On Wed, 20 Jul 2011 16:34:28 +0200, tim.schmeling@xxxxxxxxxxx wrote:
Hi Squid-Users,
I have a big problem and I hope that anyone can help me.
I would like to set up a Squid reverse proxy with IP-based virtual hosts in
Apache.
Client -> Pound (10.1.24.145:80) -> Squid (10.1.24.145:3007) -> Apache (127.0.0.1:3007)
Virtual hosts in Apache work perfectly, but the following error occurs when
I try to connect over Pound/Squid:
access.log from Squid:
1311171399.324 157 10.1.24.145 TCP_MISS/503 4014 GET http://sub3007/ - DIRECT/127.0.0.1 text/html
The cache.log tells me:
...
2011/07/20 16:16:39.166| parseHttpRequest: req_hdr = {Host: sub3007
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cache-Control: max-age=0
X-Forwarded-For: 10.1.24.81
}
2011/07/20 16:16:39.166| parseHttpRequest: end = {
...
Squid tries to connect to 127.0.0.1:80 to Apache, but this is wrong,
it might be 127.0.0.1:3007 (the vport).
Here is my squid.conf:
http_port 10.1.24.145:3007 vhost vport
http_port 10.1.24.145:3008 vhost vport
First you want to add "accel" as the first option on those lines. This
is not strictly required by the current popular releases, but will help
with future upgrades to 3.1+ versions which do require it.
...
here are some ACLs
...
acl Safe_ports port 3000-3030
http_access deny !Safe_ports
http_access deny deniedrequest
http_access allow internurl intraweb
http_access allow adminurl intraweb
http_access allow adminurl admin
http_access allow extern
http_access deny intraweb
http_access deny admin
http_access deny deniedbrowser
http_access allow aha_my_test
http_access deny all
cache deny all
httpd_suppress_version_string on
always_direct allow all
This is part of the problem. "always_direct" forces Squid to perform
DNS resolution and make use of the IP/ports found.
Use cache_peer instead, like so:
cache_peer 127.0.0.1 parent 3007 0 originserver name=apache3007
cache_peer 127.0.0.1 parent 3008 0 originserver name=apache3008
acl port3007 myportname 10.1.24.145:3007
acl port3008 myportname 10.1.24.145:3008
cache_peer_access apache3007 allow port3007
cache_peer_access apache3008 allow port3008
Or you can avoid the whole double-port thing by using name-based
virtual hosting in Apache. Pound is clearly passing the domain name
through properly. Using cache_peer and avoiding always_direct will make
Squid pass it through properly as well.
max_open_disk_fds 8192
coredump_dir /usr/local/squid/var/cache
Can anyone help me?
Every time we 'fix' this we get complaints from people wanting the
opposite behaviour or suddenly getting breakage. We for now have this
behaviour: Squid should obey Host: port when "vport" is given, and
ignore it when vport is omitted (using http_port value if none is pulled
in indirectly by vhost anyway), and override/replace it when "vport=N"
is given.
So your config tells Squid to use what Pound supplies (default 80). You
can avoid that by either getting Pound to stop adding the unusual port
to the header, or using vport=80 in squid.
Amos
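
As an added example (not part of the original thread and not Squid project code), the following Python lint checks a squid.conf for the points raised in the reply above: http_port lines using vhost/vport without accel, a bare vport, "always_direct allow all", and a missing originserver cache_peer. The finding codes, messages and the two sample configurations are constructed for illustration; the revised sample uses vport=80, one of the two options the reply names.

```python
# Added example: squid.conf lint for the reply's points; codes are hypothetical.
MESSAGES = {
    "missing-accel": "http_port has vhost/vport but no accel (3.1+ requires it)",
    "bare-vport": "bare vport: port comes from Host header (80 if none given)",
    "always-direct-all": "always_direct allow all: DNS lookup decides IP/port",
    "no-origin-peer": "no 'cache_peer ... originserver' for the origin",
}

# Constructed samples: the posted lines, then the reply's advice applied.
POSTED_CONF = """\
http_port 10.1.24.145:3007 vhost vport
http_port 10.1.24.145:3008 vhost vport
always_direct allow all
"""

REVISED_CONF = """\
http_port 10.1.24.145:3007 accel vhost vport=80
http_port 10.1.24.145:3008 accel vhost vport=80
cache_peer 127.0.0.1 parent 3007 0 originserver name=apache3007
cache_peer 127.0.0.1 parent 3008 0 originserver name=apache3008
acl port3007 myportname 10.1.24.145:3007
acl port3008 myportname 10.1.24.145:3008
cache_peer_access apache3007 allow port3007
cache_peer_access apache3008 allow port3008
"""

def lint_squid_conf(text):
    """Return [(line_no, code)]; line_no 0 marks a whole-file finding."""
    rows = [(n, l.split()) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")]
    findings, accelerated = [], False
    for n, tok in rows:
        if tok[0] == "http_port" and any(
                o == "vhost" or o.startswith("vport") for o in tok[2:]):
            accelerated = True
            if "accel" not in tok:
                findings.append((n, "missing-accel"))
            if "vport" in tok:  # exact match, so vport=N is not flagged
                findings.append((n, "bare-vport"))
        elif tok[:3] == ["always_direct", "allow", "all"]:
            findings.append((n, "always-direct-all"))
    has_peer = any(t[0] == "cache_peer" and "originserver" in t for _, t in rows)
    if accelerated and not has_peer:
        findings.append((0, "no-origin-peer"))
    return findings

if __name__ == "__main__":
    for line_no, code in lint_squid_conf(POSTED_CONF):
        print(f"line {line_no}: {MESSAGES[code]}")
```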