-----Original Message-----
From: Amos Jeffries
Sent: Tue, Sep 15, 2009 8:45 pm
Subject: Re: Reverse proxy and virtual host question
f0...@xxxxxxx wrote:
> Hi all,
> I hope you guys can help me as I am still confused on how squid
> configuration works.
> I hosted 3 domains in one server whose IP address is 10.0.0.80.
> Basically, I am trying to do a reverse proxy and virtual host
> scenario:
> If people browse public.company.com
> then it goes to 10.0.0.80 port 80
> If people browse private.company.com
> then it goes to 10.0.0.80 port 91
> If people browse www.company.com
> then it goes to 10.0.0.80 port 80
> except people from 192.168.1.0/24, who are taken to 10.0.0.80 port 91
> I still cannot do the scenario above. Can you guys help me with my
> squid.conf please? Where did I go wrong?
> Here is my squid.conf and I am using squid-3.1.0.13
> http_port 80 accel defaultsite=www.company.com vhost
> cache_peer 10.0.0.80 parent 80 0 no-query originserver name=pubAccel
> cache_peer 10.0.0.80 parent 91 0 no-query originserver name=prvAccel
> acl pub_sites dstdomain public.company.com
> acl prv_sites dstdomain private.company.com
> acl www_sites dstdomain www.company.com
> acl internal src 192.168.1.0/24
> http_access allow pub_sites
> http_access allow prv_sites
> http_access allow www_sites
> cache_peer_access pubAccel allow pub_sites
> cache_peer_access pubAccel deny all
> cache_peer_access prvAccel allow prv_sites
> cache_peer_access prvAccel deny all
You have already specified "deny all" for both prvAccel and pubAccel.
The following lines will never be tested.
cache_peer_access pubAccel allow pub_sites
cache_peer_access prvAccel allow internal
cache_peer_access pubAccel deny all
For them to work they need to be placed above the respective "deny all"
lines and matching your access requirements.
For example:
# If people browse public.company.com ...
cache_peer_access pubAccel allow pub_sites !internal
# If people browse www.company.com ... except people from internal
cache_peer_access pubAccel allow www_sites !internal
# nobody else
cache_peer_access pubAccel deny all
# If people browse private.company.com ...
cache_peer_access prvAccel allow prv_sites
# If people browse www.company.com ... from internal
cache_peer_access prvAccel allow internal www_sites
# nobody else
cache_peer_access prvAccel deny all
One thing I would suggest: also prevent private.* from being accessed
from outside the company.
Which changes the first prvAccel rule to:
cache_peer_access prvAccel allow internal prv_sites
> # Below standard configuration from Squid 3.1.0.13
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_port 3128
For only a reverse proxy you do not need the standard configuration
above.
Simply do:
http_access deny all
> hierarchy_stoplist cgi-bin ?
> coredump_dir /usr/local/squid/var/cache
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> # End squid.conf
> Thanks in advance for your help
Amos
-- Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
-----End Message-----
Thank you so much for your time. I followed your instructions and it
worked.
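As an added illustration of the ordering point in Amos's reply (not code from the thread or from the Squid project): a small Python model of how cache_peer_access lines are evaluated, where the first matching line for a peer decides and later lines for that peer are dead, terms on one line are ANDed, and a leading "!" negates. The ACL table, the "all" ACL and the two rule sets (the poster's original order and the reordered one, with the www_sites-from-internal line read as a prvAccel rule) are constructed to mirror the squid.conf above; the evaluator is a simplified model, not Squid's own code.

```python
import ipaddress

# Constructed ACL table mirroring the thread's squid.conf (a model, not Squid's parser).
ACLS = {
    "pub_sites": ("dstdomain", {"public.company.com"}),
    "prv_sites": ("dstdomain", {"private.company.com"}),
    "www_sites": ("dstdomain", {"www.company.com"}),
    "internal": ("src", ipaddress.ip_network("192.168.1.0/24")),
    "all": ("src", ipaddress.ip_network("0.0.0.0/0")),
}

def acl_matches(term, host, client_ip):
    """One ACL term; a leading '!' negates it, as in squid.conf."""
    negate = term.startswith("!")
    kind, value = ACLS[term.lstrip("!")]
    hit = host.lower() in value if kind == "dstdomain" else ipaddress.ip_address(client_ip) in value
    return hit != negate

def allowed_peers(rules, host, client_ip):
    """Model of cache_peer_access: per peer, the first line whose ANDed terms all
    match decides allow/deny, and later lines for that peer are never tested."""
    decided = {}
    for line in rules.strip().splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        _, peer, action, *terms = fields
        if peer not in decided and all(acl_matches(t, host, client_ip) for t in terms):
            decided[peer] = action == "allow"
    return sorted(p for p, ok in decided.items() if ok)

# The poster's rules in the order shown in the thread: lines after "deny all" are dead.
ORIGINAL = """cache_peer_access pubAccel allow pub_sites
cache_peer_access pubAccel deny all
cache_peer_access prvAccel allow prv_sites
cache_peer_access prvAccel deny all
cache_peer_access pubAccel allow pub_sites
cache_peer_access prvAccel allow internal
cache_peer_access pubAccel deny all"""

# The reordered rules from the reply, with the "internal prv_sites" suggestion applied.
FIXED = """cache_peer_access pubAccel allow pub_sites !internal
cache_peer_access pubAccel allow www_sites !internal
cache_peer_access pubAccel deny all
cache_peer_access prvAccel allow internal prv_sites
cache_peer_access prvAccel allow internal www_sites
cache_peer_access prvAccel deny all"""
```

With ORIGINAL, a request for www.company.com from 192.168.1.7 reaches no peer at all; with FIXED it reaches prvAccel, and the same request from outside the LAN reaches pubAccel.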