On 01.03.2012 03:35, kadvar wrote:
Hi,
I have set up squid in reverse proxy (http-accelerator mode) on a machine
along with the web server. The web server listens on 127.0.0.1 while squid
listens on 192.168.124.41. There is another web server 192.168.124.40.
Squid has been configured with urlpath_regex to redirect any incoming
requests with "images" in the url to 192.168.124.40.
                           |---> webserver1 (127.0.0.1)
squid (192.168.124.41) --- |
                           |---> webserver2 (192.168.124.40)
Now according to my config, pointing my browser to
192.168.124.41/images.html should lead to 192.168.124.40/images.html. The
page loads up but the embedded images do not show up. A tail -f on
access.log shows
1330494519.583 5 192.168.124.41 TCP_REFRESH_UNMODIFIED/304 357 GET http://192.168.124.41/images.html - FIRST_UP_PARENT/server2 -
1330494519.814 3 192.168.124.41 TCP_MISS/404 582 GET http://192.168.124.41/myimage.jpg - FIRST_UP_PARENT/server1 text/html

NOTE for all the log_fqdn addicts: This is one of the major reasons we
moved to IP-address display in these logs recently. It is far easier to
identify these problem servers, especially when each one has multiple
IPs squid could be accessing.

images.html has an image embedded in it called myimage.jpg. Squid does well
to redirect incoming requests for images.html to server2 but it is still
looking for myimage.jpg on server1. Why is this happening?
Thanks,
Adi
I have reproduced squid.conf below
########################squid.conf####################
############### http accel configuration ###########
#let squid listen on the public ip addr port 80 and apache on localhost 80
http_port 192.168.124.41:80 accel defaultsite=192.168.124.41

You set the default Host: header value to be a raw-IP address. Squid
will attempt to fetch from itself, looping back, and try to fetch from
itself...
This is default *site*. As in your company's public FQDN, or the
default website name you want broken clients to visit if they omit a
domain name from their URL.
On top of this Squid is not told to pay attention to the Host header
(vhost option), so the reverse-proxy mode traffic URL has no domain name
in it; Squid uses that IP address.

#192.168.124.41/images has to be redirected to another web server
acl images urlpath_regex images

Problem #1: everything with the letters "images" in the URL path gets
matched by this.
For example:
http://example.com/images/haha.html
http://example.com/boo/?images
http://example.com/scripts/images.js
http://example.com/videos/images.avi
http://google.com/images?q=boo
http://192.168.124.41/images.html
Careful with regex.

#now that images has been found deny the request being sent to server 1
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=server1
cache_peer_access server1 deny images

PROBLEM #2: "myimage.jpg" does not contain an "s". The 'images' ACL
definition does not prevent it going to this peer.

#now send the image requests to server 2, first create peer
cache_peer 192.168.124.40 parent 80 0 no-query originserver name=server2
#now send image requests to peer
cache_peer_access server2 allow images
cache_peer_access server2 deny all

Problem #3: in all of this I see no ACL or http_access permitting
access to the domain for reverse-proxy requests.
There are only forward-proxy http_access security configurations
limiting access to LAN spaces. If you want this reverse-proxied website
to be visible outside the LAN you will need to add permission for
anybody to access its domain name (dstdomain) before your
forward-proxy config (ie at the top with the cache_peer_access lines).

Amos
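
The peer selection discussed in Problems #1 and #2, modelled as an added example (not code from this thread or from Squid): it replays the posted cache_peer_access lines over the logged URLs and the reply's sample URLs. The TIGHTER pattern is a hypothetical replacement ACL, and the path-plus-query matching and default-rule handling are this model's assumptions.

```python
import re
from urllib.parse import urlsplit

# POSTED is the ACL from the squid.conf above. TIGHTER is a hypothetical
# replacement pattern (an assumption, not something proposed in the thread).
POSTED = re.compile(r"images")
TIGHTER = re.compile(r"^/images(\.html|/)|\.(jpe?g|png|gif)(\?|$)", re.I)

def urlpath(url):
    """What urlpath_regex is modelled to see: path plus query, never the host."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def peer_rules(images):
    """The cache_peer_access lines from the posted config, in order."""
    is_image = lambda url: bool(images.search(urlpath(url)))
    match_all = lambda url: True
    return {
        "server1": [("deny", is_image)],
        "server2": [("allow", is_image), ("deny", match_all)],
    }

def allowed(rules, url):
    """First matching line wins; if no line matches, the result is the
    opposite of the last line's action."""
    for action, acl in rules:
        if acl(url):
            return action == "allow"
    return rules[-1][0] == "deny"

def route(url, images=POSTED):
    """Names of the peers this URL may be forwarded to."""
    return [name for name, rules in peer_rules(images).items()
            if allowed(rules, url)]

# Constructed sample: the two URLs from the access.log and four from the reply.
SAMPLE = [
    "http://192.168.124.41/images.html",
    "http://192.168.124.41/myimage.jpg",
    "http://example.com/scripts/images.js",
    "http://example.com/boo/?images",
    "http://example.com/videos/images.avi",
    "http://google.com/images?q=boo",
]

if __name__ == "__main__":
    for url in SAMPLE:
        print(f"{url:40} posted={route(url)} tighter={route(url, TIGHTER)}")
```

With the posted ACL, myimage.jpg is the only sample URL sent to server1, which matches the 404 in the access.log.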