Re: Reverse Proxy, multiple web servers, only one is reachable

Joaquín Puga wrote:
Hi there.

Currently we are running squid 2.5.STABLE3 under RHEL3. However, this
week our ssl certificate will expire and the new certificate is a
chained certificate, which is not supported by that version of squid.
Also it is an old server in need of an upgrade, so we are trying to
configure squid 2.6.STABLE21 (running under RHEL 5.3) as a reverse
proxy, but after reading the documentation, the FAQ and many emails
from the email lists we still can't figure out what we are doing
wrong.

- We have 4 web sites with public IPs x.y.z.47, x.y.z.48, x.y.z.49 and
x.y.z.50.
Each web site is hosted on a different server with IPs x.y.z.247,
x.y.z.248, x.y.z.249 and x.y.z.250 (x.y.z.47 goes to x.y.z.247, etc.)
Our DNS server runs on the same box as squid.

- x.y.z.48 is using ssl connections.

- With the current configuration www.mywebsite.ca and
www1.mywebsite.ca work, but when trying to go to the other websites we
get to www.mywebsite.ca instead.

If we remove the # from the cache_peer_domain lines then the only
website accessible is www1.mywebsite.ca. The other websites time out
and we get this error message:

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.mywebsite.ca/

The following error was encountered:

    * Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any
parent caches. The most likely cause for this error is that:

    * The cache administrator does not allow this cache to make direct
connections to origin servers, and
    * All configured parent caches are currently unreachable.

Your cache administrator is root.
Generated Tue, 19 May 2009 17:16:35 GMT by www1.mywebsite.ca
(squid/2.6.STABLE21)

- It's our understanding that squid uses /etc/squid/hosts to have the
hostnames redefined and to get traffic to the backend servers.

Hostnames, yes.  But not cache_peer names.

So if the client requests www.mywebsite.ca, whose DNS record is
x.y.z.47, squid uses the hosts file to resolve www.mywebsite to
x.y.z.247. Is this correct?

If you have an entry like...

cache_peer www.mywebsite parent 80 0 no-query originserver

...then yes, the host file would be used. But you are using the IP in your cache_peer lines. There is nothing to resolve.

- We also want to avoid people connecting to the websites using any
IPs (either x.y.z.47, .48, etc. or x.y.z.247, .248, etc.)

Then firewall off the origin servers so they can't be accessed directly, and set up ACLs that prevent using IP addresses in the URL.


Below you can find the configuration files. Please let me know if you
need more information. I'd really appreciate if you could point me in
the right direction.

#Squid.conf [version 2.5.STABLE3]:
#-----------------------------------------------------
http_port 80
https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1
icp_port 0
cache_dir null /tmp
acl all_no_cache src 0/0
no_cache deny all_no_cache
#Path to the host file hosts_file /etc/squid/hosts
httpd_accel_host virtual
httpd_accel_uses_host_header on
visible_hostname www1.mywebsite.ca
acl all src 0.0.0.0/0.0.0.0
acl mynet src x.y.z.0/255.255.255.0
http_access allow all
http_access allow mynet
http_access deny all


#squid.conf version 2.6.STABLE21
#-------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
acl mynet src x.y.z.0/255.255.255.0
http_access allow all
http_access allow mynet
http_access allow localhost
http_access deny all
icp_access allow all

http_port 80 accel vhost
https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1 accel vhost

cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver name=www_mywebsite

You should probably add "forceddomain=www.mywebsite.ca".

cache_peer x.y.z.248 parent 80 0 no-query no-digest originserver name=www1_mywebsite

Same for the other cache_peers.  Define the forceddomain.

cache_peer x.y.z.249 parent 80 0 no-query no-digest originserver name=www_mywebsiteusa
cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver name=webmail

#cache_peer_domain www_mywebsite www.mywebsite.ca
#cache_peer_domain www1_mywebsite www1.mywebsite.ca
#cache_peer_domain www_mywebsiteusa www.mywebsiteusa.com
#cache_peer_domain webmail web.mywebsite.ca

Since you have a separate front end IP per back end server...

acl www_mywebsite_ip myip x.y.z.47
acl www1_mywebsite_ip myip x.y.z.48
acl www_mywebsiteusa_ip myip x.y.z.49
acl webmail_ip myip x.y.z.50

# cache_peer_access takes the peer name first, then allow|deny and an ACL list;
# an access line with no ACL is skipped, so the deny rules name "all" explicitly.
cache_peer_access www_mywebsite allow www_mywebsite_ip
cache_peer_access www_mywebsite deny all
cache_peer_access www1_mywebsite allow www1_mywebsite_ip
cache_peer_access www1_mywebsite deny all
cache_peer_access www_mywebsiteusa allow www_mywebsiteusa_ip
cache_peer_access www_mywebsiteusa deny all
cache_peer_access webmail allow webmail_ip
cache_peer_access webmail deny all

#acl acl_www_mywebsite dstdomain www.mywebsite.ca
#acl acl_www1_mywebsite dstdomain www1.mywebsite.ca
#acl acl_www_mywebsiteusa dstdomain www.mywebsiteusa.com
#acl acl_webmail dstdomain webmail.mywebsite.ca

hierarchy_stoplist cgi-bin ?
cache_dir null /tmp
access_log /var/log/squid/access.log squid

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

Dump these two lines, and add the following refresh_pattern instead...

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname www1.mywebsite.ca
hosts_file /etc/squid/hosts
coredump_dir /var/spool/squid

The hosts file is superfluous, and might be hindering your setup from working.

#/etc/squid/hosts
-----------------------------------------------------------
x.y.z.247	www.mywebsite.ca
x.y.z.248	www1.mywebsite.ca
x.y.z.249	www.mywebsiteusa.com
x.y.x.250 	webmail.mywebsite.ca

Thanks a lot.

Joaquin Puga.

Chris
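Pulling the advice in this reply together, the following is an added example of a complete squid 2.6 reverse-proxy configuration for the four sites; it is not from the original thread and has not been run against the poster's servers. It keeps the poster's placeholder IPs, host names and certificate paths, adds forceddomain= to every cache_peer, selects the peer from the front-end address the client connected to (myip), and replaces the poster's "http_access allow all" with an allow list of the four published host names, so a request whose Host header is an IP literal (x.y.z.47, x.y.z.247 and so on) matches nothing and is refused before any peer is chosen. The explicit "all" on the deny rules, "never_direct allow all" and the removal of hosts_file are editorial choices, not something the reply spells out.

```conf
# Added example: squid 2.6 reverse proxy for four sites, one origin each.
# Not from the original post; x.y.z.* addresses and *.mywebsite.* names
# are the poster's placeholders. https_port keeps the poster's options.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

# With "accel vhost" the request host is taken from the Host header, so
# dstdomain matches what the client asked for. Only the four published
# names are accepted; an IP literal or any other name is denied.
acl published_sites dstdomain www.mywebsite.ca www1.mywebsite.ca
acl published_sites dstdomain www.mywebsiteusa.com webmail.mywebsite.ca

http_access allow manager localhost
http_access deny manager
http_access allow published_sites
http_access deny all
icp_access deny all
icp_port 0

# Front-end listeners. All four public IPs are bound by the plain
# http_port; only x.y.z.48 terminates TLS.
http_port 80 accel vhost
https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1 accel vhost

# One origin per site, addressed by IP, so nothing is left to resolve and
# hosts_file is not needed. forceddomain= rewrites the Host header sent to
# the backend so each origin always sees its own name.
cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver name=www_mywebsite    forceddomain=www.mywebsite.ca
cache_peer x.y.z.248 parent 80 0 no-query no-digest originserver name=www1_mywebsite   forceddomain=www1.mywebsite.ca
cache_peer x.y.z.249 parent 80 0 no-query no-digest originserver name=www_mywebsiteusa forceddomain=www.mywebsiteusa.com
cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver name=webmail          forceddomain=webmail.mywebsite.ca

# Peer selection by the local (squid-side) address of the connection, as
# the reply suggests. Peer name comes first on cache_peer_access lines,
# and each deny names "all" explicitly so the line is not skipped.
acl www_mywebsite_ip    myip x.y.z.47
acl www1_mywebsite_ip   myip x.y.z.48
acl www_mywebsiteusa_ip myip x.y.z.49
acl webmail_ip          myip x.y.z.50

cache_peer_access www_mywebsite    allow www_mywebsite_ip
cache_peer_access www_mywebsite    deny  all
cache_peer_access www1_mywebsite   allow www1_mywebsite_ip
cache_peer_access www1_mywebsite   deny  all
cache_peer_access www_mywebsiteusa allow www_mywebsiteusa_ip
cache_peer_access www_mywebsiteusa deny  all
cache_peer_access webmail          allow webmail_ip
cache_peer_access webmail          deny  all

# Never contact an origin directly: every request must go through one of
# the peers above. A request that matches no peer then fails cleanly
# instead of squid resolving the public name and connecting to itself.
never_direct allow all

cache_dir null /tmp
access_log /var/log/squid/access.log squid
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname www1.mywebsite.ca
coredump_dir /var/spool/squid
```

To check it from outside, request each front-end IP with and without a matching Host header, for example curl -sI -H 'Host: www.mywebsiteusa.com' http://x.y.z.49/ should return the USA site's headers and log FIRST_UP_PARENT/x.y.z.249 in access.log, while curl -sI http://x.y.z.49/ (Host is the bare IP) should get a 403 from squid and log TCP_DENIED/403 with NONE/- as the hierarchy. This handles only the squid side of the "no access by IP" requirement; the origins at x.y.z.247-.250 still need a host firewall that accepts port 80 only from the squid box, as the reply says, or anyone who can reach them bypasses the proxy entirely.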

