Hi Ron thanks again for your reply
No I think you're a little confused here
I have one network at the moment and it is the 192.168.1.0
My Router and proxy are both on the same machine which is 192.168.1.4
My backend server is on 192.168.1.3
Two different machines but on the same network
However if I use this
http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 originserver name=whatever
But the problem is elsewhere because if I use
http_port 3128 vhost I can access my website both from inside my network and
from the internet
If I use
http_port 3128 without the vhost my network clients can access the
"Internet" but I can't access my websites (backend server)
This is the situation right now.
I hope this is slightly clearer
Regards
Adam
----- Original Message -----
From: "Ron Wheeler" <rwheeler@xxxxxxxxxxxxxxxxxxxxx>
To: "Adam@Gmail" <adbasque@xxxxxxxxxxxxxx>
Cc: <squid-users@xxxxxxxxxxxxxxx>
Sent: Sunday, March 28, 2010 10:21 PM
Subject: Re: Help with accelerated site
You seemed to have missed my note quoted below.
<quote>
I would suggest to stick with the accelerator and let your inside guys hit
your server on port 80.
1) Put your backend server back on port 80
http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 80 .... whatever I had in my config should be
fine once you change my 81 to 80. I needed to use 81 since I had both apache
and squid on the same machine. You do not have this problem.
</quote>
This presumes that your inside guys are on the 192.168.3.x network. They
do not need proxying to reach the 192.168.3.1 server since it is on the
same subnet. I assume that they do not need proxying to get outside since
your router probably handles that for them.
I am not sure how the outside world reaches the Squid proxy but I assume
that you have a NAT in the router that gets them from a public Internet
address on the router to the Squid server on port 80.
Do you really need proxying for your inside guys or are they perfectly
happy going out to the public Internet normally through your router and can
directly address the back-end server without Squid if the backend httpd is
on port 80?
The only case where you need to use port 81 is where squid and the httpd
server are on the same machine and you want port 80 to belong to squid and
squid needs to pass its requests to httpd on another port.
3128 is for proxying internal browsers on a non-routable network
192.168.x.x where you do not have a router that is NATing the inside guys
for you. Squid will handle the mapping of outgoing requests and responses
by giving the Internet a routable address. It requires that the inside
browsers be configured to use a proxy and not try to bang on port 80 but
use 3128 on the proxy for all requests.
It does not seem that you need this since your router likely does this for
you.
I suspect that you only have to change the 2 lines in the out-of-the-box
squid to get this going.
Ron
Adam@Gmail wrote:
Hi Again,
Well my local network can't access the Internet since I had to put the
vhost option on the http_port 3128
They can access my sites internally not a problem, but the problem is
they can no longer access the internet
I have kept the original config
The only thing I have changed was adding the acceleration mode for my
backend server (sites) and add the vhost option after
the http_port 3128
like this
http_port 3128 vhost
I hope that makes more sense
Regards
Adam
----- Original Message ----- From: "Ron Wheeler"
<rwheeler@xxxxxxxxxxxxxxxxxxxxx>
To: "Adam@Gmail" <adbasque@xxxxxxxxxxxxxx>; <squid-users@xxxxxxxxxxxxxxx>
Sent: Sunday, March 28, 2010 8:40 PM
Subject: Re: Help with accelerated site
Are you trying to build an accelerator for your site or a proxy?
Pick one and get it to work.
The config that I sent you is an accelerator.
I would suggest to stick with the accelerator and let your inside guys
hit your server on port 80.
1) Put your backend server back on port 80
http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 80 .... whatever I had in my config should
be fine once you change my 81 to 80. I needed to use 81 since I had
both apache and squid on the same machine. You do not have this problem.
This way your inside guys are still hitting your backend the old
fashioned way and your clients are coming through your front door with a
caching proxy.
Get rid of the acl stuff until you get it going and then decide how to
block people.
Check my acl settings but I do not recall doing anything to control
access.
KISS
Good luck
Ron
Adam@Gmail wrote:
Hi Amos,
Thanks for your time
At the moment my config is as follows; it's working as far as the
acceleration mode is concerned
http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
acl out_sites dstdomain www.mysite.org www.mysite.com
www.mysite.net
http_access allow our_sites
cache_peer_access main allow our_sites
cache_peer_access deny all
I can access my 3 websites from inside my network and from the
"Internet" no problems
apart for it being a little slower than before, but it's working
The problem I have right now is none of the clients can access the internet
The error as before "The requested URL could not be retrieved"
here is the other part of config
acl manager proto cache object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8.0.0.0/32
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl our_network 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
http_access allow our_network
http_access deny all
htcp_access allow localnet
htcp_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 vhost (note: if I remove the vhost I won't access my
websites; if I leave it I can't access the internet from my local
network)
No "Bind" error at this time
I hope that would help see if there's anything wrong with the
configuration
Regards
Adam
----- Original Message ----- From: "Amos Jeffries"
<squid3@xxxxxxxxxxxxx>
To: <squid-users@xxxxxxxxxxxxxxx>
Sent: Sunday, March 28, 2010 8:06 AM
Subject: Re: Help with accelerated site
Adam@Gmail wrote:
Hi Ron,
Thanks for your reply and thanks for your time
This is perhaps the 10th time I uninstalled it and reinstalled it
And this is the very first time I could access my websites
internally, externally nothing yet, I am still getting the error
This error:
The following error was encountered while trying to retrieve the URL:
/
... appearing in a reverse-proxy setup means Squid received a
reverse-proxy/accelerated request intended for a web server on a port
without "accel" flag configured.
Please read all my notes below right to the end of the email before
changing anything. I'm commenting on each fine detail and what it
means...
My clients can all access the internet, Yes I am sure that there's a
misconfiguration in my config file but I followed every tutorial
trying desperately to get something up, after a while you're
saturated and very tired, bouncing from one issue to another
... so, we need you to stop bouncing and concentrate on one issue at a
time. When we are satisfied that you are understanding that one move
on ...
I checked and triple checked my iptables rules everything looks fine
so far
For instance, my backend server is listening right now on port 81,
why did I put it on port 81 because I was getting
Cannot bind to .... in the log file
so I changed it to 81 and I am getting the same error, there's
absolutely nothing else in my entire network that is using that port
So why can't it bind to port 81? You see the type of things that can
drive you through the wall
at the moment I have only three machines
A is Running the Proxy and the Router (IPTABLES)
B is the back end server
C is the DNS/DHCP servers
And only the backend server that is currently listening on port 81
and before that it was listening on port 80
no matter which port I put in my config I get the "Cannot bind to
...." in the log file
... from the below I'd guess you are changing both the Squid http_port
and the apache listening "Port" entries at the same time in your
tests.
here is a bit of my config
*********************************************************************
http_port 192.168.1.3:81 accel parent vhost
defaultsite=www.mysite.org
The tutorial and advice so far as I've seen has been to place Squid
listening on "http_port 80 accel vhost" and apache listening on "Port
81".
Okay stop here. Check that. Make it so. Restart both software if
needed.
If another "bind" error comes up during the restart let us know right
now.
Continue reading...
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
Those two lines are (or 'were' right?) a loop.
Squid listening on 192.168.1.3 port 81 is to fetch requests from
source server listening on 192.168.1.3 port 81.
What you should have after my suggested change above is:
Squid listening on port 80 fetched from server on port 81.
Test this:
fetch a request for http://192.168.1.3:81/
EXPECTED: results in the apache "it works", or your <VirtualHost *>
site.
fetch a request for http://192.168.1.3/
EXPECTED: results in the apache "it works", or your <VirtualHost *>
site. Received through Squid.
(using wget, curl, or squidclient to display the response errors, the
second fetch there should contain a Via: header which is not present in
the first fetch.)
IF (and only if) there was no "bind" error, and the headers check
above fails to show a Via: header properly. We work on that in next
email...
acl dstdomain our_sites dstdomain www.mysite1.org www.mysite2.com
www.mysite3.net
http_allow_access main allow our_sites
http_peer_access main deny all
At the moment all of these sites are running on the same server
(virtualhost)
The only thing I am not sure of is probably the cache_peer directive
"cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main"
If it's wrong then I don't know what to put in there
The IP address and port of your Apache server.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
Current Beta Squid 3.1.0.18
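
Added example, not part of the thread and not code from any participant: a small order-aware check over the `acl` and `http_access` lines quoted above, reading them top to bottom the way Squid evaluates `http_access` (first match wins). The function name `lint`, the finding labels and the partial list of ACL types are assumptions made for this example; the rule text is copied from the message as posted.

```python
# Added example: order-aware lint for squid.conf "acl" / "http_access" lines.
# Rules below are copied from the thread as posted (subset, long line joined).
THREAD_CONF = """\
acl out_sites dstdomain www.mysite.org www.mysite.com www.mysite.net
http_access allow our_sites
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl our_network 192.168.1.0/24
http_access allow localnet
http_access deny all
http_access allow our_network
http_access deny all
"""

# Partial list of ACL types, enough for this excerpt (not Squid's full set).
KNOWN_TYPES = {"src", "dst", "dstdomain", "srcdomain", "proto", "port", "method"}

def lint(conf):
    """Return (line_no, kind, detail) findings, reading rules top to bottom."""
    findings = []
    defined = {"all"}      # assumption: "all" is predefined, as in Squid 3.x
    terminal = None        # line of the first unconditional allow/deny all
    for n, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 2 and tok[0] == "acl":
            defined.add(tok[1])
            # an acl needs: name, a type keyword, and at least one value
            if len(tok) < 4 or tok[2] not in KNOWN_TYPES:
                findings.append((n, "bad-acl", tok[1]))
        elif len(tok) >= 3 and tok[0] == "http_access":
            if terminal is not None:
                # first match wins, so nothing after "... all" is evaluated
                findings.append((n, "unreachable", " ".join(tok[1:])))
                continue
            for name in tok[2:]:
                if name.lstrip("!") not in defined:
                    findings.append((n, "undefined-acl", name.lstrip("!")))
            if tok[2:] == ["all"]:
                terminal = n
    return findings

if __name__ == "__main__":
    for line_no, kind, detail in lint(THREAD_CONF):
        print(f"line {line_no}: {kind}: {detail}")
```

On the excerpt as posted, the findings line up with the reported symptom: 192.168.1.0/24 is in neither `localnet` range, and the rule that would admit it sits after the first `http_access deny all`.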