Thanks Amos,
My doubts are clear now.
Amos Jeffries wrote:
Mario Remy Almeida wrote:
Hi All,
Recently I configure Squid as reverse proxy for back-end apache
server running Drupal.
acl airarabia_web dstdomain www.airarabia.com
cache_peer 10.4.171.6 parent 80 0 no-query originserver
name=airarabia_peer2 round-robin forceddomain=www.airarabia.com default
# cache_peer 10.4.171.7 parent 80 0 no-query originserver
name=airarabia_peer1 round-robin forceddomain=www.airarabia.com
default # not yet implemented
cache_peer_access airarabia_peer2 allow airarabia_web
cache_peer_access airarabia_peer2 deny all
Problem 1:-
With Apache I had connection Limit of 20 per IP (mod_limitipconn.so)
I need to achieve this with squid reverse proxy.
please let me know if below configurations is correct.
You should not really need this with Squid. FD in Squid are very
lightweight and do not block whole threads like they do in Apache.
===========================
acl connectionLimit maxconn 20
Missing:
http_access deny connectionLimit
acl airarabia_web dstdomain www.airarabia.com
cache_peer 10.4.171.6 parent 80 0 no-query originserver
name=airarabia_peer2 round-robin forceddomain=www.airarabia.com default
cache_peer_access airarabia_peer2 allow airarabia_web connectionLimit
The above will cause denial if LESS than 20 connections are made.
Seems strange until you consider that connectionLimit is only true
when >20 connections are present from a single IP. Which will cause
the following line to happen:
cache_peer_access airarabia_peer2 deny all
===========================
Problem 2:-
After configuring reverse proxy, The apache back-end server gets the
IP of the reverse proxy and not of the actual clients.
Your problem description describes the config:
forwarded_for on
squid.conf
===========================
follow_x_forwarded_for allow airarabia_web
follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
===========================
I will work on HOW TO for mod_extract_forwarded, but mean time if
someone can verify if the above squid.conf for problem 2 is correct?
It does not match your problem description. It configures Squid to log
and run ACL tests based on the remote client IP outside your trusted
edge.
Useful only for hierarchies and clusters of proxies who need to ignore
the internal relay chain in their security tests.
Amos
------------------------------------------------------------------------------
Disclaimer and Confidentiality
This material has been checked for computer viruses and although none has
been found, we cannot guarantee that it is completely free from such problems
and do not accept any liability for loss or damage which may be caused.
Please therefore check any attachments for viruses before using them on your
own equipment. If you do find a computer virus please inform us immediately
so that we may take appropriate action. This communication is intended solely
for the addressee and is confidential. If you are not the intended recipient,
any disclosure, copying, distribution or any action taken or omitted to be
taken in reliance on it, is prohibited and may be unlawful. The views
expressed in this message are those of the individual sender, and may not
necessarily be that of ISA.
