Re: Reverce proxy setup with neighboor support

Amos Jeffries <squid3@xxxxxxxxxxxxx> · Thu, 17 Dec 2009 10:00:50 +1300

On Wed, 16 Dec 2009 11:50:26 +0000, "Nikolaos Pavlidis"
<Nikolaos.Pavlidis@xxxxxxxxxx> wrote:
> Hello all,
> 
> I figured the easiest way to describe what I am trying to do is to...
> draw it. First of all pardon my ignorance since I am relatively new to
> squid. Any help will be much appreciated.
> 
> 
> The Problem:
> 
> Dec  9 17:42:35 cache2 squid[27234]: WARNING: Forwarding loop detected
> for: Client: <cache1_IP> http_port: <cache2_IP>:3128 GET
> internal://site1.domain.com/squid-internal-dynamic/netdb HTTP/1.0  Via:
> 1.0 site1.domain.com:80 (squid)  X-Forwarded-For: unknown  Host:
> <cache2_IP>:3128  Cache-Control: max-age=259200  Connection:
> keep-alive   
> 
> 
> 
> 
> Reverse proxy Setup:
> 
> 		O F5 load balanced vhost 
> 		|  (DNS A name resolving site1.domain.com
> 		|			 site2.domain.com
> 		|			 site3.domain.com etc.)
> 		|
> 	|---------------|
> 	|		|
> 	|		|
> cache1	O---------------O cache2
> 		|
> 		|
> 		|
> 		|
> 	O---------------O--------------O
> 	web1		web2		web3
> 	site1		site3		site4
> 	site2				site5
> 
> Desired path:
> 1. Request for site1
> 2. F5 load balances request to cache1
> 3. cache1 checks own cache
> 4. if NO-HIT check cache2
> 5. else go directly to web1
> 

Excellent. This is a basic reverse-proxy with virtual hosting.

The error you mentioned earlier indicates:

 1. Request for site1
 2. F5 load balances request to cache1
 3. cache1: checks own cache
 4. cache1: if NO-HIT check cache2
 5. cache2: if NO-HIT check cache1
 6. cache1: if NO-HIT check cache2 ... FAIL!!
 ...

> Server:
> 64bit SLES 11
> 
> Configuration file (what I have done so far):
> 
> # NETWORK OPTIONS
> #
>
-----------------------------------------------------------------------------
> http_port 80 accel defaultsite=site1.domain.com vhost
> http_port 3128 accel defaultsite=site1.domain.com vhost

There should be no need for port 3128 to be reverse-proxy as well.
Dedicate that or another port to proxy-proxy communications.

> visible_hostname site1.domain.com
> offline_mode off
> 
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> #
>
-----------------------------------------------------------------------------
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> 
> # OPTIONS WHICH AFFECT THE CACHE SIZE
> #
>
-----------------------------------------------------------------------------
> cache_mem 512 MB
> maximum_object_size 32 KB
> maximum_object_size_in_memory 64 Kb
> 
> # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> #
>
-----------------------------------------------------------------------------
> cache_dir aufs /var/cache/squid 61440 16 256
> emulate_httpd_log on
> logfile_rotate 100
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access.log combined
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> debug_options ALL,1,33,3,20,3
> 
> # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> #
>
-----------------------------------------------------------------------------
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> 
> # OPTIONS FOR TUNING THE CACHE
> #
>
-----------------------------------------------------------------------------
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i \.css        1440    50%     2880 override-expire
> refresh_pattern -i \.swf        1440    50%     2880 ignore-reload
> override-expire
> refresh_pattern .               1440    50%     4320 override-expire
> 
> # ACCESS CONTROLS
> #
>
-----------------------------------------------------------------------------
> 
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http 
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> upgrade_http0.9 deny shoutcast
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> 

Part 1 of the problem:

You are running a reverse-proxy. All of these initial http_access rules
are forward-proxy security restrictions. In the case of the "allow all" its
attempting to bypass the regular forward-proxy config by turning it into an
open proxy instead.

The reverse proxy config (your "UNIVERSITY SERVICES ENTRIES" settings)
need to be set right here above the forward-proxy config.

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow all

With the reverse-proxy config in the right place you can turn the basic
security back on by changing that above line to "deny all"

> http_reply_access allow all
> 
> icp_access allow all
> 
> ##########################################
> ###### UNIVERSITY SERVICES ENTRIES  ######
> ##########################################
> 
> cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
> cache_peer <cache2_IP> parent 3128 3130 proxy-only default

Part 2 of the problem:
 The above config indicates that cache2 is the primary web server (on port
3128) with web1 as a backup source.

I believe your setup needs cache1 and cache2 in a sibling relationship as
'alternative' backup sources of data to each other. Siblings are checked
before parents but a failure at sibling is not fatal to locating the file.

Also requests received in port 3128 (ie from a sibling) should be denied
forwarding to the sibling.

> acl sites_web1 dstdomain site1.domain.com site2.domain.com
> http_access allow sites_web1
> cache_peer_access web1 allow sites_web1
> cache_peer_access web1 deny all
> 
> # ADMINISTRATIVE PARAMETERS
> #
>
-----------------------------------------------------------------------------
> 
> shutdown_lifetime 3 second
> httpd_suppress_version_string on
> cache_mgr cachemgr@xxxxxxxxxx
> 
> # ICP OPTIONS
> #
>
-----------------------------------------------------------------------------
> 
> log_icp_queries on
> 
> # MISCELLANEOUS
> #
>
-----------------------------------------------------------------------------
> 
> memory_pools_limit 1024 MB
> 
> # DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
> #
>
-----------------------------------------------------------------------------
> 
> coredump_dir /var/spool/squid
> 
> -------------------------EO Configuration file -------------------------
> 
> Any comments on the configuration would be much appreciated. Thank you
> in advance. 
> 
> Kind regards,
> 
> Nik