RE: [squid-users] forward and reverse proxy with squid 3.2

From: Dean Weimer <dweimer_at_orscheln.com>
Date: Fri, 16 Sep 2011 08:12:54 -0500

> -----Original Message-----
> From: Erich Titl [mailto:erich.titl_at_think.ch]
> Sent: Friday, September 16, 2011 3:35 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] forward and reverse proxy with squid 3.2
>
> Hi Folks
>
> I need to replace my squid proxy running on a Debian Lenny, because the
> version provided does not handle ssl.
>
> I managed with some tweaks to the makefile (especially for the link
> phase) to compile 3.2.0.11, the configuration changes though appear to
> make it impossible to run a normal and reverse proxy in the same
> instance.
>
> I copied most of the configuration files from the old installation,
> hoping they would not be too different.
>
> My new installation runs fine as a normal proxy, as soon as I include
> the reverse proxy configuration, everything is sent to the peer
> mentioned there.
>
> ####################################################################################
> # squid reverse proxy settings
> # content shamelessly adapted from
> # http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
> # Copyleft 2009 erich.titl_at_think.ch
> ####################################################################################
>
> http_port 80 accel
>
> # peer servicedesk
> cache_peer servicedesk.ruf.ch parent 80 0 no-query originserver name=servicedesk
>
> acl sites_server_1 dstdomain servicedesk.ruf.ch
> cache_peer_access servicedesk allow sites_server_1
> http_access allow sites_server_1
> ####################################################################################
>
> It appears that the cache_peer directive now takes precedence.
>
> cheers
>
> Erich

Erich,
        I ran into this when switching to the 3.x branch from 2.x. You
need to answer on a second port for the forward proxy requests. This
setup works in 3.1.x; I haven't tried it in 3.2.x versions, but I
believe this should work in it as well.

http_port 80 accel
http_port 3128
# If using https on reverse proxy as well
https_port 443 accel cert=/usr/local/squid/etc/certs/chain.crt key=/usr/local/squid/etc/certs/cert.key options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

Make sure to include the proper access list entries so that you don't
open the forward proxy to the world when allowing access to the reverse
proxy port. The server will answer on http and https on ports 80 and
443 and direct those to the parent server; when connected to on port
3128 it will function as a standard forward proxy service for your
internal users.

Dean
Received on Fri Sep 16 2011 - 13:13:40 MDT
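
An added example, not part of Dean's message or of the Squid project's own documentation: one way to write the access list entries the reply calls for, binding each rule to the port the request arrived on so that the reverse proxy rule cannot be used to reach the forward proxy. The ports, peer and dstdomain come from the thread; the name= labels, the ACL names reverse_port, forward_port and internal_users, and the 192.0.2.0/24 network are assumptions to be replaced with local values.

```conf
# Listening ports as in the reply above, each given a label (name= is an
# assumption added here so that ACLs can refer to the port by name).
http_port 80 accel name=reverse_http
http_port 3128 name=forward

# Which port did the request arrive on?
acl reverse_port myportname reverse_http
acl forward_port myportname forward

# Published site (from the original post).
acl sites_server_1 dstdomain servicedesk.ruf.ch

# Clients allowed to use the forward proxy.
# 192.0.2.0/24 is a placeholder: substitute the internal network(s).
acl internal_users src 192.0.2.0/24

# Origin server behind the reverse proxy (from the original post).
cache_peer servicedesk.ruf.ch parent 80 0 no-query originserver name=servicedesk

# Only requests that came in on the accel port for the published site
# are handed to the origin peer; forward proxy traffic never is.
cache_peer_access servicedesk allow reverse_port sites_server_1
cache_peer_access servicedesk deny all

# Reverse proxy: any client, but only the published site, and only on
# the accel port. Anything else arriving on that port is refused, so
# port 80 cannot be used as an open forward proxy.
http_access allow reverse_port sites_server_1
http_access deny reverse_port

# Forward proxy: internal clients only, and only on port 3128.
# Keep the stock Safe_ports / CONNECT deny rules from the default
# squid.conf above this line.
http_access allow forward_port internal_users

# Everything else is refused.
http_access deny all
```

If the https_port line is used as well, give it its own name= label and list that label in the reverse_port ACL so the same rules cover port 443.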
