Hello all,
Many thanks for the responses so far, I gave it a go without much
success unfortunatelly.
The errors:
2009/12/17 15:20:00| icmpSend: send: (111) Connection refused
2009/12/17 15:20:00| Closing Pinger socket on FD 18
2009/12/17 15:20:02| WARNING: Forwarding loop detected for:
Client: <cache1_IP> http_port: <cache2_IP>:80
On Thu, 2009-12-17 at 10:00 +1300, Amos Jeffries wrote:
> On Wed, 16 Dec 2009 11:50:26 +0000, "Nikolaos Pavlidis"
> <Nikolaos.Pavlidis_at_beds.ac.uk> wrote:
> > Hello all,
> >
> > I figured the easiest way to describe what I am trying to do is to...
> > draw it. First of all pardon my ignorance since I am relatively new to
> > squid. Any help will be much appreciated.
> >
> >
> > The Problem:
> >
> > Dec 9 17:42:35 cache2 squid[27234]: WARNING: Forwarding loop detected
> > for: Client: <cache1_IP> http_port: <cache2_IP>:3128 GET
> > internal://site1.domain.com/squid-internal-dynamic/netdb HTTP/1.0 Via:
> > 1.0 site1.domain.com:80 (squid) X-Forwarded-For: unknown Host:
> > <cache2_IP>:3128 Cache-Control: max-age=259200 Connection:
> > keep-alive
> >
> >
> >
> >
> > Reverse proxy Setup:
> >
> > O F5 load balanced vhost
> > | (DNS A name resolving site1.domain.com
> > | site2.domain.com
> > | site3.domain.com etc.)
> > |
> > |---------------|
> > | |
> > | |
> > cache1 O---------------O cache2
> > |
> > |
> > |
> > |
> > O---------------O--------------O
> > web1 web2 web3
> > site1 site3 site4
> > site2 site5
> >
> > Desired path:
> > 1. Request for site1
> > 2. F5 load balances request to cache1
> > 3. cache1 checks own cache
> > 4. if NO-HIT check cache2
> > 5. else go directly to web1
> >
>
> Excellent. This is a basic reverse-proxy with virtual hosting.
>
> The error you mentioned earlier indicates:
>
> 1. Request for site1
> 2. F5 load balances request to cache1
> 3. cache1: checks own cache
> 4. cache1: if NO-HIT check cache2
> 5. cache2: if NO-HIT check cache1
> 6. cache1: if NO-HIT check cache2 ... FAIL!!
> ...
>
>
> > Server:
> > 64bit SLES 11
> >
> > Configuration file (what I have done so far):
> >
> > # NETWORK OPTIONS
> > #
> >
> -----------------------------------------------------------------------------
> > http_port 80 accel defaultsite=site1.domain.com vhost
> > http_port 3128 accel defaultsite=site1.domain.com vhost
>
> There should be no need for port 3128 to be reverse-proxy as well.
> Dedicate that or another port to proxy-proxy communications.
>
Totally right, removed the whole line
"http_port 3128 accel defaultsite=site1.domain.com vhost"
> > visible_hostname site1.domain.com
> > offline_mode off
> >
> > # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> > #
> >
> -----------------------------------------------------------------------------
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > no_cache deny QUERY
> >
> > # OPTIONS WHICH AFFECT THE CACHE SIZE
> > #
> >
> -----------------------------------------------------------------------------
> > cache_mem 512 MB
> > maximum_object_size 32 KB
> > maximum_object_size_in_memory 64 Kb
> >
> > # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> > #
> >
> -----------------------------------------------------------------------------
> > cache_dir aufs /var/cache/squid 61440 16 256
> > emulate_httpd_log on
> > logfile_rotate 100
> > logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
> > "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> > access_log /var/log/squid/access.log combined
> > cache_log /var/log/squid/cache.log
> > cache_store_log /var/log/squid/store.log
> > debug_options ALL,1,33,3,20,3
> >
> > # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> > #
> >
> -----------------------------------------------------------------------------
> > auth_param basic children 10
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> > # OPTIONS FOR TUNING THE CACHE
> > #
> >
> -----------------------------------------------------------------------------
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i \.css 1440 50% 2880 override-expire
> > refresh_pattern -i \.swf 1440 50% 2880 ignore-reload
> > override-expire
> > refresh_pattern . 1440 50% 4320 override-expire
> >
> > # ACCESS CONTROLS
> > #
> >
> -----------------------------------------------------------------------------
> >
> > acl all src all
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 563 # https, snews
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl purge method PURGE
> > acl CONNECT method CONNECT
> > acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> > upgrade_http0.9 deny shoutcast
> > acl apache rep_header Server ^Apache
> > broken_vary_encoding allow apache
> >
>
> Part 1 of the problem:
>
> You are running a reverse-proxy. All of these initial http_access rules
> are forward-proxy security restrictions. In the case of the "allow all" its
> attempting to bypass the regular forward-proxy config by turning it into an
> open proxy instead.
