Hi there.

Currently we are running squid 2.5.STABLE3 under RHEL3. However, this week our SSL certificate will expire and the new certificate is a chained certificate, which is not supported by that version of squid. Also it is an old server in need of an upgrade, so we are trying to configure squid 2.6.STABLE21 (running under RHEL 5.3) as a reverse proxy, but after reading the documentation, the FAQ and many emails from the email lists we still can't figure out what we are doing wrong.

- We have 4 web sites with public IPs x.y.z.47, x.y.z.48, x.y.z.49 and x.y.z.50. Each web site is hosted on a different server with IPs x.y.z.247, x.y.z.248, x.y.z.249 and x.y.z.250 (x.y.z.47 goes to x.y.z.247, etc.). Our DNS server runs on the same box as squid.

- x.y.z.48 is using SSL connections.

- With the current configuration www.mywebsite.ca and www1.mywebsite.ca work, but when trying to go to the other websites we get to www.mywebsite.ca instead. If we remove the # from the cache_peer_domain lines then the only website accessible is www1.mywebsite.ca. The other websites time out and we get this error message:

    ERROR
    The requested URL could not be retrieved

    While trying to retrieve the URL: http://www.mywebsite.ca/

    The following error was encountered:

      * Unable to forward this request at this time.

    This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

      * The cache administrator does not allow this cache to make direct connections to origin servers, and
      * All configured parent caches are currently unreachable.

    Your cache administrator is root.

    Generated Tue, 19 May 2009 17:16:35 GMT by www1.mywebsite.ca (squid/2.6.STABLE21)

- It's our understanding that squid uses /etc/squid/hosts to have the hostnames redefined and to get traffic to the backend servers. So if the client requests www.mywebsite.ca, whose DNS record is x.y.z.47, squid uses the hosts file to resolve www.mywebsite to x.y.z.247. Is this correct?

- We also want to avoid people connecting to the websites using any IPs (either x.y.z.47, .48, etc. or x.y.z.247, .248, etc.).

Below you can find the configuration files. Please let me know if you need more information. I'd really appreciate it if you could point me in the right direction.

#Squid.conf [version 2.5.STABLE3]:
#-----------------------------------------------------
http_port 80
https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1
icp_port 0
cache_dir null /tmp
acl all_no_cache src 0/0
no_cache deny all_no_cache
#Path to the host file
hosts_file /etc/squid/hosts
httpd_accel_host virtual
httpd_accel_uses_host_header on
visible_hostname www1.mywebsite.ca
acl all src 0.0.0.0/0.0.0.0
acl mynet src x.y.z.0/255.255.255.0
http_access allow all
http_access allow mynet
http_access deny all

#squid.conf version 2.6.STABLE21
#-------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
acl mynet src x.y.z.0/255.255.255.0
http_access allow all
http_access allow mynet
http_access allow localhost
http_access deny all
icp_access allow all
http_port 80 accel vhost
https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1 accel vhost
cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver name=www_mywebsite
cache_peer x.y.z.248 parent 80 0 no-query no-digest originserver name=www1_mywebsite
cache_peer x.y.z.249 parent 80 0 no-query no-digest originserver name=www_mywebsiteusa
cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver name=webmail
#cache_peer_domain www_mywebsite www.mywebsite.ca
#cache_peer_domain www1_mywebsite www1.mywebsite.ca
#cache_peer_domain www_mywebsiteusa www.mywebsiteusa.com
#cache_peer_domain webmail web.mywebsite.ca
#acl acl_www_mywebsite dstdomain www.mywebsite.ca
#acl acl_www1_mywebsite dstdomain www1.mywebsite.ca
#acl acl_www_mywebsiteusa dstdomain www.mywebsiteusa.com
#acl acl_webmail dstdomain webmail.mywebsite.ca
hierarchy_stoplist cgi-bin ?
cache_dir null /tmp
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname www1.mywebsite.ca
hosts_file /etc/squid/hosts
coredump_dir /var/spool/squid

#/etc/squid/hosts
#-----------------------------------------------------------
x.y.z.247 www.mywebsite.ca
x.y.z.248 www1.mywebsite.ca
x.y.z.249 www.mywebsiteusa.com
x.y.x.250 webmail.mywebsite.ca

Thanks a lot.

Joaquin Puga.
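
Added example, not part of the original post: a Python sketch that lints the squid 2.6 configuration and hosts file shown above for two things visible in them. It reports http_access rules placed after a rule on the "all" ACL (Squid stops at the first matching http_access rule, so later ones are never evaluated) and cache_peer_domain hostnames that are missing from the hosts file or listed there with a different address than the named peer. The sample input is constructed from the post with two of the cache_peer_domain lines uncommented; directives() and check() are names chosen here, and the hosts-file cross-check is a consistency check between the two files, not something Squid itself requires.

```python
# Constructed sample: directives copied from the post, cache_peer_domain uncommented.
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl mynet src x.y.z.0/255.255.255.0
http_access allow all
http_access allow mynet
http_access deny all
cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver name=www_mywebsite
cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver name=webmail
cache_peer_domain www_mywebsite www.mywebsite.ca
cache_peer_domain webmail web.mywebsite.ca
"""
HOSTS = """\
x.y.z.247 www.mywebsite.ca
x.y.x.250 webmail.mywebsite.ca
"""

def directives(text):
    """Yield the token list of every non-blank, non-comment line."""
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            yield tokens

def check(conf, hosts):
    """Return findings. Assumes the ACL named 'all' matches every client, as in the post."""
    findings, peers, catch_all = [], {}, None
    host_map = {name: ip for ip, *names in directives(hosts) for name in names}
    for d in directives(conf):
        if d[0] == "http_access":
            if catch_all:  # first match wins, so this rule is never evaluated
                findings.append(f"unreachable: {' '.join(d)} (after '{catch_all}')")
            elif d[1:] in (["allow", "all"], ["deny", "all"]):
                catch_all = " ".join(d)
        elif d[0] == "cache_peer":
            name = next((t[5:] for t in d if t.startswith("name=")), d[1])
            peers[name] = d[1]  # peer name -> backend address
        elif d[0] == "cache_peer_domain":
            for domain in d[2:]:
                if domain not in host_map:
                    findings.append(f"{domain}: not in hosts file")
                elif host_map[domain] != peers.get(d[1]):
                    findings.append(f"{domain}: hosts has {host_map[domain]}, "
                                    f"peer {d[1]} is {peers.get(d[1])}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SQUID_CONF, HOSTS)))
```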