Re: [squid-users] transparent + reverse proxy + server is posible ?

2008-04-29 Thread Henrik Nordstrom
On Mon, 2008-04-28 at 23:45 +0200, F. wrote:
> I am thinking about making a [transparent proxy + http accelerator +
> server] on the same machine.
> But I do not know if this configuration is secure.
> ->Lan to Internet: Transparent proxy using acl LAN, redirected port 80
> to squid port in firewall. Destination all.
> ->Internet to Server. http accelerator. 80 to 3128 redirected on
> firewall. Destination only server domain names.

It's fine in 2.6 and later, but you need two different http_port for
this kind of setup. One for the proxy port, and one for the accelerator
port.

It's a little tricky to get the access controls right, but not too hard
if you are careful. And even if you do get things slightly wrong Squid
will not allow you to do very bad things unless you tell it that you
know what you are doing...

The configuration you suggested looks fine to me, but I would probably
switch the order somewhat to have the accelerated domains before your
local lan. When the configuration is as simple as you are doing now it
doesn't matter very much, but the day you start doing authentication for
your LAN clients etc things get quite different...


Regards
Henrik



Re: [squid-users] transparent + reverse proxy + server is posible ?

2008-04-28 Thread Amos Jeffries

F. wrote:
> Hello,
> I am thinking about making a [transparent proxy + http accelerator +
> server] on the same machine.
> But I do not know if this configuration is secure.
> ->Lan to Internet: Transparent proxy using acl LAN, redirected port 80
> to squid port in firewall. Destination all.
> ->Internet to Server. http accelerator. 80 to 3128 redirected on
> firewall. Destination only server domain names.
>
> Is it secure?
> Could an http accelerator and a transparent proxy work fine on the same
> machine with the same squid server?

Using 2.6+ or 3.0+ yes it should work fine.
2.5 and earlier had configuration problems.

Security level is all how you set your ACL and access lines in Squid.
The Server needs to run on a non-80 port or different IP address on the
same box (ie 127.0.0.1)

> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl Safe_ports port 80  # http
> acl Safe_ports port 1025-65535  # unregistered ports
> acl CONNECT method CONNECT
> acl SSL_ports port 443
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports

I'd advise sticking 443 back in the Safe_ports.
The line above will drop all CONNECT requests before they get to be
allowed. Just because the port is !Safe_ports

> http_access deny CONNECT !SSL_ports
>
> acl LAN src 192.168.1.0/24
> http_access allow LAN
>
> acl XENO dstdomain   .my.server.com # Destination server from URL
> http_access allow XENO
>
> # Really I do not understand well how to make the union of two prerequisites, that should be:
> # (source all acl && dstdomain .my.server.com) to allow access from Internet to server.

'all' has no effect when joined unless you want !all. It's always implied.

> http_access allow localhost
> http_access deny all

Looks like a good setup there for the Access Controls.
Just add 'transparent' and 'accel vhost defaultsite=my.server.com'
option to the matching http_port's

And some cache_peer to handle the accelerator back-end would be very useful.

Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
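
The rule-order point raised in this reply, as an added example that is not part of the original thread: a small first-match model of the posted http_access lines, run once with the posted Safe_ports and once with 443 added. The client addresses, host names and the `request`/`decide` helpers are constructed for illustration, and only the ACL types used in the posted config are modelled.

```python
import ipaddress

POSTED = [(80, 80), (1025, 65535)]   # Safe_ports as posted in the thread
FIXED = POSTED + [(443, 443)]        # with 443 added back, as advised above

def make_acls(safe_ports):
    """ACL names from the posted squid.conf, each as a predicate on a request."""
    lan = ipaddress.ip_network("192.168.1.0/24")
    return {
        "manager":    lambda r: r["proto"] == "cache_object",
        "localhost":  lambda r: r["src"] == "127.0.0.1",
        "Safe_ports": lambda r: any(lo <= r["port"] <= hi for lo, hi in safe_ports),
        "SSL_ports":  lambda r: r["port"] == 443,
        "CONNECT":    lambda r: r["method"] == "CONNECT",
        "LAN":        lambda r: ipaddress.ip_address(r["src"]) in lan,
        # dstdomain with a leading dot matches the domain and its subdomains
        "XENO":       lambda r: ("." + r["host"]).endswith(".my.server.com"),
        "all":        lambda r: True,
    }

RULES = [  # http_access lines, in the posted order
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["LAN"]),
    ("allow", ["XENO"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

def request(src, method, host, port, proto="http"):
    """Build a constructed sample request."""
    return {"src": src, "method": method, "host": host, "port": port, "proto": proto}

def decide(req, safe_ports):
    """Return (action, line) for the first http_access line whose ACLs all match."""
    acls = make_acls(safe_ports)
    for action, names in RULES:
        # ACLs on one line are ANDed; a leading '!' negates the ACL
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, "http_access %s %s" % (action, " ".join(names))
    return "deny", "(no match)"      # unreachable here: the list ends in 'deny all'

if __name__ == "__main__":
    https = request("192.168.1.20", "CONNECT", "bank.example", 443)
    print(decide(https, POSTED))     # LAN HTTPS with the posted Safe_ports
    print(decide(https, FIXED))      # same request once 443 is a safe port
    print(decide(request("203.0.113.9", "GET", "www.my.server.com", 80), POSTED))
    print(decide(request("203.0.113.9", "GET", "other.example", 80), POSTED))
```
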


[squid-users] transparent + reverse proxy + server is posible ?

2008-04-28 Thread F.
Hello,
I am thinking about making a [transparent proxy + http accelerator +
server] on the same machine.
But I do not know if this configuration is secure.
->Lan to Internet: Transparent proxy using acl LAN, redirected port 80
to squid port in firewall. Destination all.
->Internet to Server. http accelerator. 80 to 3128 redirected on
firewall. Destination only server domain names.


Is it secure?
Could an http accelerator and a transparent proxy work fine on the same
machine with the same squid server?


> acl all src 0.0.0.0/0.0.0.0 
> acl manager proto cache_object 
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl Safe_ports port 80  # http 
> acl Safe_ports port 1025-65535  # unregistered ports 
> acl CONNECT method CONNECT 
> acl SSL_ports port 443 
> 
> http_access allow manager localhost
> http_access deny manager  
>  
> http_access deny !Safe_ports 
> http_access deny CONNECT !SSL_ports
> 
> acl LAN src 192.168.1.0/24
> http_access allow LAN
> 
> acl XENO dstdomain   .my.server.com # Destination server from URL
> http_access allow XENO
> # Really I do not understand well how to make the union of two prerequisites, that should be:
> # (source all acl && dstdomain .my.server.com) to allow access from Internet to server.
> 
> http_access allow localhost
> http_access deny all




Re: [squid-users] Transparent Reverse Proxy

2006-06-03 Thread Visolve squid
On Fri, 2006-06-02 at 16:49 +0200, Cole wrote: 
> Hi.
> 
> I wanted to know if it's possible to setup squid to be a transparent reverse
> proxy/httpd accelerator
> for multiple servers behind squid. I read through all the ViSolve stuff
> regarding this, and that all
> makes sense, I was just wondering if it's possible to multiple servers in
> transparent mode?
> 
> Regards
> /Cole
> 
> 

Hello Cole,

Yes it is possible to setup reverse proxy for multiple servers. You have
to make squid to resolve to appropriate servers through DNS or hosts
file. And squid configuration has to be modified as given in
http://squid.visolve.com/squid/reverseproxy.htm. Let us know if you have
some specific questions.

Thanks,
Visolve Squid Team,
http://squid.visolve.com



Re: [squid-users] Transparent Reverse Proxy

2006-06-02 Thread Henrik Nordstrom
On Fri, 2006-06-02 at 17:45 +0200, Emilio Casbas wrote:
> You can do it with a redirector to redirect the requests to
> the appropriate backend. See the squid.conf.default for
> tag like as;

As the DNS in this case is pointing to the real servers IPs no
redirector is needed.. just have Squid forward the requests as usual...

Regards
Henrik




Re: [squid-users] Transparent Reverse Proxy

2006-06-02 Thread Henrik Nordstrom
On Fri, 2006-06-02 at 16:49 +0200, Cole wrote:

> I wanted to know if it's possible to setup squid to be a transparent reverse
> proxy/httpd accelerator

Yes. There is not much special about it. But usually not needed (just
change the DNS).

If you want it really transparent so that the original client IP is seen
by the backend server then there is a bit of work. See TPROXY
(supported in the upcoming 2.6 release).

Regards
Henrik




Re: [squid-users] Transparent Reverse Proxy

2006-06-02 Thread Emilio Casbas

Cole wrote:
> Hi.
>
> As you would normally do a httpd accelerator or reverse cache to sit in front
> of the web server to intercept its requests and serve them if it can. You have
> to specify a single host for that, or if you do multiple hosts, you have to
> change the dns of those hosts to point to your cache.
>
> I was wondering if you can do it without changing the dns?

As a quick response, yes.

You can do it with a redirector to redirect the requests to
the appropriate backend. See the squid.conf.default for
tag like as;

httpd_accel_host
httpd_accel_single_host
redirect_rewrite_host_header

see too http://wiki.squid-cache.org/SquidFaq/SquidRedirectors

Thanks
Emilio C.

> /Cole
>
> -Original Message-
> From: Emilio Casbas [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 02, 2006 5:14 PM
> To: [EMAIL PROTECTED]
> Cc: 'Squid Users'
> Subject: Re: [squid-users] Transparent Reverse Proxy
>
> Cole wrote:
>> Hi.
>>
>> I wanted to know if it's possible to setup squid to be a transparent reverse
>> proxy/httpd accelerator for multiple servers behind squid.
>
> Yes, it's possible.
>
>> I read through all the ViSolve stuff regarding this, and that all
>> makes sense, I was just wondering if it's possible to multiple servers in
>> transparent mode?
>
> Could you explain a bit more..?
>
>> Regards
>> /Cole
>
> Thanks
> Emilio C.




Re: [squid-users] Transparent Reverse Proxy

2006-06-02 Thread Emilio Casbas

Cole wrote:
> Hi.
>
> I wanted to know if it's possible to setup squid to be a transparent reverse
> proxy/httpd accelerator for multiple servers behind squid.

Yes, it's possible.

> I read through all the ViSolve stuff regarding this, and that all
> makes sense, I was just wondering if it's possible to multiple servers in
> transparent mode?

Could you explain a bit more..?

> Regards
> /Cole

Thanks
Emilio C.


[squid-users] Transparent Reverse Proxy

2006-06-02 Thread Cole
Hi.

I wanted to know if it's possible to setup squid to be a transparent reverse
proxy/httpd accelerator
for multiple servers behind squid. I read through all the ViSolve stuff
regarding this, and that all
makes sense, I was just wondering if it's possible to multiple servers in
transparent mode?

Regards
/Cole




[squid-users] Transparent reverse proxy unless origin is not running?

2005-09-15 Thread Eric Blanchi

Hi,

Is it possible to use Squid as a reverse proxy so that any requests are 
passed through to the origin server (the server serving content) and if 
the origin server is not responding serve from the cache?


Is this done using some cache peering? Or is cache peering only for 
multiple Squid caches?


Any help would be greatly appreciated.
Cheers, Eb.

--
Eric B. Blanchi