Hello all,

Many thanks for the responses so far, I gave it a go without much success unfortunately.

The errors:

2009/12/17 15:20:00| icmpSend: send: (111) Connection refused
2009/12/17 15:20:00| Closing Pinger socket on FD 18
2009/12/17 15:20:02| WARNING: Forwarding loop detected for:
Client: <cache1_IP> http_port: <cache2_IP>:80

On Thu, 2009-12-17 at 10:00 +1300, Amos Jeffries wrote:
> On Wed, 16 Dec 2009 11:50:26 +0000, "Nikolaos Pavlidis"
> <Nikolaos.Pavlidis@xxxxxxxxxx> wrote:
> > Hello all,
> >
> > I figured the easiest way to describe what I am trying to do is to...
> > draw it. First of all pardon my ignorance since I am relatively new to
> > squid. Any help will be much appreciated.
> >
> >
> > The Problem:
> >
> > Dec 9 17:42:35 cache2 squid[27234]: WARNING: Forwarding loop detected
> > for: Client: <cache1_IP> http_port: <cache2_IP>:3128 GET
> > internal://site1.domain.com/squid-internal-dynamic/netdb HTTP/1.0 Via:
> > 1.0 site1.domain.com:80 (squid) X-Forwarded-For: unknown Host:
> > <cache2_IP>:3128 Cache-Control: max-age=259200 Connection:
> > keep-alive
> >
> >
> > Reverse proxy Setup:
> >
> >                 O  F5 load balanced vhost
> >                 |  (DNS A name resolving site1.domain.com
> >                 |                        site2.domain.com
> >                 |                        site3.domain.com etc.)
> >                 |
> >         |---------------|
> >         |               |
> >         |               |
> > cache1  O---------------O  cache2
> >         |
> >         |
> >         |
> >         |
> >   O---------------O--------------O
> >  web1           web2           web3
> >  site1          site3          site4
> >  site2                         site5
> >
> > Desired path:
> > 1. Request for site1
> > 2. F5 load balances request to cache1
> > 3. cache1 checks own cache
> > 4. if NO-HIT check cache2
> > 5. else go directly to web1
> >
>
> Excellent. This is a basic reverse-proxy with virtual hosting.
>
> The error you mentioned earlier indicates:
>
> 1. Request for site1
> 2. F5 load balances request to cache1
> 3. cache1: checks own cache
> 4. cache1: if NO-HIT check cache2
> 5. cache2: if NO-HIT check cache1
> 6. cache1: if NO-HIT check cache2 ... FAIL!!
> ...
>
> >
> > Server:
> > 64bit SLES 11
> >
> > Configuration file (what I have done so far):
> >
> > # NETWORK OPTIONS
> > #
> > -----------------------------------------------------------------------------
> > http_port 80 accel defaultsite=site1.domain.com vhost
> > http_port 3128 accel defaultsite=site1.domain.com vhost
>
> There should be no need for port 3128 to be reverse-proxy as well.
> Dedicate that or another port to proxy-proxy communications.
>

Totally right, removed the whole line "http_port 3128 accel defaultsite=site1.domain.com vhost"

> > visible_hostname site1.domain.com
> > offline_mode off
> >
> > # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> > #
> > -----------------------------------------------------------------------------
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > no_cache deny QUERY
> >
> > # OPTIONS WHICH AFFECT THE CACHE SIZE
> > #
> > -----------------------------------------------------------------------------
> > cache_mem 512 MB
> > maximum_object_size 32 KB
> > maximum_object_size_in_memory 64 Kb
> >
> > # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> > #
> > -----------------------------------------------------------------------------
> > cache_dir aufs /var/cache/squid 61440 16 256
> > emulate_httpd_log on
> > logfile_rotate 100
> > logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
> > "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> > access_log /var/log/squid/access.log combined
> > cache_log /var/log/squid/cache.log
> > cache_store_log /var/log/squid/store.log
> > debug_options ALL,1,33,3,20,3
> >
> > # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> > #
> > -----------------------------------------------------------------------------
> > auth_param basic children 10
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> > # OPTIONS FOR TUNING THE CACHE
> > #
> > -----------------------------------------------------------------------------
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i \.css 1440 50% 2880 override-expire
> > refresh_pattern -i \.swf 1440 50% 2880 ignore-reload
> > override-expire
> > refresh_pattern . 1440 50% 4320 override-expire
> >
> > # ACCESS CONTROLS
> > #
> > -----------------------------------------------------------------------------
> >
> > acl all src all
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443 563     # https, snews
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl purge method PURGE
> > acl CONNECT method CONNECT
> > acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> > upgrade_http0.9 deny shoutcast
> > acl apache rep_header Server ^Apache
> > broken_vary_encoding allow apache
> >
>
> Part 1 of the problem:
>
> You are running a reverse-proxy. All of these initial http_access rules
> are forward-proxy security restrictions. In the case of the "allow all" it's
> attempting to bypass the regular forward-proxy config by turning it into an
> open proxy instead.
>
> The reverse proxy config (your "UNIVERSITY SERVICES ENTRIES" settings)
> need to be set right here above the forward-proxy config.
>
> >
> > http_access allow manager localhost
> > http_access deny manager
> > http_access allow purge localhost
> > http_access deny purge
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access allow all
>
> With the reverse-proxy config in the right place you can turn the basic
> security back on by changing that above line to "deny all"
>
> > http_reply_access allow all
> >
> > icp_access allow all
> >
> > ##########################################
> > ###### UNIVERSITY SERVICES ENTRIES ######
> > ##########################################
> >
> > cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
> > cache_peer <cache2_IP> parent 3128 3130 proxy-only default
>
> Part 2 of the problem:
> The above config indicates that cache2 is the primary web server (on port
> 3128) with web1 as a backup source.
>
> I believe your setup needs cache1 and cache2 in a sibling relationship as
> 'alternative' backup sources of data to each other. Siblings are checked
> before parents but a failure at sibling is not fatal to locating the file.
>
> Also requests received in port 3128 (ie from a sibling) should be denied
> forwarding to the sibling.
>
> > acl sites_web1 dstdomain site1.domain.com site2.domain.com
> > http_access allow sites_web1
> > cache_peer_access web1 allow sites_web1
> > cache_peer_access web1 deny all

Ok I gave it a go, looks like that:

# reverse-proxy configuration
# -----------------------------------------------------------------------------
cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
# name=cache2 gives the sibling the peer name the cache_peer_access line below refers to
cache_peer <cache2_IP> sibling 80 3130 proxy-only name=cache2
# the acl must carry the name used in the http_access / cache_peer_access lines below
acl sites_web1 dstdomain site1.domain.com site2.domain.com
acl from_cache2 src <cache2_IP>
cache_peer_access cache2 deny from_cache2
http_access allow sites_web1
cache_peer_access web1 allow sites_web1
cache_peer_access web1 deny all

# forward-proxy security restrictions
# -----------------------------------------------------------------------------
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
acl cache2 src <cache2_IP>
icp_access allow cache2
icp_access deny all

> > # ADMINISTRATIVE PARAMETERS
> > #
> > -----------------------------------------------------------------------------
> >
> > shutdown_lifetime 3 second
> > httpd_suppress_version_string on
> > cache_mgr cachemgr@xxxxxxxxxx
> >
> > # ICP OPTIONS
> > #
> > -----------------------------------------------------------------------------
> >
> > log_icp_queries on
> >
> > # MISCELLANEOUS
> > #
> > -----------------------------------------------------------------------------
> >
> > memory_pools_limit 1024 MB
> >
> > # DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
> > #
> > -----------------------------------------------------------------------------
> >
> > coredump_dir /var/spool/squid
> >
> > -------------------------EO Configuration file -------------------------
> >
> > Any comments on the configuration would be much appreciated. Thank you
> > in advance.
> >
> > Kind regards,
> >
> > Nik

Many thanks in advance for all your help.

Kind regards,

Nik

--
Nikolaos Pavlidis BSc (Hons) MBCS NCLP CEH CHFI
Systems Administrator
University Of Bedfordshire
Park Square
LU1 3JU
Luton, Beds, UK
Tel: +441582489277 (Ext 2277)
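As an added illustration (not part of the thread, nor Squid's own code), the following Python models the check behind the "Forwarding loop detected" warning quoted above: it pulls the Via header out of the logged request, tests whether an earlier hop already announced this cache's own hostname:port, and scans cache.log lines for the warning. It assumes the posted config (visible_hostname site1.domain.com, http_port 80) runs on both caches; the loop check itself is a simplification of Squid's own string match on its Via token.

```python
import re

# Constructed sample: the cache.log line quoted at the top of the thread,
# with the thread's own <cache1_IP>/<cache2_IP> placeholders left in place.
LOG_LINE = ("Dec 9 17:42:35 cache2 squid[27234]: WARNING: Forwarding loop detected "
            "for: Client: <cache1_IP> http_port: <cache2_IP>:3128 GET "
            "internal://site1.domain.com/squid-internal-dynamic/netdb HTTP/1.0 "
            "Via: 1.0 site1.domain.com:80 (squid) X-Forwarded-For: unknown "
            "Host: <cache2_IP>:3128 Cache-Control: max-age=259200 Connection: keep-alive")

def parse_via(via: str) -> list[tuple[str, str, str]]:
    """Split an HTTP Via header into (protocol-version, received-by, comment) hops."""
    hops = []
    for elem in via.split(","):
        m = re.match(r"\s*(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$", elem)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3) or ""))
    return hops

def via_from_log(line: str) -> str:
    """Pull the Via value out of the flattened request dump Squid logs after the warning."""
    m = re.search(r"\bVia: (.*?)(?= [A-Za-z-]+: |$)", line)
    return m.group(1) if m else ""

def forwarding_loop(via: str, my_hostname: str, my_port: int) -> bool:
    """Simplified model of Squid's loop check (assumption: the real code does a
    string match on its own Via token): a loop is flagged when some earlier hop
    already announced this cache's hostname:port."""
    me = f"{my_hostname}:{my_port}"
    return any(received_by == me for _, received_by, _ in parse_via(via))

def loop_warnings(log_lines: list[str]) -> list[tuple[str, str]]:
    """Detection over cache.log: (client, Via) for each forwarding-loop warning."""
    found = []
    for line in log_lines:
        if "Forwarding loop detected" not in line:
            continue
        client = re.search(r"Client: (\S+)", line)
        found.append((client.group(1) if client else "?", via_from_log(line)))
    return found

if __name__ == "__main__":
    via = via_from_log(LOG_LINE)
    # Both caches in the thread use visible_hostname site1.domain.com on port 80,
    # so cache2 sees its own identity in a Via written by cache1 and flags a loop.
    print(via, forwarding_loop(via, "site1.domain.com", 80))   # True
    print(forwarding_loop(via, "cache2.domain.com", 80))        # False
```

For peers that must share a visible_hostname, Squid's unique_hostname directive gives each box a distinct Via identity so the loop check can tell them apart.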