> internet -> Squid(DMZ) -> FW -> Mail(LAN)
but...now services answers on port 8642

if i insert
http_port ipSquid:8642 accel vhost defaultsite=fqdnMailDomain:8642 -> OK
but
cache_peer ipMail 8642 0 no-query originserver -> Fail! (double cache_peer on the same server)

Thanks in advance/GfV

Original message
From: [EMAIL PROTECTED]
Date: 2-May-2008 1.50 PM
To: "Gianfranco Varone [TIN]"<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED] org>
Subject: Re: [squid-users] Reverse proxy problem

Gianfranco Varone [TIN] wrote:
> Hi to all,
> first of all sorry for my english!!
>
> I'm trying to configure reverse proxy with Squid version 2.6, to permit users to connect to our mail server
>
> Schema as follow:
> USER -> internet -> Squid(DMZ) -> FW -> Mail(LAN)
> Squid AND Mail answer on tcp port 1
>
> Squid.conf:
> http_port ipSquid:1 vhost=ipMail:1 vport=1 accel

http_port ipSquid:1 accel vhost defaultsite=fqdnMailDomain:1

> cache_peer ipMail 1 0 no-query originserver
> acl MailServer ipMail/32

acl MailServer dstdomain fqdnMailDomain

> always_direct deny all !MailServer

No. Instead:
never_direct allow fqdnMailDomain
http_access allow fqdnMailDomain
cache_peer_access ipMail allow fqdnMailDomain
cache_peer_access deny all

> So, if i try to connect to http://ipProxy:1/ i get the login page, but every request automatically redirect to http://ipMail:1 and i obviously get errors!

Prefer FQDN for public mail. Point FQDN for mail at ipSquid so clients can get to proxy.

NP: no need for squid to listen on 1, it can be anything. The clients never know the private link to mail and mail only knows squid is connecting correctly.

> Using squid 2.5 instead it works perfectly!
>
> Squid 2.5 conf:
> http_port 1
> httpd_accel_host 192.168.0.8
> httpd_accel_port 1
> httpd_accel_single_host on
> httpd_accel_uses_host_header on
> httpd_accel_with_proxy on
>
> Where i'm in wrong???
>
> Cheers/GfV

Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
Re: [squid-users] Reverse proxy problem
Gianfranco Varone [TIN] wrote:
> Hi to all,
> first of all sorry for my english!!
>
> I'm trying to configure reverse proxy with Squid version 2.6, to permit users to connect to our mail server
>
> Schema as follow:
> USER -> internet -> Squid(DMZ) -> FW -> Mail(LAN)
> Squid AND Mail answer on tcp port 1
>
> Squid.conf:
> http_port ipSquid:1 vhost=ipMail:1 vport=1 accel

http_port ipSquid:1 accel vhost defaultsite=fqdnMailDomain:1

> cache_peer ipMail 1 0 no-query originserver
> acl MailServer ipMail/32

acl MailServer dstdomain fqdnMailDomain

> always_direct deny all !MailServer

No. Instead:
never_direct allow fqdnMailDomain
http_access allow fqdnMailDomain
cache_peer_access ipMail allow fqdnMailDomain
cache_peer_access deny all

> So, if i try to connect to http://ipProxy:1/ i get the login page, but every request automatically redirect to http://ipMail:1 and i obviously get errors!

Prefer FQDN for public mail. Point FQDN for mail at ipSquid so clients can get to proxy.

NP: no need for squid to listen on 1, it can be anything. The clients never know the private link to mail and mail only knows squid is connecting correctly.

> Using squid 2.5 instead it works perfectly!
>
> Squid 2.5 conf:
> http_port 1
> httpd_accel_host 192.168.0.8
> httpd_accel_port 1
> httpd_accel_single_host on
> httpd_accel_uses_host_header on
> httpd_accel_with_proxy on
>
> Where i'm in wrong???
>
> Cheers/GfV

Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
[squid-users] Reverse proxy problem
Hi to all,
first of all sorry for my english!!

I'm trying to configure reverse proxy with Squid version 2.6, to permit users to connect to our mail server

Schema as follow:
USER -> internet -> Squid(DMZ) -> FW -> Mail(LAN)
Squid AND Mail answer on tcp port 1

Squid.conf:
http_port ipSquid:1 vhost=ipMail:1 vport=1 accel
cache_peer ipMail 1 0 no-query originserver
acl MailServer ipMail/32
always_direct deny all !MailServer

So, if i try to connect to http://ipProxy:1/ i get the login page, but every request automatically redirect to http://ipMail:1 and i obviously get errors!

Using squid 2.5 instead it works perfectly!

Squid 2.5 conf:
http_port 1
httpd_accel_host 192.168.0.8
httpd_accel_port 1
httpd_accel_single_host on
httpd_accel_uses_host_header on
httpd_accel_with_proxy on

Where i'm in wrong???

Cheers/GfV
Re: [squid-users] Reverse proxy problem again
Gustavo Lazarte wrote:
> well, I went thru 2 reverse proxy guides and 5 installations and at least on this steps I get the URL request right
>
> here are the steps that worked the best:
>
> We are looking to use squid to handle *.jpg request.
> We are using Squid Proxy server 2.5 stable 3 for windows NT/2000/XP
>
> Here is part of my squid.conf file
>
> http_port 80
> httpd_accel_host 10.10.10.10
> httpd_accel_port 80
> httpd_accel_single_host on
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header off
>
> I have squid running on 127.0.0.1
>
> I m added the following extra changes
> Cache_mem 300mb
> Negative_ttl 15 min
>
> Also created a
> http_access allow all

But WHERE did you place it? Reading through http://wiki.squid-cache.org/SquidFaq/SquidAcl might give you a better understanding of how Squid uses ACLs and http_access rules to allow and deny requests. After that, have a gander at http://wiki.squid-cache.org/SquidFaq/ReverseProxy.

> and still get a page with a saying
>
> While trying to retrieve the URL: http://10.10.10.10/test.jpg
> The following error was encountered:
> Access Denied.
> Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
>
> This is what I get in the logs
>
> 10.10.10.100 TCP_NEGATIVE_HIT/403 1467 GET http://10.10.10.10/test.jpg - NONE/- text/html
>
> on the cache log I got
>
> Target number of buckets: 393
> 2006/08/07 14:12:55| Using 8192 Store buckets
> 2006/08/07 14:12:55| Max Mem size: 307200 KB
> 2006/08/07 14:12:55| Max Swap size: 102400 KB
> 2006/08/07 14:12:55| Rebuilding storage in C:\Squid/cache (CLEAN)
> 2006/08/07 14:12:55| Using Least Load store dir selection
> 2006/08/07 14:12:55| Set Current Directory to C:\Squid/cache
> 2006/08/07 14:12:55| Loaded Icons.
> 2006/08/07 14:12:55| Accepting HTTP connections at 0.0.0.0, port 80, FD 18.
> 2006/08/07 14:12:55| Accepting HTCP messages on port 4827, FD 19.
> 2006/08/07 14:12:55| Accepting SNMP messages on port 3401, FD 20.
> 2006/08/07 14:12:55| Ready to serve requests.
> 2006/08/07 14:12:56| Done scanning C:\Squid/cache swaplog (0 entries)
> 2006/08/07 14:12:56| Finished rebuilding storage from disk.
> 2006/08/07 14:12:56| 0 Entries scanned
> 2006/08/07 14:12:56| 0 Invalid entries.
> 2006/08/07 14:12:56| 0 With invalid flags.
> 2006/08/07 14:12:56| 0 Objects loaded.
> 2006/08/07 14:12:56| 0 Objects expired.
> 2006/08/07 14:12:56| 0 Objects cancelled.
> 2006/08/07 14:12:56| 0 Duplicate URLs purged.
> 2006/08/07 14:12:56| 0 Swapfile clashes avoided.
> 2006/08/07 14:12:56| Took 1.0 seconds ( 0.0 objects/sec).
> 2006/08/07 14:12:56| Beginning Validation Procedure
> 2006/08/07 14:12:56| Completed Validation Procedure
> 2006/08/07 14:12:56| Validated 0 Entries
> 2006/08/07 14:12:56| store_swap_size = 0k
> 2006/08/07 14:12:56| storeLateRelease: released 0 objects
> 2006/08/07 15:08:46| NETDB state saved; 1 entries, 0 msec
>
> Thanks if anybody has any leads
>
> Gustavo Lazarte

Chris
[squid-users] Reverse proxy problem again
well, I went thru 2 reverse proxy guides and 5 installations and at least on this steps I get the URL request right

here are the steps that worked the best:

We are looking to use squid to handle *.jpg request.
We are using Squid Proxy server 2.5 stable 3 for windows NT/2000/XP

Here is part of my squid.conf file

http_port 80
httpd_accel_host 10.10.10.10
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header off

I have squid running on 127.0.0.1

I m added the following extra changes
Cache_mem 300mb
Negative_ttl 15 min

Also created a
http_access allow all

and still get a page with a saying

While trying to retrieve the URL: http://10.10.10.10/test.jpg
The following error was encountered:
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

This is what I get in the logs

10.10.10.100 TCP_NEGATIVE_HIT/403 1467 GET http://10.10.10.10/test.jpg - NONE/- text/html

on the cache log I got

Target number of buckets: 393
2006/08/07 14:12:55| Using 8192 Store buckets
2006/08/07 14:12:55| Max Mem size: 307200 KB
2006/08/07 14:12:55| Max Swap size: 102400 KB
2006/08/07 14:12:55| Rebuilding storage in C:\Squid/cache (CLEAN)
2006/08/07 14:12:55| Using Least Load store dir selection
2006/08/07 14:12:55| Set Current Directory to C:\Squid/cache
2006/08/07 14:12:55| Loaded Icons.
2006/08/07 14:12:55| Accepting HTTP connections at 0.0.0.0, port 80, FD 18.
2006/08/07 14:12:55| Accepting HTCP messages on port 4827, FD 19.
2006/08/07 14:12:55| Accepting SNMP messages on port 3401, FD 20.
2006/08/07 14:12:55| Ready to serve requests.
2006/08/07 14:12:56| Done scanning C:\Squid/cache swaplog (0 entries)
2006/08/07 14:12:56| Finished rebuilding storage from disk.
2006/08/07 14:12:56| 0 Entries scanned
2006/08/07 14:12:56| 0 Invalid entries.
2006/08/07 14:12:56| 0 With invalid flags.
2006/08/07 14:12:56| 0 Objects loaded.
2006/08/07 14:12:56| 0 Objects expired.
2006/08/07 14:12:56| 0 Objects cancelled.
2006/08/07 14:12:56| 0 Duplicate URLs purged.
2006/08/07 14:12:56| 0 Swapfile clashes avoided.
2006/08/07 14:12:56| Took 1.0 seconds ( 0.0 objects/sec).
2006/08/07 14:12:56| Beginning Validation Procedure
2006/08/07 14:12:56| Completed Validation Procedure
2006/08/07 14:12:56| Validated 0 Entries
2006/08/07 14:12:56| store_swap_size = 0k
2006/08/07 14:12:56| storeLateRelease: released 0 objects
2006/08/07 15:08:46| NETDB state saved; 1 entries, 0 msec

Thanks if anybody has any leads

Gustavo Lazarte
RE: [squid-users] Reverse proxy problem again
Dear Henrik,

I'm missing understand in redirect script. The root cause of my problem is /etc/hosts that missing. Now, it works well.

Regards and Thanks
Niti : )

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 4:17 PM
To: Niti Lohwithee; [EMAIL PROTECTED]
Cc: Siriporn Hayuk
Subject: Re: [squid-users] Reverse proxy problem again

On Friday 15 August 2003 10.42, Niti Lohwithee wrote:
> Dear Henrik,
>
> Could you recommend the redirect script for solving this problem?

My question is why at all using a redirector script? I see no reason why you would need or want a redirector script in your setup.

Regards
Henrik
Re: [squid-users] Reverse proxy problem again
On Friday 15 August 2003 10.42, Niti Lohwithee wrote:
> Dear Henrik,
>
> Could you recommend the redirect script for solving this problem?

My question is why at all using a redirector script? I see no reason why you would need or want a redirector script in your setup.

Regards
Henrik
RE: [squid-users] Reverse proxy problem again
Dear Henrik,

Could you recommend the redirect script for solving this problem?

Regards and Thank you in advance
Niti : )

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, August 15, 2003 12:33 PM
To: Niti Lohwithee
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Reverse proxy problem again

On Friday 15 August 2003 05.00, Niti Lohwithee wrote:
> #!/usr/bin/perl -p
> s%http://centralmail\b%http://reverse-proxy%;

This does not look right.. why are you doing this?

Your Squid does not have any clue on how to fetch http://reverse-proxy, and most likely your centralmail server also does not know what to do with that domain name (if it supports virtual domains).

Regards
Henrik
Re: [squid-users] Reverse proxy problem again
On Friday 15 August 2003 05.00, Niti Lohwithee wrote:
> #!/usr/bin/perl -p
> s%http://centralmail\b%http://reverse-proxy%;

This does not look right.. why are you doing this?

Your Squid does not have any clue on how to fetch http://reverse-proxy, and most likely your centralmail server also does not know what to do with that domain name (if it supports virtual domains).

Regards
Henrik
RE: [squid-users] Reverse proxy problem again
Dear Henrik,

Thank you in your suggestion. I'm missing for some requirement. In fact, my requirement is that the webmail can be used from Internet through this reverse proxy. When users access to the Central Webmail for "first time", it checks username and password for authentication. If pass, then redirect to one of the mail servers which the user's mailbox exist.

The squid config, /etc/host and redirect program is below.

/etc/hosts
-
162.xx.xx.0 centralmail
162.xx.xx.1 webmail1
162.xx.xx.2 webmail2
162.xx.xx.3 webmail3
162.xx.xx.4 webmail4

Squid.conf

http_port 80
httpd_accel_host virtual
httpd_accel_single_host off
httpd_accel_uses_host_header on
httpd_accel_with_proxy on
httpd_accel_port 80

visible_hostname centralmail
acl all src 0.0.0.0/0.0.0.0
http_access allow all
redirect_program /usr/local/squid-reverse/bin/ip_redirector.pl

Ip_redirector.pl
__
#!/usr/bin/perl -p
s%http://centralmail\b%http://reverse-proxy%;

When I access the webmail, it's not work. And the error message namely access denied and Forwards loop detect have not appear.
The cache.log have no any error.
The access.log display as below

1060912813.080 1 reverse-proxy TCP_MISS/403 1367 GET http://reverse-proxy / - NONE/- text/html
1060912813.081 3 client TCP_MISS/403 1411 GET http://reverse-proxy - DIRECT/172.30.251.143 text/html

Could you help me please?

Regards and Thank you in advance

Regards
Niti : )

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 9:58 PM
To: Niti Lohwithee
Cc: jonathan soong; [EMAIL PROTECTED]; Siriporn Hayuk
Subject: RE: [squid-users] Reverse proxy problem

On Thu, 14 Aug 2003, Niti Lohwithee wrote:
> Additional information, when I access the web access the webmail .
> The messages.log display that WARNING: Forwarding loop detected for:
> GET / HTTP/1.0^M Accept: image/gif, image/x-xbitmap, image/jpeg,
> image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint,
> ...

Your squid does not know how to find it's way to the real servers.

Two possible causes here

a) The server the user asked for is not in your /etc/hosts file.

b) You have specified "httpd_accel_host virtual" but not "httpd_accel_uses_host_header on". Such configuration will make Squid try to contact it's own IP address all the time as "httpd_accel_host virtual" tells it to reconstruct the URL using the IP address.

Which of the two is obvious if you look into access.log.

Regards
Henrik
[squid-users] Reverse proxy problem
Dear all,

I setup a reverse proxy server for internal webmail service using squid2.5 stable 3. There are 4 webmail servers in the Internal Network. The below is the network diagram.

(services: http) (services: http)
Group of mail servers - Central Webmail <--> Firewall Box <--> Internet
|
|
Reverse Proxy server
11.0.0.1 (NAT to 13.0.0.1)

My requirement is that the webmail can be used from Internet through this reverse proxy. When users access to the Central Webmail, it checks username and password for authentication. If pass, then redirect to one of the mail servers which the user's mailbox exist.

At Reverse Proxy server, I've configured squid with --disable-internal-dns option. Webmail servers lists in the /etc/hosts file. Reverse Proxy server already has the real IP address and NAT by Firewall Box. The below is the configuration.

/etc/hosts
-
162.xx.xx.0 centralmail
162.xx.xx.1 webmail1
162.xx.xx.2 webmail2
162.xx.xx.3 webmail3
162.xx.xx.4 webmail4

Squid.conf

http_port 80
httpd_accel_host virtual
httpd_accel_single_host off
httpd_accel_uses_host_header on
httpd_accel_with_proxy on
httpd_accel_port 80

visible_hostname centralmail
acl all src 0.0.0.0/0.0.0.0
http_access allow all

The problem is when I access the webmail from both DMZ and Internet, the web page returns an error message about access denied. What's wrong?

Any help is greatly appreciated!

Regards and Thank you
Niti : )
Re: [squid-users] Reverse proxy problem
> >httpd_accel_host virtual

I do not think you really intend the above.. you should most likely use the main domain name there. Not very important however.

> >httpd_accel_single_host off
> >httpd_accel_uses_host_header on
> >httpd_accel_with_proxy on
> >httpd_accel_port 80
> >
> >visible_hostname centralmail
> >acl all src 0.0.0.0/0.0.0.0
> >http_access allow all

The above you certainly do not want. Makes your "reverse proxy" a open proxy allowing anyone to connect via the proxy to anywhere in the world on any service doing anything they like.

> > The problem is when I access the webmail from both DMZ and
> >Internet, the web page returns an error message about access denied.
> >What 's wrong?

I do not see how you can get an access denied with the above totally wide open setup.

What does access.log say?

Any output from "squid -k parse"?

Regards
Henrik
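
Added example, not part of any message in this archive and not Squid project code: a small squid.conf check for the accelerator mistakes the replies above point out (accel port without "vhost", two cache_peer lines with the same identifier, cache_peer_access naming an undefined peer, and "http_access allow all"). It assumes the Squid 2.6+/3.x accel syntax quoted in the threads; the function names, finding labels and both sample configs are constructed for illustration.

```python
from collections import Counter

def parse(conf_text):
    """Split squid.conf text into (directive, [args]) pairs, dropping comments."""
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            rules.append((parts[0], parts[1:]))
    return rules

def option(args, key):
    """Return the value of a key=value option on a directive, or None."""
    for a in args:
        if a.startswith(key + "="):
            return a.split("=", 1)[1]
    return None

def lint(conf_text):
    """Return a list of (label, message) findings for a reverse-proxy config."""
    rules = parse(conf_text)
    findings = []

    # dstdomain ACL name -> set of domains it matches
    dstdomains = {}
    for d, a in rules:
        if d == "acl" and len(a) >= 3 and a[1] == "dstdomain":
            dstdomains.setdefault(a[0], set()).update(x.lstrip(".") for x in a[2:])

    # A peer is identified by name= when given, otherwise by its hostname.
    peer_ids = [option(a, "name") or a[0] for d, a in rules if d == "cache_peer" and a]
    for ident, n in Counter(peer_ids).items():
        if n > 1:
            findings.append(("duplicate-peer",
                f"{n} cache_peer lines share identifier {ident!r}; add a unique name= to each"))

    routed = set()  # domains that some cache_peer_access rule sends to a peer
    for d, a in rules:
        if d != "cache_peer_access" or not a:
            continue
        if a[0] not in peer_ids:
            findings.append(("unknown-peer",
                f"cache_peer_access refers to {a[0]!r}, which is not a defined peer"))
        if len(a) >= 3 and a[1] == "allow":
            for acl in a[2:]:
                routed |= dstdomains.get(acl, set())

    # Without vhost, an accel port treats every request as being for defaultsite.
    for d, a in rules:
        if d == "http_port" and "accel" in a and "vhost" not in a:
            default = (option(a, "defaultsite") or "").split(":")[0]
            others = sorted(routed - {default})
            if others:
                findings.append(("no-vhost",
                    f"http_port {a[0]} lacks vhost; requests for {others} are handled as {default!r}"))

    for d, a in rules:
        if d == "http_access" and a == ["allow", "all"]:
            findings.append(("open-access",
                "http_access allow all accepts every request, not only the accelerated sites"))
    return findings

# Constructed sample configs (documentation addresses and example domains).
WEAK = """
http_port 80 accel defaultsite=a.example
cache_peer 192.0.2.10 parent 80 0 no-query originserver
cache_peer 192.0.2.10 parent 8642 0 no-query originserver
acl site_a dstdomain a.example
acl site_b dstdomain b.example
cache_peer_access web allow site_a
cache_peer_access mobile allow site_b
http_access allow all
"""

FIXED = """
http_port 80 accel vhost defaultsite=a.example
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=web
cache_peer 192.0.2.10 parent 8642 0 no-query originserver name=mobile
acl site_a dstdomain a.example
acl site_b dstdomain b.example
cache_peer_access web allow site_a
cache_peer_access web deny all
cache_peer_access mobile allow site_b
cache_peer_access mobile deny all
http_access allow site_a
http_access allow site_b
http_access deny all
"""

if __name__ == "__main__":
    for label, message in lint(WEAK):
        print(f"{label}: {message}")
```

The check only reads the file; "squid -k parse", mentioned in the reply above, remains the authoritative syntax check.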
RE: [squid-users] Reverse proxy problem
On Thu, 14 Aug 2003, Niti Lohwithee wrote:
> Additional information, when I access the web access the webmail
> . The messages.log display that WARNING: Forwarding loop detected for:
> GET / HTTP/1.0^M Accept: image/gif, image/x-xbitmap, image/jpeg,
> image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, ...

Your squid does not know how to find it's way to the real servers.

Two possible causes here

a) The server the user asked for is not in your /etc/hosts file.

b) You have specified "httpd_accel_host virtual" but not "httpd_accel_uses_host_header on". Such configuration will make Squid try to contact it's own IP address all the time as "httpd_accel_host virtual" tells it to reconstruct the URL using the IP address.

Which of the two is obvious if you look into access.log.

Regards
Henrik
Re: [squid-users] Reverse proxy problem
my limited knowledge suggests that this IS an ACL issue.

check in /var/log/messages as well as var/cache.log and var/error.log (these are in the squid directory and contains lots of useful debug messages) for more clues

are you sure you're not running a webserver on the reverse proxy machine on port 80?

j

Niti Lohwithee wrote:
> Dear all,
>
> I setup a reverse proxy server for internal webmail service using squid2.5 stable 3. There are 4 webmail servers in the Internal Network. The below is the network diagram.
>
> (services: http) (services: http)
> Group of mail servers - Central Webmail <--> Firewall Box <--> Internet
> |
> |
> Reverse Proxy server
> 11.0.0.1 (NAT to 13.0.0.1)
>
> My requirement is that the webmail can be used from Internet through this reverse proxy. When users access to the Central Webmail, it checks username and password for authentication. If pass, then redirect to one of the mail servers which the user's mailbox exist.
>
> At Reverse Proxy server, I've configured squid with --disable-internal-dns option. Webmail servers lists in the /etc/hosts file. Reverse Proxy server already has the real IP address and NAT by Firewall Box. The below is the configuration.
>
> /etc/hosts
> -
> 162.xx.xx.0 centralmail
> 162.xx.xx.1 webmail1
> 162.xx.xx.2 webmail2
> 162.xx.xx.3 webmail3
> 162.xx.xx.4 webmail4
>
> Squid.conf
>
> http_port 80
> httpd_accel_host virtual
> httpd_accel_single_host off
> httpd_accel_uses_host_header on
> httpd_accel_with_proxy on
> httpd_accel_port 80
>
> visible_hostname centralmail
> acl all src 0.0.0.0/0.0.0.0
> http_access allow all
>
> The problem is when I access the webmail from both DMZ and Internet, the web page returns an error message about access denied. What's wrong?
>
> Any help is greatly appreciated!
>
> Regards and Thank you
> Niti : )
RE: [squid-users] Reverse proxy problem
Dear ALL.

Additional information, when I access the web access the webmail. The messages.log display that

WARNING: Forwarding loop detected for:
GET / HTTP/1.0^M Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, ...

And no have any error in error.log. I'm sure that I don't run web server on reverse proxy.

Any recommendation?

Regards
Niti : )

-Original Message-
From: jonathan soong [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 2:35 PM
To: Niti Lohwithee
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Reverse proxy problem

my limited knowledge suggests that this IS an ACL issue.

check in /var/log/messages as well as var/cache.log and var/error.log (these are in the squid directory and contains lots of useful debug messages) for more clues

are you sure you're not running a webserver on the reverse proxy machine on port 80?

j

Niti Lohwithee wrote:
> Dear all,
>
> I setup a reverse proxy server for internal webmail service using
> squid2.5 stable 3. There are 4 webmail servers in the Internal Network
> . The below is the network diagram.
>
> (services: http) (services: http)
> Group of mail servers - Central Webmail <--> Firewall Box <--> Internet
> |
> |
> Reverse Proxy server
> 11.0.0.1 (NAT to 13.0.0.1)
>
> My requirement is that the webmail can be used from Internet through
> this reverse proxy. When users access to the Central Webmail, it checks
> username and password for authentication. If pass, then redirect to one
> of the mail servers which the user's mailbox exist.
>
> At Reverse Proxy server, I've configured squid with
> --disable-internal-dns option. Webmail servers lists in the /etc/hosts
> file. Reverse Proxy server already has the real IP address and NAT by
> Firewall Box. The below is the configuration.
>
> /etc/hosts
> -
> 162.xx.xx.0 centralmail
> 162.xx.xx.1 webmail1
> 162.xx.xx.2 webmail2
> 162.xx.xx.3 webmail3
> 162.xx.xx.4 webmail4
>
> Squid.conf
>
> http_port 80
> httpd_accel_host virtual
> httpd_accel_single_host off
> httpd_accel_uses_host_header on
> httpd_accel_with_proxy on
> httpd_accel_port 80
>
> visible_hostname centralmail
> acl all src 0.0.0.0/0.0.0.0
> http_access allow all
>
> The problem is when I access the webmail from both DMZ and Internet,
> the web page returns an error message about access denied. What 's
> wrong?
>
> Any help is greatly appreciated!
>
> Regards and Thank you
> Niti : )