Search squid archive

Re: squid config help required

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 29/04/11 17:22, Colin Coe wrote:
Hi all

I'm having trouble getting squid to do what I need.

I'm in a test network within a corporate environment.

What I want is this:
1) squid needs to use the corporate proxy for Internet stuff
2) squid should cache
3) squid should reverse proxy several servers (but for now only one
actually exists) both http and https
4) anything destined for 10.1.102.0/24 needs to not be sent to the
corporate proxy.
5) only the WSUS server is allowed to talk to *.windowsupdate.com

What I get is:
1) Reverse proxying seems to work except that any attempts to browse a
remote site (ie www.microsoft.com) on the host being proxied results
in being redirected to itself.
2) Normal proxying seems to work (note the exception above)

My config file is
---
# Should be obvious
http_port 3128
cache_dir ufs /var/spool/squid 6444 16 256
cache_access_log /var/log/squid/access.log

NP: the directive is now just called "access_log"


################################################################################
# Local traffic, is y'know, local

acl acl_whitelist dstdomain    .dev.company.com
acl acl_virthost  dst          10.1.102.8/29
acl http          proto        http
acl vdsm          port         54321
acl port_80       port         80
acl port_443      port         443
acl CONNECT       method       CONNECT

http_access allow vdsm    acl_virthost
http_access allow http    port_80      acl_whitelist
http_access allow CONNECT port_443     acl_whitelist

You are missing the default security blanket rules...
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_Ports

These prevent internal clients or external attacks from getting malicious HTTP requests past your local config settings (for example the generic "allow acl_intranet"). "malicious" requests are not always intentional, the internal client ones commonly come from things as simple as embeded URLs in web adverts.


################################################################################
# Reverse proxy settings

NP: this reverse-proxy section should be above the local traffic section. The http_access rules here must be first in the entire list of http_access.


#https_port rhevm.dev.company.com:443 accel
defaultsite=https://virtman.dev.company.com vhost
http_port  rhevm.dev.company.com:80  accel
defaultsite=http://virtman.dev.company.com vhost

defaultsite= is the FQDN, not a full URL. The http:// part is assumed from the "http_" directive name. There is an additional protocol= option if the scheme needs to be something weird (very, very rarely needed).


# RHEV Manager
cache_peer 10.1.102.34 parent 80 0 no-query originserver name=rhevman
#cache_peer 10.1.102.34 parent 443 0 no-query originserver ssl name=rhevuser

acl acl_rhevm dstdomain virtman.dev.company.com
acl acl_srcrhevm srcdomain virtman.dev.company.com
http_access allow acl_rhevm !acl_srcrhevm

The server itself asking the proxy for its own domain things?

This should not matter. You want to avoid DNS lag anyway:
  acl acl_srcrhevm src 10.1.102.34

With a cache_peer IP like that, Squid does not use DNS to connect to the internal peer so the internal DNS view can be set to the internal server IP if you want to avoid the internal traffic going via Squid IP.


cache_peer_access rhevman  allow acl_rhevm
cache_peer_access rhevman  deny  all
always_direct allow acl_rhevm

Remove the always_direct. It prevents the cache_peer being used and is likely the cause of your problem.


NOTE: I see you have commented out some HTTPS reverse-proxy bits.
You will be interested in squid-3.1.12 with fixes for HTTPS to internal reverse-proxy peers.


################################################################################
# Only the WSUS box can go to the windows update site
acl acl_windowsupdate dstdomain .windowsupdate.com
acl acl_wsus srcdomain wsus.dev.company.com
http_access deny !acl_wsus acl_windowsupdate

Your use of srcdomain requires rDNS systems to be working. Is the WSUS on a dynamic IP? Either use the WSUS IP in a "src" ACL or switch the order of those two ACL names on that line for faster overall processing.

If you retain the srcdomain, ensure that the rDNS results have long TTL. It is delaying one client request every rDNS TTL cycle.

Also, there are a number of other WU domains you may want to add to that list:
  http://wiki.squid-cache.org/SquidFaq/WindowsUpdate


################################################################################
# Normal proxy settings
acl acl_intranet src 10.1.102.0/24
http_access allow acl_intranet

################################################################################
# Catch all
http_access deny all

cache_peer proxy.company.com parent 8200 7 no-query
# Never go direct to the internet (use the BlueCoat)
never_direct allow all

These two sections look fine.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux