hello
if i understand correctly, you have squid running on port 80? or is the port
80 traffic on the LAN mapped to 3128 on the squid cache (default, otherwise
some other port) .... ?
so, no browser on your network is configured to use a proxy, the firewall
just bounces the traffic to the cache.
that is what it sounds like you are doing, please let me know if this is not
correct.
couple of comments -
a) what are you doing with the httpd_accel options? i don't believe these
will deliver a solution.
b) squid is completely compatible with host header virtual hosting - i
haven't seen any trouble. you can verify this by looking at your web server
logs.
a quick thing to check, if you don't want to tinker with other
settings/options first - however may not be prudent - : make sure that
either a) dns (port 53 tcp/udp) is available to the clients in the case of
an external name server, or b) the clients are in fact getting the name
resolutions from an internal machine. if you have your firewall set up to
bounce traffic and no proxy options on the browser, name resolution will
occur at the client not the server.
(you really should have an internal nameserver running to improve
performance)
HOWEVER what i suggest is at minimum blocking port 80 and 443 traffic from
your clients altogether, set up squid to listen on 3128 (default) or some
other port, and have each client configured to use your squid server as a
proxy by explicitly specifying the address and port in the browser settings.
make sure the squid machine can perform name lookups, and verify internal
lookups are correct. drop the bounce and redirect scheme...
of course if you have a ton of clients to configure then manually setting up
the clients could be a real pain, however my intuition tells me that you
won't have much luck using the firewall to solve the problem quick and
dirty. (perhaps some others can comment about this a bit and give some
better analysis/solution).
the only trouble you will likely have will be with software that doesn't
care about proxy settings (i have seen a lot of "live update" kinds of
things bomb out) and the windows "active" desktop (i haven't 100% verified
this but from what i have seen the windows desktop with internet content
doesn't give a care about your proxy settings (ie, they won't work if you
have port 80, etc blocked).
-- can you successfully use the squid cache from the squid server itself? you
can make tests using lynx, wget etc.... if you don't have an x server /
window environment running.
hopefully some of this helps!!!
take care
waitman gobble
emk design
buena park, california
+1.7145222528
http://emkdesign.com
----- Original Message -----
From: <rdiaz@nbframing.com>
To: <squid-users@squid-cache.org>
Sent: Tuesday, August 06, 2002 6:58 AM
Subject: [squid-users] Squid and virtual hosts
> I am new to using squid and have been trying to implement it at my
> company for the past few days. So far, it has been working great with
> only a few small bumps. The most significant of which is the apparent
> lack of support for virtual hosts.
>
> My configuration is as follows: Squid 2.4.STABLE7 running on RedHat
> 7.3. This machine sits on our local network behind a Watchguard
> firewall, on the trusted interface. I have the firewall configured to
> forward all HTTP requests to the squid proxy on the internal network.
> There is a rule in place on the firewall that allows the proxy to
> access the Internet. This appears to be working well.
>
> We also have a web server sitting on the optional/dmz interface of the
> firewall that hosts a few sites. The server has a single public IP
> address. It does not have a private IP address on the local network.
> It uses host headers to direct users to the correct site.
>
> Users outside of the firewall have no problem accessing any of the
> sites. Users inside the firewall cannot access any site. Their
> browser will eventually timeout.
>
> I have researched this topic for a few days, and cannot find a
> solution. I played around with the httpd_accel options to no avail.
> I would appreciate any insight you might have into this configuration.
>
> Thank you.
>
> Sincerely,
> RD
>
> P.S. I originally posted this to the newsgroup via DejaNews unaware of the
> mailing list. I apologize for the duplication.
>
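The explicit-proxy arrangement the reply recommends (squid on 3128, browsers pointed at it directly, squid doing the name lookups, no httpd_accel directives) as an added squid.conf fragment; this is not configuration from either poster, and the hostname, the internal resolver address, the LAN range and the 2.4-era `acl all` line are assumptions:

```conf
# Added example: a plain forward-proxy squid.conf for the setup the reply
# recommends. Not from either message; addresses and names are made up.

# Listen on the default proxy port; each browser is pointed at
# <squid-host>:3128 explicitly. No httpd_accel_* directives appear here:
# this is neither an accelerator nor an interception setup.
http_port 3128

# Name the proxy so error pages and logs identify it (assumed hostname).
visible_hostname proxy.example.internal

# Squid, not the client, resolves names, against the internal resolver
# the reply says you should be running (assumed address).
dns_nameservers 192.168.1.2

# Squid 2.x needs "all" defined by hand; later releases define it built in.
acl all src 0.0.0.0/0.0.0.0

# Which clients may use the proxy (assumed LAN range).
acl localnet src 192.168.1.0/24

# Destination ports clients may reach through the proxy, and which of them
# may be tunnelled with CONNECT (HTTPS).
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# http_access is first match wins: refuse odd ports, refuse CONNECT to
# anything but SSL ports, allow the LAN, refuse everyone else.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

With this in place the firewall only needs to let the squid host itself out on 80 and 443 and can drop direct 80/443 traffic from the rest of the LAN, which is the "block the clients altogether" step the reply describes. The local test the reply suggests can be run on the squid box as `http_proxy=http://127.0.0.1:3128 wget -O /dev/null http://www.example.com/`; a hit in access.log confirms the proxy path, and a name-resolution failure there points at `dns_nameservers` rather than at the clients.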
Received on Tue Aug 06 2002 - 08:36:34 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:31 MST