RE: Reverse proxy setup with squid 2.6+

I didn't have the cache_peer_access directive in my squid.conf. At this moment the cache_peer entries are as follows:

cache_peer 10.x.x.11 parent 80 0 no-query originserver
cache_peer_access 10.x.x.11 allow all

I am still seeing the same issue of the connection going to the Virtual Host instead of to the origin server.

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] 
Sent: Saturday, March 01, 2008 4:36 AM
To: Russ Gnann
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  Reverse proxy setup with squid 2.6+

Russ Gnann wrote:
> We are currently looking to upgrade our squid servers from 2.5 to 2.6 or higher.  In our current configuration, we send requests to the origin servers to a single IP address that points to a load balancer which is associated with a pool of web servers. In 2.5, this is easy to do with the httpd_accel_* directives, but in 2.6 I know that those directives have been replaced by the http_port directive with accel, vhost, vport, etc. options.  I have supplied the squid.conf we are attempting to use below with a build of 2.6.  With this configuration, it appears that any connection attempt that doesn't get a cache hit resolves the virtual host, and makes an HTTP connection to that resolved public IP instead of sending the request to the internal 10.x.x.11 address.  
> 
> Is there a way under squid 2.6 and higher to force any request that doesn't make a cache hit to a single backend IP address?  The vhost option is necessary with http_port since the Host: header must contain the Virtual Host name as our web servers use that data to determine which site to serve.
> 

You require a cache_peer directive and a cache_peer_access with ACLs.
Those will direct cache-misses to the actual source you configure 
without doing the DNS lookups.

Amos

> 
> squid build: 
> # /opt/squid-2.6.16/sbin/squid -v
> Squid Cache: Version 2.6.STABLE16
> configure options:  '--prefix=/opt/squid-2.6.16' '--enable-async-io' '--enable-snmp' '--enable-removal-policies=heap' '--enable-referer-log' '--enable-useragent-log'
> 
> ----- squid.conf -----
> acl snmppublic snmp_community local-squid-ro
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl local_network src 172.16.0.0/16 10.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl web_ports port 80
> http_access allow web_ports
> http_access allow manager localhost
> http_access allow manager local_network
> http_access deny manager
> acl purge method PURGE
> http_access allow purge localhost
> http_access allow purge local_network
> http_access deny purge
> http_access allow all
> icp_access allow all
> http_port 80 accel defaultsite=10.x.x.11 vhost
> cache_peer 10.x.x.11 parent 80 0 no-query originserver
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> memory_replacement_policy heap LFUDA
> cache_replacement_policy heap LFUDA
> logformat CustomLog %>a %ui %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" "%{Cookie}>h" %Ss:%Sh
> access_log /opt/squid-2.6.16/var/logs/custom.log CustomLog
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_effective_user www
> cache_effective_group www
> visible_hostname squid.domain.com
> 
> 
> 
> Regards,
> 
> Russell


-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
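
The reply above asks for cache_peer_access with ACLs, while the rule posted at the top of the thread uses "allow all". The fragment below is an added example, not from either poster and not confirmed in the thread as the fix: it shows one way to scope an accelerator so that only requests for the hosted sites are accepted and cache misses can only go to the configured peer. www.example.com is a placeholder for the real virtual-host names, 10.x.x.11 is the elided address from the post, and the never_direct line is an assumption about what this setup needs.

```conf
# Added example. Replace www.example.com with the hosted virtual-host names.

# Accept only requests whose host is one of the accelerated sites, so the
# accelerator does not act on arbitrary Host: values sent by clients.
# Keep the existing manager/purge rules above these lines; "deny all" goes last.
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all

# Accelerator port; vhost keeps the client's Host: header for the origin.
http_port 80 accel defaultsite=www.example.com vhost

# The load balancer in front of the web server pool, as in the posted config.
cache_peer 10.x.x.11 parent 80 0 no-query originserver

# Send misses for the hosted sites to that peer and nothing else.
cache_peer_access 10.x.x.11 allow our_sites
cache_peer_access 10.x.x.11 deny all

# Assumption: forbid direct forwarding, so a miss is never sent to an
# address obtained by resolving the requested host name in DNS.
never_direct allow all
```

With direct forwarding forbidden, a request that cannot be sent to the peer fails with an error instead of leaving through the public address, which makes a routing mistake visible in access_log.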

