> I didn't have the cache_peer_access directive in my squid.conf. At this
> moment the cache_peer entries are as follows:
>
> cache_peer 10.x.x.11 parent 80 0 no-query originserver
> cache_peer_access 10.x.x.11 allow all
>
> I am still seeing the same issue of the connection going to the Virtual
> Host instead of to the origin server.

You still need an explicit redirection ACL to prevent DNS lookups.

acl hostedDomain dstdomain example.com
cache_peer_access 10.x.x.11 allow hostedDomain
never_direct deny hostedDomain

Amos

>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Saturday, March 01, 2008 4:36 AM
> To: Russ Gnann
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Reverse proxy setup with squid 2.6+
>
> Russ Gnann wrote:
>> We are currently looking to upgrade our squid servers from 2.5 to 2.6 or
>> higher. In our current configuration, we send requests to the origin
>> servers to a single IP address that points to a load balancer which is
>> associated with a pool of web servers. In 2.5, this is easy to do with
>> the httpd_accel_* directives, but in 2.6 I know that those directives
>> have been replaced by the http_port directive with accel, vhost, vport,
>> etc. options. I have supplied the squid.conf we are attempting to use
>> below with a build of 2.6. With this configuration, it appears that any
>> connection attempt that doesn't get a cache hit resolves the virtual
>> host, and makes an HTTP connection to that resolved public IP instead
>> of sending the request to the internal 10.x.x.11 address.
>>
>> Is there a way under squid 2.6 and higher to force any request that
>> doesn't make a cache hit to a single backend IP address? The vhost
>> option is necessary with http_port since the Host: header must contain
>> the Virtual Host name as our web servers use that data to determine
>> which site to serve.
>>
>
> You require a cache_peer directive and a cache_peer_access with ACLs.
> Those will direct cache-misses to the actual source you configure
> without doing the DNS lookups.
>
> Amos
>
>>
>> squid build:
>> # /opt/squid-2.6.16/sbin/squid -v
>> Squid Cache: Version 2.6.STABLE16
>> configure options: '--prefix=/opt/squid-2.6.16' '--enable-async-io'
>> '--enable-snmp' '--enable-removal-policies=heap' '--enable-referer-log'
>> '--enable-useragent-log'
>>
>> ----- squid.conf -----
>> acl snmppublic snmp_community local-squid-ro
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl local_network src 172.16.0.0/16 10.0.0.0/8
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> acl web_ports port 80
>> http_access allow web_ports
>> http_access allow manager localhost
>> http_access allow manager local_network
>> http_access deny manager
>> acl purge method PURGE
>> http_access allow purge localhost
>> http_access allow purge local_network
>> http_access deny purge
>> http_access allow all
>> icp_access allow all
>> http_port 80 accel defaultsite=10.x.x.11 vhost
>> cache_peer 10.x.x.11 parent 80 0 no-query originserver
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> memory_replacement_policy heap LFUDA
>> cache_replacement_policy heap LFUDA
>> logformat CustomLog %>a %ui %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru
>> HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" "%{Cookie}>h"
>> %Ss:%Sh
>> access_log /opt/squid-2.6.16/var/logs/custom.log CustomLog
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> cache_effective_user www
>> cache_effective_group www
>> visible_hostname squid.domain.com
>>
>>
>>
>> Regards,
>>
>> Russell
>
>
> --
> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
> There are serious security advisories out on all earlier releases.
>
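
One way to confirm the symptom discussed in this thread (cache misses going to the resolved virtual host instead of the configured peer) from the CustomLog format in the quoted squid.conf. This is an added example, not part of the original messages. The log lines are constructed, and it assumes %ru logs the full URL and that misses routed through the peer carry a parent hierarchy code such as FIRST_UP_PARENT.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Head of the thread's CustomLog format:
#   %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
HEAD = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+) '
)

def parse(line):
    """Parse one CustomLog line; return None if it does not fit the format."""
    m = HEAD.match(line)
    # %Ss:%Sh is the last token. Take it from the right so spaces or lookalike
    # text inside the Referer/User-Agent/Cookie fields cannot shift it.
    tail = line.rstrip().rsplit(" ", 1)[-1]
    if not m or ":" not in tail:
        return None
    rec = m.groupdict()
    rec["squid_status"], rec["hierarchy"] = tail.split(":", 1)
    rec["host"] = urlsplit(rec["url"]).hostname or "-"
    return rec

def direct_fetches(lines):
    """Count, per requested host, requests Squid fetched DIRECT, not via a peer."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["hierarchy"] == "DIRECT":
            hits[rec["host"]] += 1
    return hits

# Constructed sample lines (addresses and hosts are documentation values).
PRE = '198.51.100.7 - - [01/Mar/2008:04:36:00 +0000] '
SAMPLE = [
    PRE + '"GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U)" "sid=abc; t=a b" TCP_MISS:DIRECT',
    PRE + '"GET http://www.example.com/logo.png HTTP/1.1" 200 900 "http://www.example.com/" "Mozilla/5.0" "-" TCP_HIT:NONE',
    PRE + '"GET http://www.example.com/news HTTP/1.0" 200 3000 "-" "curl/7.16" "-" TCP_MISS:FIRST_UP_PARENT',
    PRE + '"GET http://static.example.com/a.css HTTP/1.1" 200 700 "-" "Mozilla/5.0" "seen=TCP_MISS:DIRECT x" TCP_MISS:DEFAULT_PARENT',
    PRE + '"GET http://www.example.com/about HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-" TCP_MISS:DIRECT',
]

if __name__ == "__main__":
    for host, n in direct_fetches(SAMPLE).most_common():
        print(f"{host}: {n} request(s) fetched DIRECT instead of via the peer")
```

If hosted domains still appear in this output after the peer access rules are changed, misses are still bypassing the 10.x.x.11 peer.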