On 24/10/2013 3:17 p.m., juan_fla wrote:
I'm trying to set up squid as reverse proxy/cache for a mediawiki website. At
this time, http requests to the website give me an Access denied message.
Looks like I need to map requests to port 80 somehow to the port 3129 (where
Squid is listening right now) but I don't understand how.
Bad idea. Squid as reverse-proxy should be listening directly on port 80
and handling the traffic as it arrives there.
The wiki service should ideally be listening on port 80 on a
different/private/localhost IP somewhere else. Squid gets configured
with a cache_peer directive pointing at the wiki web server listening
port. Public DNS gets configured pointing all visitors at Squid.
Details can be found in this example config along with instructions on
proper testing of reverse-proxies:
http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
Squid 3.3.8, FreeBSD 6.2.
Web server is listening to port 3130. Squid is listening on 3129.
Ideally both should be listening on port 80, just different IPs.
However, IF you really need the web server to be listening on a
different port you can set the cache_peer in the above mentioned config
rules to point at any port you like. Just be extra careful that the web
server is configured to ensure the scripts it runs only generate URLs with:
1) relative URLs whenever possible ... so the client software uses its
original URL domain:port details for followup requests
2) omitted port number when domain is unavoidable ... implying default
port 80 so it goes back to Squid.
3) omitted "scheme:" ... so http:// and https:// can be determined by the
frontend Squid without causing trouble.
As a backup you can have Squid listening on port 3130 *as well*. But
if that is possible there is usually not much reason for the web server
to avoid port 80, is there?
Trying to browse the homepage ( http://mydomain.org - not the real domain)
results in:
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL:
http://localhost:3129/index.html
Access Denied.
Access control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect.
Your cache administrator is webmaster.
However, adding the Squid port number does work - the response is the
homepage ( http://mydomain.org:3129/ )
BUT Squid is not being asked to fetch website " mydomain.org " ... it
is being asked to fetch website " localhost:3129 "
Squid.conf:
http_port 3129 accel defaultsite=mydomain.org
http_port 80 accel defaultsite=mydomain.org
cache_peer 127.0.0.1 parent 3130 0 no-query originserver name=myAccel login=PASS
acl our_sites dstdomain mydomain.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
cache_dir ufs /home/mydomain/website/webroot/cache/squid 100 16 256
coredump_dir /home/mydomain/opt/squid/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname mydomain.org
I've tried adding references to port 80 but so far nothing has worked.
I will sincerely appreciate any suggestions. We have had the website down
for two months now trying to get Squid working :(
Three things:
* make Squid listen on port 80
* run your tests with *exactly* the same URLs the visitors will be
requesting ... http://mydomain.org/
- find out where that "localhost:3129" is coming from and fix it. It
is something between your test browser and Squid.
* configure DNS to point mydomain.org at the Squid proxy IP address
Amos
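
Added example, not part of the original thread and not Squid or MediaWiki code: a Python check that scans HTML produced by the backend web server for URLs that break the three rules listed in the reply (relative where possible, no port, no scheme), since such URLs send visitors around the proxy or expose the backend port. The backend host names and the sample HTML are constructed assumptions; mydomain.org is the placeholder domain from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PUBLIC_HOST = "mydomain.org"                 # placeholder domain used in the thread
BACKEND_HOSTS = {"localhost", "127.0.0.1"}   # assumed names of the origin server

class LinkCollector(HTMLParser):
    """Collect every href/src/action value in a page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src", "action") and v]

def classify(url):
    """Return the list of rules a generated URL breaks (empty list = fine)."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return ["unparseable"]
    if not parts.netloc:
        return []                 # rule 1: relative URL (or mailto: and similar)
    problems = []
    if parts.hostname in BACKEND_HOSTS:
        problems.append("backend-host")
    elif parts.hostname != PUBLIC_HOST:
        return []                 # link to an unrelated external site
    if port is not None:
        problems.append("explicit-port")      # rule 2
    if parts.scheme:
        problems.append("explicit-scheme")    # rule 3
    return problems

def audit(html):
    """Map each offending URL in the HTML to the rules it breaks."""
    collector = LinkCollector()
    collector.feed(html)
    return {u: p for u in collector.urls if (p := classify(u))}

# Constructed sample of backend output, not taken from the thread.
SAMPLE = """<a href="/index.php?title=Main_Page">Home</a>
<link href="//mydomain.org/skins/main.css" rel="stylesheet">
<img src="http://mydomain.org:3130/images/logo.png">
<form action="http://localhost:3129/index.php"></form>
<a href="https://en.wikipedia.org/">External</a>"""

if __name__ == "__main__":
    for url, problems in audit(SAMPLE).items():
        print(url, "->", ", ".join(problems))
```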