Paul Dowman wrote:
Hi, I'm setting up squid to act as a web accelerator only, it will sit at www.mydomain.com and forward to several web servers (which are behind the firewall and not publicly accessible). As I understand it, the following config forwards ALL requests to one of the three cache_peer web servers, including a "Host:" HTTP header, and there's no need for using ACLs. Is that correct? Are there any security issues here? Thanks.

############
http_port 80 accel vhost
collapsed_forwarding on
acl all src 0/0
http_access allow all
cache_peer 10.x.x.1 parent 80 0 no-query originserver login=PASS round-robin
cache_peer 10.x.x.2 parent 80 0 no-query originserver login=PASS round-robin
cache_peer 10.x.x.3 parent 80 0 no-query originserver login=PASS round-robin
############
The ACLs seen in accelerator config are there to prevent an overload of bogus requests being flooded back to the web servers. I'd recommend listing the accelerated domains as per the FAQ example config.
There are broken client apps that don't send a Host: header. The "http_port ... defaultsite=" option is provided to fix up such breakage so the web servers always get a Host:. Without it the broken requests get through to the web servers.
Otherwise that should be fine for a pure reverse proxy.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.5
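A tightened version of the posted config along the lines of the reply above, written here as an added example rather than taken from the thread or the Squid FAQ; it assumes the public name is www.mydomain.com and keeps the poster's 10.x.x.N placeholders, and the origin1/origin2/origin3 peer names are my own choice.

```squid
# Added example config, not the one from the thread. Assumes the public
# site is www.mydomain.com; 10.x.x.1-3 are the poster's own placeholders.

# defaultsite= supplies a Host: header for clients that omit one, so the
# origin servers never receive a request without Host:.
http_port 80 accel defaultsite=www.mydomain.com vhost
collapsed_forwarding on

# Name each origin server so cache_peer_access can refer to it.
cache_peer 10.x.x.1 parent 80 0 no-query originserver login=PASS round-robin name=origin1
cache_peer 10.x.x.2 parent 80 0 no-query originserver login=PASS round-robin name=origin2
cache_peer 10.x.x.3 parent 80 0 no-query originserver login=PASS round-robin name=origin3

# Only requests for the accelerated domain are accepted; anything else is
# refused by squid instead of being forwarded to the origin servers.
acl all src 0/0
acl our_sites dstdomain www.mydomain.com
http_access allow our_sites
http_access deny all

# Second layer: even if http_access is loosened later, the peers still
# only ever see requests for our_sites.
cache_peer_access origin1 allow our_sites
cache_peer_access origin1 deny all
cache_peer_access origin2 allow our_sites
cache_peer_access origin2 deny all
cache_peer_access origin3 allow our_sites
cache_peer_access origin3 deny all
```

Requests for any other Host: value now get a squid access-denied page and are logged in access.log rather than reaching the internal web servers.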