On 29/04/11 17:22, Colin Coe wrote:
Hi all
I'm having trouble getting squid to do what I need.
I'm in a test network within a corporate environment.
What I want is this:
1) squid needs to use the corporate proxy for Internet stuff
2) squid should cache
3) squid should reverse proxy several servers (but for now only one
actually exists) both http and https
4) anything destined for 10.1.102.0/24 needs to not be sent to the
corporate proxy.
5) only the WSUS server is allowed to talk to *.windowsupdate.com
What I get is:
1) Reverse proxying seems to work except that any attempts to browse a
remote site (i.e. www.microsoft.com) on the host being proxied results
in being redirected to itself.
2) Normal proxying seems to work (note the exception above)
My config file is
---
# Should be obvious
http_port 3128
cache_dir ufs /var/spool/squid 6444 16 256
cache_access_log /var/log/squid/access.log
NP: the directive is now just called "access_log"
################################################################################
# Local traffic, is y'know, local
acl acl_whitelist dstdomain .dev.company.com
acl acl_virthost dst 10.1.102.8/29
acl http proto http
acl vdsm port 54321
acl port_80 port 80
acl port_443 port 443
acl CONNECT method CONNECT
http_access allow vdsm acl_virthost
http_access allow http port_80 acl_whitelist
http_access allow CONNECT port_443 acl_whitelist
You are missing the default security blanket rules...
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
These prevent internal clients or external attacks from getting
malicious HTTP requests past your local config settings (for example the
generic "allow acl_intranet").
"malicious" requests are not always intentional, the internal client
ones commonly come from things as simple as embedded URLs in web adverts.
################################################################################
# Reverse proxy settings
NP: this reverse-proxy section should be above the local traffic
section. The http_access rules here must be first in the entire list of
http_access.
#https_port rhevm.dev.company.com:443 accel defaultsite=https://virtman.dev.company.com vhost
http_port rhevm.dev.company.com:80 accel defaultsite=http://virtman.dev.company.com vhost
defaultsite= is the FQDN, not a full URL. The http:// part is assumed
from the "http_" directive name.
There is an additional protocol= option if the scheme needs to be
something weird (very, very rarely needed).
# RHEV Manager
cache_peer 10.1.102.34 parent 80 0 no-query originserver name=rhevman
#cache_peer 10.1.102.34 parent 443 0 no-query originserver ssl name=rhevuser
acl acl_rhevm dstdomain virtman.dev.company.com
acl acl_srcrhevm srcdomain virtman.dev.company.com
http_access allow acl_rhevm !acl_srcrhevm
The server itself asking the proxy for its own domain things?
This should not matter. You want to avoid DNS lag anyway:
acl acl_srcrhevm src 10.1.102.34
With a cache_peer IP like that, Squid does not use DNS to connect to the
internal peer so the internal DNS view can be set to the internal server
IP if you want to avoid the internal traffic going via Squid IP.
cache_peer_access rhevman allow acl_rhevm
cache_peer_access rhevman deny all
always_direct allow acl_rhevm
Remove the always_direct. It prevents the cache_peer being used and is
likely the cause of your problem.
NOTE: I see you have commented out some HTTPS reverse-proxy bits.
You will be interested in squid-3.1.12 with fixes for HTTPS to
internal reverse-proxy peers.
################################################################################
# Only the WSUS box can go to the windows update site
acl acl_windowsupdate dstdomain .windowsupdate.com
acl acl_wsus srcdomain wsus.dev.company.com
http_access deny !acl_wsus acl_windowsupdate
Your use of srcdomain requires rDNS systems to be working. Is the WSUS
on a dynamic IP?
Either use the WSUS IP in a "src" ACL or switch the order of those two
ACL names on that line for faster overall processing.
If you retain the srcdomain, ensure that the rDNS results have long
TTL. It is delaying one client request every rDNS TTL cycle.
Also, there are a number of other WU domains you may want to add to that
list:
http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
################################################################################
# Normal proxy settings
acl acl_intranet src 10.1.102.0/24
http_access allow acl_intranet
################################################################################
# Catch all
http_access deny all
cache_peer proxy.company.com parent 8200 7 no-query
# Never go direct to the internet (use the BlueCoat)
never_direct allow all
These two sections look fine.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.7 and 3.1.12.1
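The configuration below is an added example, not Colin's posted file and not text from Amos's reply: it assembles the corrections made in the thread into one ordered squid.conf so the dependencies between them are visible (reverse-proxy listeners and their http_access rules first, the Safe_ports/SSL_ports deny rules next, defaultsite= as a bare FQDN, src IP ACLs in place of srcdomain, the always_direct for the reverse-proxied host removed, cheapest ACL first on the WSUS deny line). Assumptions not in the thread and marked as such in the comments: the TLS cert/key paths for https_port, the WSUS host IP 10.1.102.99, the peer name "corpproxy" with a cache_peer_access deny so the corporate proxy is never used for the reverse-proxied host, and the always_direct rule for destinations in 10.1.102.0/24 (requirement 4, which the reply does not address).

```conf
# Added example squid.conf (Squid 3.1.x), not the original poster's file.
# Placeholders that are assumptions: cert/key paths, WSUS IP, peer name corpproxy.

http_port 3128
cache_dir ufs /var/spool/squid 6444 16 256
access_log /var/log/squid/access.log

################################################################################
# Reverse proxy: listeners, origin peers and their http_access come FIRST.
# defaultsite= is the FQDN only; the scheme comes from the directive name.
http_port rhevm.dev.company.com:80 accel defaultsite=virtman.dev.company.com vhost
# HTTPS listener; cert/key paths are assumed placeholders. HTTPS to the
# internal peer needs the fixes in squid-3.1.12 or later.
https_port rhevm.dev.company.com:443 accel defaultsite=virtman.dev.company.com vhost cert=/etc/squid/rhevm.pem key=/etc/squid/rhevm.key

# Origin peers by IP: no DNS lookup, so the internal DNS view can point
# virtman.dev.company.com straight at 10.1.102.34 if wanted.
cache_peer 10.1.102.34 parent 80 0 no-query originserver name=rhevman
cache_peer 10.1.102.34 parent 443 0 no-query originserver ssl name=rhevmanssl

acl acl_rhevm dstdomain virtman.dev.company.com
acl acl_srcrhevm src 10.1.102.34            # src IP, not srcdomain (no rDNS lag)
cache_peer_access rhevman allow acl_rhevm
cache_peer_access rhevman deny all
cache_peer_access rhevmanssl allow acl_rhevm
cache_peer_access rhevmanssl deny all
# No "always_direct allow acl_rhevm" here: it would bypass the origin peers
# and send the request to wherever the public DNS name resolves (Squid itself).

http_access allow acl_rhevm !acl_srcrhevm

################################################################################
# Default security blanket: stop odd ports / CONNECT tunnels before any
# broad allow rule (such as the intranet allow below) can match.
acl Safe_ports port 80 443 54321            # 54321 is the vdsm port from the thread
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

################################################################################
# Local traffic
acl acl_whitelist dstdomain .dev.company.com
acl acl_virthost dst 10.1.102.8/29
acl http proto http
acl vdsm port 54321
acl port_80 port 80
acl port_443 port 443
http_access allow vdsm acl_virthost
http_access allow http port_80 acl_whitelist
http_access allow CONNECT port_443 acl_whitelist

################################################################################
# Only the WSUS box may reach *.windowsupdate.com. dstdomain is listed first
# so the source check only runs for Windows Update requests.
acl acl_windowsupdate dstdomain .windowsupdate.com
acl acl_wsus src 10.1.102.99                # ASSUMED placeholder IP for wsus.dev.company.com
http_access deny acl_windowsupdate !acl_wsus

################################################################################
# Normal proxy settings and catch-all
acl acl_intranet src 10.1.102.0/24
http_access allow acl_intranet
http_access deny all

################################################################################
# Upstream corporate proxy. name= is assumed so it can be excluded for the
# reverse-proxied host; requests for virtman must only use the origin peers.
cache_peer proxy.company.com parent 8200 7 no-query name=corpproxy
cache_peer_access corpproxy deny acl_rhevm
cache_peer_access corpproxy allow all

# Requirement 4 (assumed rule, not covered in the reply): hosts in the test
# subnet are reached directly, except the reverse-proxied name, which must
# keep going through its origin peer. always_direct is evaluated before
# never_direct, so this exception wins over the "never go direct" rule.
acl acl_localdst dst 10.1.102.0/24
always_direct allow acl_localdst !acl_rhevm
never_direct allow all
```

Before reloading, run `squid -k parse` against the file; it reports unknown directives and undefined ACL names (for example a `deny !Safe_ports` line with no `Safe_ports` ACL), which is the most common way an ordering fix like this fails silently.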