>
> The reverse proxy config (your "UNIVERSITY SERVICES ENTRIES" settings)
> need to be set right here above the forward-proxy config.
>
>
> > http_access allow manager localhost
> > http_access deny manager
> > http_access allow purge localhost
> > http_access deny purge
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access allow all
>
> With the reverse-proxy config in the right place you can turn the basic
> security back on by changing that above line to "deny all"
>
> > http_reply_access allow all
> >
> > icp_access allow all
> >
> > ##########################################
> > ###### UNIVERSITY SERVICES ENTRIES ######
> > ##########################################
> >
> > cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
> > cache_peer <cache2_IP> parent 3128 3130 proxy-only default
>
> Part 2 of the problem:
> The above config indicates that cache2 is the primary web server (on port
> 3128) with web1 as a backup source.
>
> I believe your setup needs cache1 and cache2 in a sibling relationship as
> 'alternative' backup sources of data to each other. Siblings are checked
> before parents but a failure at sibling is not fatal to locating the file.
>
> Also requests received in port 3128 (ie from a sibling) should be denied
> forwarding to the sibling.
>
> > acl sites_web1 dstdomain site1.domain.com site2.domain.com
> > http_access allow sites_web1
> > cache_peer_access web1 allow sites_web1
> > cache_peer_access web1 deny all
> >
Ok I gave it a go, looks like that:
# reverce-proxy configuration
#
-----------------------------------------------------------------------------
cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
cache_peer <cache2_IP> sibling 80 3130 proxy-only
acl sites_www dstdomain site1.domain.com site2.domain.com
acl from_cache2 src <cache2_IP>
cache_peer_access cache2 deny from_cache2
http_access allow sites_web1
cache_peer_access web1 allow sites_web1
cache_peer_access web1 deny all
# forward-proxy security restrictions
#
-----------------------------------------------------------------------------
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
acl cache2 src <cache2_IP>
icp_access allow cache2
icp_access deny all
> > # ADMINISTRATIVE PARAMETERS
> > #
> >
> -----------------------------------------------------------------------------
> >
> > shutdown_lifetime 3 second
> > httpd_suppress_version_string on
> > cache_mgr cachemgr_at_domain.com
> >
> > # ICP OPTIONS
> > #
> >
> -----------------------------------------------------------------------------
> >
> > log_icp_queries on
> >
> > # MISCELLANEOUS
> > #
> >
> -----------------------------------------------------------------------------
> >
> > memory_pools_limit 1024 MB
> >
> > # DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
> > #
> >
> -----------------------------------------------------------------------------
> >
> > coredump_dir /var/spool/squid
> >
> > -------------------------EO Configuration file -------------------------
> >
> > Any comments on the configuration would be much appreciated. Thank you
> > in advance.
> >
> > Kind regards,
> >
> > Nik
Many thanks in advance for all your help.
Kind regards,
Nik
-- Nikolaos Pavlidis BSc (Hons) MBCS NCLP CEH CHFI Systems Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 (Ext 2277)Received on Thu Dec 17 2009 - 15:49:39 MST
This archive was generated by hypermail 2.2.0 : Fri Dec 18 2009 - 12:00:02 MST