Re: [squid-users] Simple port 80 squid reverse-proxy question
Discussion Lists wrote:

> All,
>
> I set up a reverse proxy using squid 3.0. It works fine actually, but I
> wanted to run the config by you all to be sure I wasn't missing anything
> important. In particular, I am worried about commenting out the
> http_access deny all. I added an allow all setting, but I was wondering
> if there was a better way, and also if I am doing the below stuff
> correctly as well. Here's my setup:
>
> Outsideworld --- Squid --- webserver
>
> -I am doing normal http port 80 reverse-proxying.
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl all src 0.0.0.0/0.0.0.0
> acl allowed_hosts src 10.0.5.0/255.255.255.0
> http_access deny manager all
> http_access allow allowed_hosts
> #http_access deny all
> icp_access allow allowed_hosts
> icp_access deny all
> cache_dir ufs /usr/local/squid/var/cache 100 16 256
> cache_effective_user nobody
> cache_effective_group nobody
> visible_hostname Linux
> always_direct allow all
> http_port 192.168.1.79:80 defaultsite=www.test.in
> http_access allow all

Two things... First, Squid 3 is not release ready. It might catch your hair on fire. Second, with that setup, (I think) you are running an open proxy. Probably not what you want. Add another acl, like...

    acl accelerated_host dst ip.of.webserver/32

...change the http_access line to read...

    http_access allow accelerated_host

...uncomment the http_access deny all, and remove the http_access allow all, and you will be in much better shape.

Chris
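Added example (not part of the thread and not Squid code): a simplified Python model of Squid's first-match http_access evaluation, run over the access lines from the posted config and over the version Chris suggests. The address 10.0.5.10 stands in for ip.of.webserver, both sample requests are constructed, and only the src, dst and proto ACL types are modelled.

```python
import ipaddress
# http_access-relevant lines of the config posted in the thread
ORIGINAL = """
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl allowed_hosts src 10.0.5.0/255.255.255.0
http_access deny manager all
http_access allow allowed_hosts
http_access allow all
"""
# Chris's changes; 10.0.5.10 is a constructed stand-in for ip.of.webserver
CORRECTED = """
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl accelerated_host dst 10.0.5.10/32
http_access deny manager all
http_access allow accelerated_host
http_access deny all
"""
# Constructed requests from an outside client (documentation address ranges)
TO_WEBSERVER = {"proto": "http", "src": "203.0.113.7", "dst": "10.0.5.10"}
TO_THIRD_PARTY = {"proto": "http", "src": "203.0.113.7", "dst": "198.51.100.20"}

def parse(conf):  # collect acl and http_access lines; other directives are ignored
    acls, rules = {}, []
    for line in conf.splitlines():
        f = line.split("#")[0].split()
        if len(f) >= 4 and f[0] == "acl":
            acls.setdefault(f[1], []).append((f[2], f[3]))
        elif len(f) >= 3 and f[0] == "http_access":
            rules.append((f[1], f[2:]))
    return acls, rules

def acl_matches(entries, req):
    """Values of one ACL are ORed: any matching value matches the ACL."""
    for kind, value in entries:
        if kind == "proto" and req["proto"] == value:
            return True
        if kind in ("src", "dst") and ipaddress.ip_address(req[kind]) in ipaddress.ip_network(value):
            return True
    return False

def decide(conf, req):
    """First http_access line whose ACLs all match decides (ACLs are ANDed)."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return action
    # No line matched: the opposite of the last line's action applies
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

With the posted lines, decide(ORIGINAL, TO_THIRD_PARTY) returns "allow" because the request falls through to the trailing allow all; with the corrected lines the same request returns "deny" while TO_WEBSERVER is still allowed.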
Re: [squid-users] Simple port 80 squid reverse-proxy question
Sat 2006-04-01 at 11:21 -0800, Discussion Lists wrote:

> I set up a reverse proxy using squid 3.0. It works fine actually, but I
> wanted to run the config by you all to be sure I wasn't missing anything
> important. In particular, I am worried about commenting out the
> http_access deny all. I added an allow all setting, but I was wondering
> if there was a better way, and also if I am doing the below stuff
> correctly as well. Here's my setup:
>
> always_direct allow all

Don't do this in squid-3 accelerators. Instead use the cache_peer directive to tell Squid-3 where the origin server is. This gives you much better control over how Squid routes the requests.

Note: The reason why Squid-3 does not allow direct by default on accelerated content is the security concerns raised earlier. By default requiring the use of a configured peer for accelerated content, the risk that the accelerator becomes an open proxy by simple access control error (i.e. allow all) is minimized.

Regards
Henrik
RE: [squid-users] Simple port 80 squid reverse-proxy question
Thank you VERY much for this. Greatly appreciated!

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 04, 2006 1:27 PM
To: Discussion Lists
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Simple port 80 squid reverse-proxy question

Sat 2006-04-01 at 11:21 -0800, Discussion Lists wrote:

> I set up a reverse proxy using squid 3.0. It works fine actually, but I
> wanted to run the config by you all to be sure I wasn't missing anything
> important. In particular, I am worried about commenting out the
> http_access deny all. I added an allow all setting, but I was wondering
> if there was a better way, and also if I am doing the below stuff
> correctly as well. Here's my setup:
>
> always_direct allow all

Don't do this in squid-3 accelerators. Instead use the cache_peer directive to tell Squid-3 where the origin server is. This gives you much better control over how Squid routes the requests.

Note: The reason why Squid-3 does not allow direct by default on accelerated content is the security concerns raised earlier. By default requiring the use of a configured peer for accelerated content, the risk that the accelerator becomes an open proxy by simple access control error (i.e. allow all) is minimized.

Regards
Henrik