f010f@xxxxxxx wrote:
Hi all,
I hope you guys can help me as I am still confuse on how squid
configuration works.
I hosted 3 domains in one server which IP addr is 10.0.0.80.
Basically, I am trying to do reverse proxy and virtual host scenario:
If people browse public.company.com
then it goes to 10.0.0.80 port 80
If people browse private.company.com
then it goes to to 10.0.0.80 port 91
If people browse www.company.com
then it goes to 10.0.0.80 port 80
except people from 192.168.1.0/24 which take them to 10.0.0.80 port 91
I still can not do the scenario above. Can you guys help me with my
squid.conf please where do I do wrong?
Here is my squid.conf and I am using squid-3.1.0.13
http_port 80 accel defaultsite=www.company.com vhost
cache_peer 10.0.0.80 port 80 0 no-query originserver name=pubAccel
cache_peer 10.0.0.80 port 91 0 no-query originserver name=prvAccel
acl pub_sites dstdomain public.company.com
acl prv_sites dstdomain private.company.com
acl www_sites dstdomain www.company.com
acl internal src 192.168.1.0/24
http_access allow pub_sites
http_access allow prv_sites
http_access allow www_sites
cache_peer_access pubAccel allow pub_sites
cache_peer_access pubAccel deny all
cache_peer_access prvAccel allow prv_sites
cache_peer_access prvAccel deny all
You have already specified "deny all" for both prvAccel and pubAccel.
The following lines will never be tested.
cache_peer_access pubAccel allow pub_sites
cache_peer_access prvAccel allow internal
cache_peer_access pubAccel deny all
For them to work they need to be placed above the respective "deny all"
lines and matching your access requirements.
For example:
# If people browse public.company.com ...
cache_peer_access pubAccel allow pub_sites !internal
# If people browse www.company.com ... except people from internal
cache_peer_access pubAccel allow www_sites !internal
# nobody else
cache_peer_access pubAccel deny all
# If people browse private.company.com ...
cache_peer_access prvAccel allow prv_sites
# If people browse www.company.com ... from internal
cache_peer_access pubAccel allow internal www_sites
# nobody else
cache_peer_access prvAccel deny all
One thing I would suggest: also preventing private.* to be accessed from
outside the company.
Which changes the first prvAccel rule to:
cache_peer_access prvAccel allow internal prv_sites
# Below standard configuration from Squid 3.1.0.13
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_port 3128
For only a reverse proxy you do not need the standard configuration above.
Simply do:
http_access deny all
hierarchy_stoplist cgi-bin ?
coredump_dir /usr/local/squid/var/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# End squid.conf
Thanks in advance for your help
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
