
Re: Internet facing proxy

Simon Powell wrote:
OK - so just to clarify. I want authenticated requests from the outside world to hit my server at internal address of 172.30.0.18
So I add the following lines in to my conf file:-

http_port 8080 accel defaultsite=avupdate.domain.com   (as in 'proper' DNS name for site as far as outside world is concerned)

Then:-

cache_peer 172.30.0.18 parent 8080 0 no-query originserver name=myAccel   (for this is the internal IP of the webserver  - it should be the only site on it but I will add a vhost onto the first line if this is not the case).

Does this stack up?

Almost. ...

these bits are really important as this is the actual routing logic:

	acl myDomain dstdomain avupdate.domain.com
	http_access allow myDomain
	never_direct allow myDomain
	cache_peer_access myAccel allow myDomain
	cache_peer_access myAccel deny all


and DNS pointing at the Squid machine IP for public access

Amos

Cheers
Si

________________________________________
From: Amos Jeffries [squid3@xxxxxxxxxxxxx]
Sent: 04 December 2008 13:19
To: Simon Powell
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  Internet facing proxy

cabletastic wrote:
Greetings,
I have a setup I am close (but no cigar) to getting working. I would like an
Active Directory authenticated inbound proxy to pass authenticated requests
to our anti-virus subscription server internally. My setup 'works' to this
degree - I can connect to the proxy on the port I designated at
avtest.domain.com, it then prompts me for AD credentials and this works all
fine. However when it then goes to avupdate.domain.com it goes back out on
to the internet and loops back into the firewall to get to the address
(proxy and update server are obviously on same network....) despite the
proxy having an internal link and internal DNS to the update server. So -
what I actually want is that I connect over the net to the proxy,
authenticate with AD credentials and the server then acts as a true inbound
proxy and takes me to the internal address of the avupdate.domain.com server
instead of looping back out to get to it over an internet connection. I
could of course cheat and modify my firewall rule to only allow traffic from
said proxy's external address but I would really rather do this the correct
way.
Hope this makes sense as it does seem somewhat rambling!
Cheers
Si


Please read the documentation on correctly configuring "Reverse Proxy"
at http://wiki.squid-cache.org/SquidFaq/ReverseProxy
under "How do I set it up?"

With correctly configured cache_peer lines, DNS never becomes involved
and all requests go to the pre-configured internal servers just fine.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1



--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1
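
The routing rules discussed in this thread only work if every directive names a defined ACL and a defined peer, so a consistency check before reloading Squid is useful. The following is an added example, not part of the original messages or of Squid itself; `lint_accel` and the sample text are hypothetical, and the sketch assumes `all` is predefined and that names compare case-insensitively.

```python
# Constructed sample input, modelled on the directives discussed in this thread.
SAMPLE_CONF = """\
http_port 8080 accel defaultsite=avupdate.domain.com
cache_peer 172.30.0.18 parent 8080 0 no-query originserver name=myAccel
acl myDomain dstdomain avupdate.domain.com
http_access allow myDomain
never_direct allow myDomain
cache_peer_access myAccel allow myDomain
cache_peer_access myAccel deny all
"""

def lint_accel(conf):
    """Return a list of problems found in the reverse-proxy routing rules."""
    rules = [line.split("#")[0].split() for line in conf.splitlines()]
    rules = [r for r in rules if r]
    # Assumptions of this sketch: "all" is predefined, names compare case-insensitively.
    acls = {r[1].lower() for r in rules if r[0] == "acl" and len(r) > 1} | {"all"}
    # A peer is addressed by name=..., or by its hostname when name= is absent.
    peers = {next((o[5:] for o in r if o.startswith("name=")), r[1])
             for r in rules if r[0] == "cache_peer" and "originserver" in r}
    problems = []

    def check(directive, args):
        # args must be: allow|deny followed by one or more (optionally negated) ACL names
        if len(args) < 2 or args[0] not in ("allow", "deny"):
            problems.append(f"{directive}: expected allow|deny then ACL names")
            return
        for name in args[1:]:
            if name.lstrip("!").lower() not in acls:
                problems.append(f"{directive}: undefined ACL {name}")

    for r in rules:
        if r[0] in ("http_access", "never_direct"):
            check(r[0], r[1:])
        elif r[0] == "cache_peer_access":
            if len(r) < 2 or r[1] not in peers:
                problems.append(f"cache_peer_access: unknown peer {' '.join(r[1:2])}")
            else:
                check(f"cache_peer_access {r[1]}", r[2:])
    if not any(r[0] == "http_port" and "accel" in r for r in rules):
        problems.append("no http_port with the accel option")
    if not peers:
        problems.append("no cache_peer marked originserver")
    if not any(r[:2] == ["never_direct", "allow"] for r in rules):
        problems.append("no never_direct allow rule: requests may still be sent direct")
    return problems

if __name__ == "__main__":
    print(lint_accel(SAMPLE_CONF) or "routing rules look consistent")
```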
