Re: [squid-users] forward and reverse proxy with squid 3.2

2011-09-17 Thread Amos Jeffries

On 17/09/11 01:48, Dean Weimer wrote:

-Original Message-
From: Erich Titl [mailto:erich.t...@think.ch]
Sent: Friday, September 16, 2011 8:28 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] forward and reverse proxy with squid 3.2

Hi Dean

at 16.09.2011 15:12, Dean Weimer wrote:

-Original Message-
From: Erich Titl [mailto:erich.t...@think.ch]
Sent: Friday, September 16, 2011 3:35 AM
To: squid-users@squid-cache.org
Subject: [squid-users] forward and reverse proxy with squid 3.2

Hi Folks

I need to replace my squid proxy running on a Debian Lenny, because the
version provided does not handle ssl.

I managed with some tweaks to the makefile (especially for the link
phase) to compile 3.2.0.11, the configuration changes though appear to
make it impossible to run a normal and reverse proxy in the same
instance.


I copied most of the configuration files from the old installation,
hoping they would not be too different.

My new installation runs fine as a normal proxy, as soon as I include
the reverse proxy configuration, everything is sent to the peer
mentioned there.


There are some strange behaviours we are straightening out in 3.2 beta 
series at the moment after a TCP connection re-write in 3.2.0.9.


Please try 3.2.0.12 beta which is now released. If that still has 
problems you may need to use 3.2.0.8 beta which has several happy users. 
Or the stable production series 3.1.15.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.12


RE: [squid-users] forward and reverse proxy with squid 3.2

2011-09-16 Thread Dean Weimer
 -Original Message-
 From: Erich Titl [mailto:erich.t...@think.ch]
 Sent: Friday, September 16, 2011 3:35 AM
 To: squid-users@squid-cache.org
 Subject: [squid-users] forward and reverse proxy with squid 3.2
 
 Hi Folks
 
 I need to replace my squid proxy running on a Debian Lenny, because the
 version provided does not handle ssl.
 
 I managed with some tweaks to the makefile (especially for the link
 phase) to compile 3.2.0.11, the configuration changes though appear to
 make it impossible to run a normal and reverse proxy in the same
 instance.
 
 I copied most of the configuration files from the old installation,
 hoping they would not be too different.
 
 My new installation runs fine as a normal proxy, as soon as I include
 the reverse proxy configuration, everything is sent to the peer
 mentioned there.
 
 ####
 # squid reverse proxy settings
 # content shamelessly adapted from
 # http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
 # Copyleft 2009 erich.t...@think.ch
 ####
 
 http_port 80 accel
 
 # peer servicedesk
 cache_peer servicedesk.ruf.ch parent 80 0 no-query originserver name=servicedesk
 
 acl sites_server_1 dstdomain servicedesk.ruf.ch
 cache_peer_access servicedesk allow sites_server_1
 http_access allow sites_server_1
 #####
 
 It appears that the cache_peer directive now takes precedence.
 
 cheers
 
 Erich

Erich,
I ran into this when switching to the 3.x branch from 2.x, you
need to answer on a second port for the forward proxy requests, this
setup works in 3.1.x, I haven't tried it in 3.2.x versions, but I
believe this should work in it as well.

http_port 80 accel
http_port 3128
# If using https on reverse proxy as well
https_port 443 accel cert=/usr/local/squid/etc/certs/chain.crt key=/usr/local/squid/etc/certs/cert.key options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

Make sure to include the proper access list entries so that you don't
open the forward proxy to the world when allowing access to the reverse
proxy port.  The server will answer on http and https on ports 80 and
443 and direct those to the parent server, when connected to on port
3128 it will function as a standard forward proxy service for your
internal users.

Dean


RE: [squid-users] forward and reverse proxy with squid 3.2

2011-09-16 Thread Dean Weimer
 -Original Message-
 From: Erich Titl [mailto:erich.t...@think.ch]
 Sent: Friday, September 16, 2011 8:28 AM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] forward and reverse proxy with squid 3.2
 
 Hi Dean
 
 at 16.09.2011 15:12, Dean Weimer wrote:
  -Original Message-
  From: Erich Titl [mailto:erich.t...@think.ch]
  Sent: Friday, September 16, 2011 3:35 AM
  To: squid-users@squid-cache.org
  Subject: [squid-users] forward and reverse proxy with squid 3.2
 
  Hi Folks
 
  I need to replace my squid proxy running on a Debian Lenny, because the
  version provided does not handle ssl.
 
  I managed with some tweaks to the makefile (especially for the link
  phase) to compile 3.2.0.11, the configuration changes though appear to
  make it impossible to run a normal and reverse proxy in the same
  instance.
 
  I copied most of the configuration files from the old installation,
  hoping they would not be too different.
 
  My new installation runs fine as a normal proxy, as soon as I include
  the reverse proxy configuration, everything is sent to the peer
  mentioned there.
 
 
  ####
  # squid reverse proxy settings
  # content shamelessly adapted from
  # http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
  # Copyleft 2009 erich.t...@think.ch
  ####
 
  http_port 80 accel
 
  # peer servicedesk
  cache_peer servicedesk.ruf.ch parent 80 0 no-query originserver name=servicedesk
 
  acl sites_server_1 dstdomain servicedesk.ruf.ch
  cache_peer_access servicedesk allow sites_server_1
  http_access allow sites_server_1
 
  #####
 
  It appears that the cache_peer directive now takes precedence.
 
  cheers
 
  Erich
 
  Erich,
  I ran into this when switching to the 3.x branch from 2.x, you
  need to answer on a second port for the forward proxy requests, this
  setup works in 3.1.x, I haven't tried it in 3.2.x versions, but I
  believe this should work in it as well.
 
  http_port 80 accel
  http_port 3128
  # If using https on reverse proxy as well
  https_port 443 accel cert=/usr/local/squid/etc/certs/chain.crt key=/usr/local/squid/etc/certs/cert.key options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
 
 I have a forward proxy defined on 8080 and it works well until I include
 the reverse proxy configuration. Then everything goes to the cache peer
 defined for that vhost. What does your cache peer look like?
 
 Thanks
 
 Erich


Perhaps it's the cache_peer_domain lines that you need, I have sanitized
these entries, I am actually using a vhost configuration with multiple
peers on port 80, and a single peer on https.

cache_peer 1.1.1.1 parent 80 0 proxy-only no-query originserver name=HTTPPEER
cache_peer_domain HTTPPEER www.domain.com
cache_peer 1.1.1.1 parent 443 0 ssl no-query originserver name=HTTPSPEER
cache_peer_domain HTTPSPEER www.domain.com

My forward proxy is also using a parent cache, which makes the ACLs and
rules likely quite a bit different, but I don't appear to have any allow
deny rules for the parent peers used in the reverse proxy settings, so
it looks like the cache_peer_domain is doing all the work in deciding
what goes to the parents via the reverse proxy function, and what goes
to the forward parent server.  The only ACLs and rules I have setup are
allowing and denying access to the forward proxy port.
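The following squid.conf sketch puts the advice from both of Dean's replies together in one place: a separate listening port per role, named origin peers selected with cache_peer_domain, and access lists that keep the forward port from becoming an open proxy once the accelerator ports are exposed. It is an added example, not configuration posted in this thread or shipped by the Squid project. The hostnames, addresses, certificate paths and network ranges are placeholders, and the port-name based ACLs (http_port name= with acl myportname) are the editor's choice for telling the two roles apart; the directives are written against Squid 3.1/3.2 syntax.

```conf
# Added example (not from the thread). Assumptions: Squid 3.1/3.2 syntax,
# internal clients on 192.168.0.0/16, origin server at 10.0.0.10, and the
# site www.example.com plus the certificate paths are placeholders.

# ---- reverse proxy listeners (reachable from the Internet) ----
http_port 80 accel defaultsite=www.example.com vhost name=rev_http
https_port 443 accel defaultsite=www.example.com vhost name=rev_https cert=/etc/squid/certs/chain.crt key=/etc/squid/certs/cert.key options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

# ---- forward proxy listener (internal side only) ----
http_port 3128 name=fwd

# ---- origin peers for the published site, selected by domain ----
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=origin_http
cache_peer_domain origin_http www.example.com
cache_peer 10.0.0.10 parent 443 0 ssl no-query originserver name=origin_https
cache_peer_domain origin_https www.example.com

# ---- ACL definitions ----
acl localnet src 192.168.0.0/16
acl published dstdomain www.example.com
acl on_reverse myportname rev_http rev_https
acl on_forward myportname fwd

# Reverse ports: anyone may ask for the published site and nothing else.
http_access allow on_reverse published
http_access deny on_reverse

# Forward port: internal clients only. The final deny all is what stops
# the accelerator deployment from doubling as an open proxy.
http_access allow on_forward localnet
http_access deny all

# Keep the two paths apart: reverse traffic must reach the origin peers,
# forward traffic must never be routed to them.
never_direct allow on_reverse
always_direct allow on_forward
cache_peer_access origin_http deny on_forward
cache_peer_access origin_https deny on_forward
```

The http_access rules are evaluated first match wins, so the order above matters: the accelerator ports are handled (allowed for the published name, then refused) before the forward rule, and the closing deny all catches every request that neither branch explicitly allowed. The cache_peer_access deny lines are redundant with cache_peer_domain for this layout, but they make the intent explicit if further peers are added later.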