> Hi there.
>
> Currently we are running squid 2.5.STABLE3 under RHEL3. However, this
> week our ssl certificate will expire and the new certificate is a
> chained certificate, which is not supported by that version of squid.
> Also it is an old server in need of an upgrade, so we are trying to
> configure squid 2.6.STABLE21 (running under RHEL 5.3) as a reverse
> proxy, but after reading the documentation, the FAQ and many emails
> from the email lists we still can't figure out what we are doing
> wrong.
>
> - We have 4 web sites with public IPs x.y.z.47, x.y.z.48, x.y.z.49 and
> x.y.z.50.
> Each web site is hosted on a different server with IPs x.y.z.247,
> x.y.z.248, x.y.z.249 and x.y.z.250 (x.y.z.47 goes to x.y.z.247, etc).
> Our DNS server runs on the same box as squid.
>
> - x.y.z.48 is using ssl connections.
>
> - With the current configuration www.mywebsite.ca and
> www1.mywebsite.ca work, but when trying to go to the other websites we
> get to www.mywebsite.ca instead.
>
> If we remove the # from the cache_peer_domain lines then the only
> website accessible is www1.mywebsite.ca. The other websites time out
> and we get this error message:
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: http://www.mywebsite.ca/
>
> The following error was encountered:
>
> * Unable to forward this request at this time.
>
> This request could not be forwarded to the origin server or to any
> parent caches. The most likely cause for this error is that:
>
> * The cache administrator does not allow this cache to make direct
> connections to origin servers, and
> * All configured parent caches are currently unreachable.
>
> Your cache administrator is root.
> Generated Tue, 19 May 2009 17:16:35 GMT by www1.mywebsite.ca
> (squid/2.6.STABLE21)
>
> - It's our understanding that squid uses /etc/squid/hosts to have the
> hostnames redefined and to get traffic to the backend servers.
> So if the client requests www.mywebsite.ca, whose DNS record is x.y.z.47,
> squid uses the hosts file to resolve www.mywebsite to x.y.z.247. Is
> this correct?

Not for reverse proxies. The destination is solely dependent on the 'address/host' value in cache_peer. If it's an IP, that is used. If it's a FQDN then DNS is checked on startup/reconfigure. Hosts file overrides DNS.

Your attempted squid.conf using IPs (x.y.z.247 etc) is the best way to go.

> - We also want to avoid people connecting to the websites using any
> IPs (either x.y.z.47, .48, etc or x.y.z.247, .248, etc)

See notes inline with your 2.6 config.

> Below you can find the configuration files. Please let me know if you
> need more information. I'd really appreciate it if you could point me in
> the right direction.
>
> #Squid.conf [version 2.5.STABLE3]:
> #-----------------------------------------------------
> http_port 80
> https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem
> key=/etc/squid/certs/ww1key.pem version=1
> icp_port 0
> cache_dir null /tmp
> acl all_no_cache src 0/0
> no_cache deny all_no_cache
> #Path to the host file hosts_file /etc/squid/hosts
> httpd_accel_host virtual
> httpd_accel_uses_host_header on
> visible_hostname www1.mywebsite.ca
> acl all src 0.0.0.0/0.0.0.0
> acl mynet src x.y.z.0/255.255.255.0
> http_access allow all
> http_access allow mynet
> http_access deny all
>
>
> #squid.conf version 2.6.STABLE21
> #-------------------------------------------------
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> acl mynet src x.y.z.0/255.255.255.0
> http_access allow all
> http_access allow mynet
> http_access allow localhost
> http_access deny all
> icp_access allow all

Kill all of the above http_access and icp_access. It's not needed and prevents Squid from halting bad requests early in the process.
> http_port 80 accel vhost
> https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem
> key=/etc/squid/certs/ww1key.pem version=1 accel vhost

Correct.

> cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver
> name=www_mywebsite
> cache_peer x.y.z.248 parent 80 0 no-query no-digest originserver
> name=www1_mywebsite
> cache_peer x.y.z.249 parent 80 0 no-query no-digest originserver
> name=www_mywebsiteusa
> cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver
> name=webmail

Correct.

Here is where things go askew slightly. You need some controls to branch the requests to the right peer based on the domain wanted.

> #cache_peer_domain www_mywebsite www.mywebsite.ca
> #cache_peer_domain www1_mywebsite www1.mywebsite.ca
> #cache_peer_domain www_mywebsiteusa www.mywebsiteusa.com
> #cache_peer_domain webmail web.mywebsite.ca

They should work. It's the crude hammer way to do it, but simple when you don't have sub-domain clauses (i.e. *.mywebsite.ca EXCEPT www1.mywebsite.ca and webmail.mywebsite.ca). If you only want www.mywebsite.ca, www1.mywebsite.ca, webmail.mywebsite.ca then these will work for you.

Finer control can be gained using ACLs (as you defined below):

> #acl acl_www_mywebsite dstdomain www.mywebsite.ca
> #acl acl_www1_mywebsite dstdomain www1.mywebsite.ca
> #acl acl_www_mywebsiteusa dstdomain www.mywebsiteusa.com
> #acl acl_webmail dstdomain webmail.mywebsite.ca

But these only define the ACL lists; they still need to be used:

  cache_peer_access www_mywebsite allow acl_www_mywebsite
  cache_peer_access www_mywebsite deny all
  http_access allow acl_www_mywebsite
  ... repeat for each peer.
  ... finish with:
  http_access deny all

> cache_dir null /tmp

Make sure you have as much RAM as possible and set cache_mem to as big a value as you can without causing swapping under peak loads.
<snip remainder>

> #/etc/squid/hosts
> -----------------------------------------------------------
> x.y.z.247 www.mywebsite.ca
> x.y.z.248 www1.mywebsite.ca
> x.y.z.249 www.mywebsiteusa.com
> x.y.x.250 webmail.mywebsite.ca
>
> Thanks a lot.
>
> Joaquin Puga.

HTH
Amos
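Amos's notes above, written out as one complete access-control section for all four peers. This is an added example, not config posted in the thread; the peer names, ACL names and addresses are the ones Joaquin used, and the ordering of the rules is an assumption on my part.

```conf
# Reverse-proxy listeners (unchanged from the 2.6 config in the thread)
http_port 80 accel vhost
https_port x.y.z.48:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1 accel vhost

# One origin-server peer per site; the IP in cache_peer is what Squid
# connects to, so /etc/squid/hosts plays no part in routing.
cache_peer x.y.z.247 parent 80 0 no-query no-digest originserver name=www_mywebsite
cache_peer x.y.z.248 parent 80 0 no-query no-digest originserver name=www1_mywebsite
cache_peer x.y.z.249 parent 80 0 no-query no-digest originserver name=www_mywebsiteusa
cache_peer x.y.z.250 parent 80 0 no-query no-digest originserver name=webmail

# One dstdomain ACL per public hostname (the Host header the client sent,
# which 'accel vhost' makes Squid use). Hostnames as in the dstdomain ACLs
# posted above; webmail.mywebsite.ca, not web.mywebsite.ca.
acl all src 0.0.0.0/0.0.0.0
acl acl_www_mywebsite    dstdomain www.mywebsite.ca
acl acl_www1_mywebsite   dstdomain www1.mywebsite.ca
acl acl_www_mywebsiteusa dstdomain www.mywebsiteusa.com
acl acl_webmail          dstdomain webmail.mywebsite.ca

# Route each hostname to exactly one peer; every other request is refused
# by that peer, so a request can never "fall through" to the wrong site.
cache_peer_access www_mywebsite    allow acl_www_mywebsite
cache_peer_access www_mywebsite    deny  all
cache_peer_access www1_mywebsite   allow acl_www1_mywebsite
cache_peer_access www1_mywebsite   deny  all
cache_peer_access www_mywebsiteusa allow acl_www_mywebsiteusa
cache_peer_access www_mywebsiteusa deny  all
cache_peer_access webmail          allow acl_webmail
cache_peer_access webmail          deny  all

# Only the four hostnames are served. A request whose Host header is a bare
# IP (x.y.z.47, x.y.z.247, ...) or any other name matches none of the
# dstdomain ACLs and is rejected here, before any peer is contacted; this
# is what covers the "no access by IP" requirement.
http_access allow acl_www_mywebsite
http_access allow acl_www1_mywebsite
http_access allow acl_www_mywebsiteusa
http_access allow acl_webmail
http_access deny all
```

Since the deny-all rule is what blocks IP-based access, keep it last and do not reintroduce the earlier `http_access allow all`, which would make every rule before it irrelevant.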