Re: [squid-users] reverse proxy config
Hi Amos

On 18.02.2012 02:29, Amos Jeffries wrote:
> On 18/02/2012 3:09 a.m., Erich Titl wrote:
>> Hi Folks
>>
>> cache_peer_access pfaeffikon-ssl allow sites_server_104
>
> Note: cache_peer_access and cache_peer_domain are alternative methods of deciding whether to service the request there. You can drop one of them.
>
>> http_access allow sites_server_104
>>
>> Here is an excerpt of the cache.log file
>>
>> 2012/02/17 14:47:07 kid1| Accepting HTTP Socket connections at local=[::]:8080 remote=[::] FD 15 flags=9
>> 2012/02/17 14:47:07 kid1| Accepting reverse-proxy HTTPS Socket connections at local=[::]:443 remote=[::] FD 16 flags=9
>> 2012/02/17 14:47:07 kid1| Configuring Parent pfaeffikon.gever.asp.ruf.ch/8083/0
>> 2012/02/17 14:47:07 kid1| Configuring Parent
>>
>> To me it looks like the cache peer is not accessed correctly.
>
> Maybe. That config says the peer will only service http://m278.asp.ruf.ch:443/* URLs. And does so without encryption on the squid-peer link.
>
>> The goal is to terminate https requests on the proxy and forwarding the requests for pfaeffikon.gever.asp.ruf.ch to a peer called m278.asp.ruf.ch on port 8083
>>
>> I see the requests arriving at the squid host, but it appears that it does not use the host specified in the peer parameters but uses the name of the original request host.
>
> Yes. Exactly so. The client is asking for https://pfaeffikon.gever.asp.ruf.ch/. Squid will attempt to service that request. You have told Squid to only accept requests for the domain m278.asp.ruf.ch.
>
> Amos

Of course you were right, I needed to understand the syntax a bit better. I had the settings the wrong way around.

Thanks
Erich
[squid-users] reverse proxy config
Hi Folks

I am trying to set up a reverse proxy for a number of systems, but appear to fail to define the cache peer correctly.

The reverse proxy settings

# squid reverse proxy settings for ssl acceleration
# content shamelessly adapted from
# http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
# Copyleft 2012 erich.t...@think.ch

https_port 443 cert=/etc/squid3/gever.crt key=/etc/squid3/gever.key accel protocol=http

# peer pfaeffikon
cache_peer pfaeffikon.gever.asp.ruf.ch parent 8083 0 no-query originserver name=pfaeffikon-ssl
cache_peer_domain pfaeffikon-ssl m278.asp.ruf.ch
acl sites_server_104 dstdomain m278.asp.ruf.ch
cache_peer_access pfaeffikon-ssl allow sites_server_104
http_access allow sites_server_104

Here is an excerpt of the cache.log file

2012/02/17 14:47:07 kid1| Accepting HTTP Socket connections at local=[::]:8080 remote=[::] FD 15 flags=9
2012/02/17 14:47:07 kid1| Accepting reverse-proxy HTTPS Socket connections at local=[::]:443 remote=[::] FD 16 flags=9
2012/02/17 14:47:07 kid1| Configuring Parent pfaeffikon.gever.asp.ruf.ch/8083/0
2012/02/17 14:47:07 kid1| Configuring Parent

To me it looks like the cache peer is not accessed correctly.

The goal is to terminate https requests on the proxy and forwarding the requests for pfaeffikon.gever.asp.ruf.ch to a peer called m278.asp.ruf.ch on port 8083

I see the requests arriving at the squid host, but it appears that it does not use the host specified in the peer parameters but uses the name of the original request host.

Thanks
Erich
Re: [squid-users] reverse proxy config
On 18/02/2012 3:09 a.m., Erich Titl wrote:
> Hi Folks
>
> I am trying to set up a reverse proxy for a number of systems, but appear to fail to define the cache peer correctly.
>
> The reverse proxy settings
>
> # squid reverse proxy settings for ssl acceleration
> # content shamelessly adapted from
> # http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
> # Copyleft 2012 erich.t...@think.ch
>
> https_port 443 cert=/etc/squid3/gever.crt key=/etc/squid3/gever.key accel protocol=http

Why set protocol http:// ??

You are missing vhost (locate and use HTTP/1.1 Host: header. 3.1 and older Squid have it absent for HTTP/1.0 compliance) and/or defaultsite (domain to use as URL domain if none can be located).

> # peer pfaeffikon
> cache_peer pfaeffikon.gever.asp.ruf.ch parent 8083 0 no-query originserver name=pfaeffikon-ssl
> cache_peer_domain pfaeffikon-ssl m278.asp.ruf.ch
> acl sites_server_104 dstdomain m278.asp.ruf.ch
> cache_peer_access pfaeffikon-ssl allow sites_server_104

Note: cache_peer_access and cache_peer_domain are alternative methods of deciding whether to service the request there. You can drop one of them.

> http_access allow sites_server_104
>
> Here is an excerpt of the cache.log file
>
> 2012/02/17 14:47:07 kid1| Accepting HTTP Socket connections at local=[::]:8080 remote=[::] FD 15 flags=9
> 2012/02/17 14:47:07 kid1| Accepting reverse-proxy HTTPS Socket connections at local=[::]:443 remote=[::] FD 16 flags=9
> 2012/02/17 14:47:07 kid1| Configuring Parent pfaeffikon.gever.asp.ruf.ch/8083/0
> 2012/02/17 14:47:07 kid1| Configuring Parent
>
> To me it looks like the cache peer is not accessed correctly.

Maybe. That config says the peer will only service http://m278.asp.ruf.ch:443/* URLs. And does so without encryption on the squid-peer link.

> The goal is to terminate https requests on the proxy and forwarding the requests for pfaeffikon.gever.asp.ruf.ch to a peer called m278.asp.ruf.ch on port 8083
>
> I see the requests arriving at the squid host, but it appears that it does not use the host specified in the peer parameters but uses the name of the original request host.

Yes. Exactly so. The client is asking for https://pfaeffikon.gever.asp.ruf.ch/. Squid will attempt to service that request. You have told Squid to only accept requests for the domain m278.asp.ruf.ch.

Amos
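
The mapping discussed in this thread, written out with the two names the right way around (an added squid.conf fragment, not configuration posted by anyone in the thread). It assumes the backend on port 8083 speaks plain HTTP; the two closing "deny all" lines are additions.

```conf
# Added example. Names are taken from the thread:
#   public name the client requests : pfaeffikon.gever.asp.ruf.ch
#   backend (origin) host           : m278.asp.ruf.ch, port 8083
#
# As posted, the two names were swapped:
#   cache_peer pfaeffikon.gever.asp.ruf.ch parent 8083 0 ... name=pfaeffikon-ssl
#   acl sites_server_104 dstdomain m278.asp.ruf.ch
# so no request for the public name ever matched the ACL.

# TLS ends at Squid. vhost uses the Host: header to build the URL,
# defaultsite is the fallback domain when no Host: header is present.
# protocol=http is left out, following the question raised in the reply.
https_port 443 accel cert=/etc/squid3/gever.crt key=/etc/squid3/gever.key defaultsite=pfaeffikon.gever.asp.ruf.ch vhost

# cache_peer names the machine Squid connects to, i.e. the backend.
# This hop is unencrypted. The cache_peer "ssl" option encrypts it, but
# only works if the backend port speaks TLS (assumed here: it does not).
cache_peer m278.asp.ruf.ch parent 8083 0 no-query originserver name=pfaeffikon-ssl

# dstdomain is compared with the domain in the request URL,
# which is the public name, not the backend name.
acl sites_server_104 dstdomain pfaeffikon.gever.asp.ruf.ch

# cache_peer_access alone is enough; cache_peer_domain is dropped.
cache_peer_access pfaeffikon-ssl allow sites_server_104
cache_peer_access pfaeffikon-ssl deny all

# Only the published site is served; everything else is refused, so the
# accelerator cannot be used to reach arbitrary destinations.
http_access allow sites_server_104
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors before `squid -k reconfigure` applies it.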
[squid-users] Reverse proxy config with squid3?
Hi - I'm working to establish a squid accel config with squid running on the same server as an Apache instance. With Squid 2.7, the following config worked (I have Apache listening on 127.0.0.1:80):

http_port 192.168.1.7:80 accel defaultsite=192.168.1.7
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=va
acl all src all
cache_peer_access va allow all
http_access allow all

But I would like to be using Squid3 (to stay consistent with the other Squid installs I have) -- and the above doesn't work, I just get Access Denied for everything. Is there something fundamentally wrong with the above?

(Tangent, but even though ACL all is supposed to be built in after 2.5, the above doesn't work unless I explicitly define all. Also, on reconfigure, I get an error:

2010/08/02 13:15:35| WARNING: '0.0.0.0/0.0.0.0' is a subnetwork of '0.0.0.0/0.0.0.0'
2010/08/02 13:15:35| WARNING: because of this '0.0.0.0/0.0.0.0' is ignored to keep splay tree searching predictable
2010/08/02 13:15:35| WARNING: You should probably remove '0.0.0.0/0.0.0.0' from the ACL named 'all'

Even though it works. shrug).

David G. Bucci
240.668.4024
david.g.bu...@lmco.com (unclass)

When Dr. Bruce Banner becomes angry, he changes into the Incredible Hulk; when the Incredible Hulk becomes angry, he changes into Chuck Norris. -- ChuckNorrisFacts.com
Re: [squid-users] Reverse proxy config with squid3?
Mon 2010-08-02 at 13:25 -0400, Bucci, David G wrote:
> Hi - I'm working to establish a squid accel config with squid running on the same server as an Apache instance. With Squid 2.7, the following config worked (I have Apache listening on 127.0.0.1:80):
>
> http_port 192.168.1.7:80 accel defaultsite=192.168.1.7
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=va
> acl all src all
> cache_peer_access va allow all
> http_access allow all

This config minus the all acl works just fine for me with Squid-3. Only changed the IP to match my test server IP.

Regards
Henrik
[squid-users] Reverse Proxy config chain SSL Cert files
Hello Squid users.

I am using squid 3.0 Stable15. I am trying to make an SSL reverse proxy. My config file is below.

https_port 443 cert=domain.crt key=domain.key clientca=UTNAddTrustServerCA.crt defaultsite=www.test.com vhost
cache_peer 1.1.1.1 parent 443 0 no-query originserver sslflags=DONT_VERIFY_PEER

And start squid

/etc/init.d/squid start
 * Starting Squid HTTP proxy squid
 * Creating squid cache structure
Enter PEM pass phrase:

and enter my pass. It's OK.

r...@virt:/var/log/squid# lsof -i TCP:443
COMMAND PID   USER  FD  TYPE DEVICE  SIZE NODE NAME
squid   24010 proxy 15u IPv4 1311653      TCP  *:https (LISTEN)

and port 443 is open. But I can't connect to the SSL site ( https://www.test.com. ) What can I do? I don't know how to set up squid with a chain SSL certificate. I found the log below. (cache.log)

2009/06/12 13:40:41| httpsAccept: Error allocating handle: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
2009/06/12 13:40:41| httpsAccept: Error allocating handle: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
2009/06/12 13:40:41| httpsAccept: Error allocating handle: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
2009/06/12 13:40:41| httpsAccept: Error allocating handle: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
Re: [squid-users] Reverse proxy config question
Thanks, but I have chosen 2.5 because the docs on 2.6 are scarce. Can you point me to good docs on how to reverse proxy using 2.6?

tnx
Patrick

Henrik Nordstrom wrote:
> Wed 2007-02-28 at 23:03 +0100, Patrick Donker wrote:
>> Maybe somebody is willing to help me configuring my squid 2.5.14 to both reverse proxy my hosts, and the same time act as a transparent proxy for the local net clients.
>
> Upgrade. Reverse proxying is much saner in Squid-2.6. Doing what you ask in 2.5 is a bit of a mess..
>
>> - Restrict the outside world to only use my proxy for visiting the sites on my local net (192.168.1.x / 192.168.2.x / 192.168.10.x / 192.168.100.x)
>> - Open the proxy for local net users to the internet
>
> Both done in http_access but with different ACLs.
>
> http_access allow our_networks
> http_access allow our_sites
> http_access deny all
>
> Regards
> Henrik
Re: [squid-users] Reverse proxy config question
Sat 2007-03-03 at 22:17 +0100, Patrick Donker wrote:
> Thanks, but I have chosen 2.5 because the docs on 2.6 are scarce. Can you point me to good docs on how to reverse proxy using 2.6?

At least the FAQ is up to date for 2.6

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

There are also numerous posts on squid-users, and quite likely other documents out on the web..

Regards
Henrik
Re: [squid-users] Reverse proxy config question
Wed 2007-02-28 at 23:03 +0100, Patrick Donker wrote:
> Maybe somebody is willing to help me configuring my squid 2.5.14 to both reverse proxy my hosts, and the same time act as a transparent proxy for the local net clients.

Upgrade. Reverse proxying is much saner in Squid-2.6. Doing what you ask in 2.5 is a bit of a mess..

> - Restrict the outside world to only use my proxy for visiting the sites on my local net (192.168.1.x / 192.168.2.x / 192.168.10.x / 192.168.100.x)
> - Open the proxy for local net users to the internet

Both done in http_access but with different ACLs.

http_access allow our_networks
http_access allow our_sites
http_access deny all

Regards
Henrik
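
The three http_access lines above, filled out into a Squid 2.6 fragment (an added example, not configuration from the thread). The published site name, the origin address, the peer name web1 and the port numbers are placeholders chosen for illustration; the four networks are the ones listed in the question, assumed to be /24.

```conf
# Added example, Squid 2.6 syntax.

# Reverse-proxy port facing the internet, virtual-host aware.
http_port 80 accel vhost
# Interception port for clients on the local networks.
http_port 3128 transparent

# Placeholder origin server for the published site.
cache_peer 192.168.1.10 parent 80 0 no-query originserver name=web1

# Explicit definition, as in the stock 2.6 squid.conf.
acl all src 0.0.0.0/0.0.0.0
# Who may use Squid as a general proxy: matched on the client address.
acl our_networks src 192.168.1.0/24 192.168.2.0/24 192.168.10.0/24 192.168.100.0/24
# What outsiders may ask for: matched on the requested domain (placeholder).
acl our_sites dstdomain www.example.org

# http_access is evaluated top to bottom and the first match wins:
#   local client, any destination      -> line 1 allows
#   outside client, published site     -> line 2 allows
#   outside client, any other site     -> line 3 denies (no open relay)
http_access allow our_networks
http_access allow our_sites
http_access deny all

# Only requests for the published site are handed to the origin peer;
# local clients' internet traffic goes direct.
cache_peer_access web1 allow our_sites
cache_peer_access web1 deny all
```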
[squid-users] Reverse proxy config question
Hi all,

Maybe somebody is willing to help me configuring my squid 2.5.14 to both reverse proxy my hosts, and the same time act as a transparent proxy for the local net clients. Obviously I don't want 'the net' abuse my proxy as an open relay ;)

So, basically, what I want is this:

- Restrict the outside world to only use my proxy for visiting the sites on my local net (192.168.1.x / 192.168.2.x / 192.168.10.x / 192.168.100.x)
- Open the proxy for local net users to the internet

Thanks
Patrick