> -----Original Message----- > From: Erich Titl [mailto:erich.titl@xxxxxxxx] > Sent: Friday, September 16, 2011 8:28 AM > To: squid-users@xxxxxxxxxxxxxxx > Subject: Re: forward and reverse proxy with squid 3.2 > > Hi Dean > > at 16.09.2011 15:12, Dean Weimer wrote: > >> -----Original Message----- > >> From: Erich Titl [mailto:erich.titl@xxxxxxxx] > >> Sent: Friday, September 16, 2011 3:35 AM > >> To: squid-users@xxxxxxxxxxxxxxx > >> Subject: forward and reverse proxy with squid 3.2 > >> > >> Hi Folks > >> > >> I need to replace my squid proxy running on a Debian Lenny, because > > the > >> version provided does not handle ssl. > >> > >> I managed with some tweaks to the makefile (especially for the link > >> phase) to compile 3.2.0.11, the configuration changes though apear to > >> make it impossible to run a normal and reverse proxy in the same > > instance. > >> > >> I copied most of the configuration files from the old installation, > >> hoping they would not to be too different. > >> > >> My new installation runs fine as a normal proxy, as soon as I include > >> the reverse proxy configuration, everything is sent to the peer > >> mentioned there. > >> > >> > ########################################################## > >> ########################## > >> # squid reverse proxy settings > >> # content shamelessly adapted from > >> # > >> http://wiki.squid- > >> cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate > >> # Copyleft 2009 erich.titl@xxxxxxxx > >> > ########################################################## > >> ########################## > >> > >> http_port 80 accel > >> > >> # peer servicedesk > >> cache_peer servicedesk.ruf.ch parent 80 0 no-query originserver > >> name=servicedesk > >> > >> acl sites_server_1 dstdomain servicedesk.ruf.ch > >> cache_peer_access servicedesk allow sites_server_1 > >> http_access allow sites_server_1 > >> > ########################################################## > >> ############################### > >> > >> It appears that the cache_peer directive now takes precedence. > >> > >> cheers > >> > >> Erich > > > > Erich, > > I ran into this when switching to the 3.x branch from 2.x, you > > need to answer on a second port for the forward proxy requests, this > > setup works in 3.1.x, I haven't tried it in 3.2.x versions, but I > > believe this should work in it as well. > > > > http_port 80 accel > > http_port 3128 > > # If using https on reverse proxy as well > > https_port 443 accel cert=/usr/local/squid/etc/certs/chain.crt > > key=/usr/local/squid/etc/certs/cert.key options=NO_SSLv2 > > > cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SS > Lv2 > > I have a forward proxy defined on 8080 and it works well until I include > the reverse proxy configuration. Then everything goes to the cache peer > defined for that vhost. What does your cache peer look like? > > Thanks > > Erich Perhaps it's the cache_peer_domain lines that you need, I have sanitized these entries, I am actually using a vhost configuration with multiple peers on port 80, and a single peer on https. cache_peer 1.1.1.1 parent 80 0 proxy-only no-query originserver name=HTTPPEER cache_peer_domain HTTPPEER www.domain.com cache_peer 1.1.1.1 parent 443 0 ssl no-query originserver name=HTTPSPEER cache_peer_domain HTTPSPEER www.domain.com My forward proxy is also using a parent cache, which makes the ACLs and rules likely quite a bit different, but I don't appear to have any allow deny rules for the parent peers used in the reverse proxy settings, so it looks like the cache_peer_domain is doing all the work in deciding what goes to the parents via the reverse proxy function, and what goes to the forward parent server. The only ACLs and rules I have setup are allowing and denying access to the forward proxy port.