Search squid archive

Re: Pass through some requests in a reversed-proxy setup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Rune Langseid wrote:
Thanks for the reply Amos.

Just to clarify my intentions about this setup.

I my current setup all requests is sent to and handled by the CMS's "index.php". Since over 90% of the requests is anonymous users which always get the same output I want accelerate this part. All authentication is handled by the CMS, and is not something Squid needs to think about.

Okay. In that case you should not worry about bypassing squid for the authenticated users. All you need is to ensure that secure content for authenticated users is at different URI than for anonymous. And that all pages have Cache-Control: headers set to expire the page when you want it to. If you go the route of using a query-string parameter to differentiate, you will need to remove the recommended default non-caching of '?' URI from squid.conf.

Or to keep using the cookie you should just need to set the Cache-Control: and Vary: headers (Vary: Cookie)

The new polished www.squid-cache.org site does this in a way with its *.dyn pages. Everything gets mapped and assembled by a control script before display.
Amos


Amos Jeffries wrote:
Rune Langseid wrote:
Hi there,

I'm trying to set up a reverse-proxy in front of an CMS.

Ok.

Since there are both anonymous users, and logged in users accessing this
system I only want to serve squid-cache to the anonymous users.

WHY? Surey yoru authenticated users are allowed to do the same things as anonymous (plus some extras only for them)

I was thinking of setting a cookie called "Authenticated" when the user
logs in as this is easy to check with "acl"

Like this:
acl cookie_is_set req_header Cookie ^.*Authenticated.*

However, I am facing a few problems then trying to let these user
through Squid.

I have tried this:
acl cookie_is_set req_header Cookie ^.*Authenticated.*
cache deny cookie_is_set

This setup works in a way, but Squid also deletes the cache-object used
by the anonymous users which is something I don't want. Could this be a bug?

Sort-of. Squid does not fully support HTTP/1.1 - this type of URL differences are part of the HTTP/1.1 support. If its still occuring when squid is apparently HTTP/1.1 compliant then it will be a bug.

I have also been experimenting with "always_direct" with no luck.
Like this:
always_direct allow cookie_is_set

I guess I am missing something important here...

always_direct bypasses the peer config you have for matching requests.


Is there another way to solve this?
Eg by using cache_peer and cache_peer_access?


Possibly. If you wanted one or other type of user not to be able to request new content from the peer.

What I suspect is that you actually want to use:
 miss_access deny !cookie_is_set

That way authenticated users are allowed to pull new objects int the cache. and non-authenticated are only allowed to use those already pulled in by somebody else.

Your CMS should be setting Expires: and Cache-Control: headers properly to control which items are storable in the cache and which need to be refreshed.
You purposed this setting;
miss_access deny !cookie_is_set

This will stop requests which is not authenticated (cookie does not exist) which is something I don't want. Anonymous users should generate cache if does not exists, or if it is expired.

If the cookie exists Squid should just pass the request along to index.php as if the cache did not exist.

The "cache deny cookie_is_set" does this, but it also releases the cache for the page used by anonymous user.

I guess I'll end up modifying this function not to case a "RELEASE" on the cache by patching Squid. This is not an ideal solution, but if it works for now it is enough.



I'm using Squid 2.6.5, and my squid.conf looks like this:
--
cache_peer localhost parent 80 0 originserver
http_port 8080 vhost

acl cookie_is_set req_header Cookie ^.*Authenticated.*
cache deny cookie_is_set

#always_direct allow cookie_is_set

acl all src 0.0.0.0/0.0.0.0
http_access allow all

So by that config I read that you want ANYBODY to be able to access any website through your proxy at port 8080?

I'd use:
- cache_peer_domain or cache_peer_access to limit the possible destinations to those your peer provides.
- never_direct to prevent requests the CMS is not meant to provide

Also cookie's can be forged or spoofed easily. If you can try to setup some proper authentication. The auth_param programs can be an easily hand-coded script to test USER/PASS against anything you want. That also allows the users use their familiar browser login controls for your site.

The ports in this example of squid.conf was easy to misunderstand I guess.

When everything is settled Squid will of course run on port 80, and Apache will be on port 8080 (just to pick one).


Regards,
Rune


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux