On Thu, Feb 15, 2018 at 3:31 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 15/02/18 17:00, Peng Yu wrote:
>> Hi,
>>
>> Here are the conf files for two proxies. The first is a reverse proxy
>> (proxied on server1 and server2) and the second is a forward proxy. Is
>> there a way to combine the two into one (supporting both 3129 and
>> 3128)? Thanks.
>
> One Squid can accept traffic in multiple modes, just by adding the
> appropriate *_port lines for each type/mode of traffic.
>
> However, if you are talking about the same setup as your last threads
> described the first proxy is *not* doing proper / normal reverse-proxy.
> From what I understand in those setups you are relying on the traffic
> being warped into forward-proxy syntax by the frontend and leaving the
> domain routing to the backend - which lacks the appropriate security
> checks to handle reverse-proxy needs.
>
>
> In regards to your posted config files. Skipping the lines which are not
> actual default configuration you are left with these:
>
>>
>> $ grep -v '^#' squid.conf|grep -v '^$'
>> http_port 3129
>
> This is not a reverse-proxy. That is declared by the "accel" mode flag
> being set - which is not present here.
>
>
>> cache_peer server1 parent 3128 0 round-robin no-query
>> cache_peer server2 parent 3128 0 round-robin no-query
>> coredump_dir /usr/local/var/cache/squid
>>
>
>> $ grep -v '^#' squid.conf|grep -v '^$'
>> http_port 3128
>
> This is also not a reverse-proxy.
>
>> coredump_dir /var/spool/squid3
>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>
> To combine the above two configurations take the second one and add this
> line:
> http_port 3129
>
>
> BUT, since neither of them was actually a reverse-proxy the answer of
> how to merge a reverse-proxy and a forward-proxy would be quite different.

I finally figured out a configuration that works. localhost:3128 forwards to both server1:3128 and server2:3128. localhost:3129 goes directly to the external network.

Let me know if there is anything wrong with it. Also, this only works for http. For https, localhost:3128 still goes directly to the external network. Do you know how to modify the following configuration to configure it for https?

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129
# Requests that arrived on port 3128 (myportname falls back to the port number when no name= is set)
acl port_3128_acl myportname 3128
# Both parents are only used for traffic that came in on 3128; 3129 traffic has no usable peer and goes direct
cache_peer server1 parent 3128 0 round-robin no-query name=proxy3128
cache_peer_access proxy3128 allow port_3128_acl
cache_peer server2 parent 3128 0 round-robin no-query name=proxy1_3128
cache_peer_access proxy1_3128 allow port_3128_acl
cache_peer_access proxy3128 deny all
forwarded_for delete
coredump_dir /usr/local/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

--
Regards,
Peng
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
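The following is an added example for the HTTPS question above; it is not a configuration from this thread or from the Squid project. It takes the poster's combined config and adds the piece that makes CONNECT (HTTPS) traffic on port 3128 use the parents too. Squid treats CONNECT requests as non-hierarchical and sends them direct unless a `never_direct` rule forbids that, so the fix is a `never_direct` rule scoped to the 3128 port. The port names (`via_parents`, `direct_only`), peer names (`parent_a`, `parent_b`) and ACL names are my own choices; `server1` and `server2` come from the thread and are assumed to be parents that accept CONNECT to port 443 (the stock `Safe_ports`/`SSL_ports` rules allow that).

```squid
# Added example, not the poster's config: combined forward proxy where
# port 3128 routes both http and https (CONNECT) through two parents and
# port 3129 always goes direct.

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Name the listening ports explicitly so the myportname ACLs do not rely on
# the default name (which is just the port number when name= is omitted).
http_port 3128 name=via_parents
http_port 3129 name=direct_only
acl to_parents myportname via_parents
acl to_direct myportname direct_only

# Both parents may only serve requests that arrived on 3128. The explicit
# "deny all" on each peer documents the intent rather than relying on the
# implicit default after the last matching rule.
cache_peer server1 parent 3128 0 round-robin no-query name=parent_a
cache_peer server2 parent 3128 0 round-robin no-query name=parent_b
cache_peer_access parent_a allow to_parents
cache_peer_access parent_a deny all
cache_peer_access parent_b allow to_parents
cache_peer_access parent_b deny all

# CONNECT is non-hierarchical and would go direct by default. Forbidding
# direct fetches for 3128 traffic forces both http and https through the
# parents, and also makes 3128 fail closed if both parents are down instead
# of silently bypassing them.
never_direct allow to_parents
# 3129 stays a plain direct forward proxy for every method.
always_direct allow to_direct

forwarded_for delete
coredump_dir /usr/local/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
```

Check the file with `squid -k parse` before reloading, then confirm the routing from the access log: an https request through localhost:3128 should show a CONNECT entry whose hierarchy field names `parent_a` or `parent_b` (e.g. `ROUNDROBIN_PARENT`), while the same request through localhost:3129 shows `HIER_DIRECT`. The trade-off of `never_direct` on 3128 is deliberate: if the parents are unreachable, clients on that port get an error rather than an unexpected direct connection.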