> -----Original Message-----
> From: Erich Titl [mailto:erich.titl_at_think.ch]
> Sent: Friday, September 16, 2011 8:28 AM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] forward and reverse proxy with squid 3.2
>
> Hi Dean
>
> at 16.09.2011 15:12, Dean Weimer wrote:
> >> -----Original Message-----
> >> From: Erich Titl [mailto:erich.titl_at_think.ch]
> >> Sent: Friday, September 16, 2011 3:35 AM
> >> To: squid-users_at_squid-cache.org
> >> Subject: [squid-users] forward and reverse proxy with squid 3.2
> >>
> >> Hi Folks
> >>
> >> I need to replace my squid proxy running on a Debian Lenny, because
> > the
> >> version provided does not handle ssl.
> >>
> >> I managed with some tweaks to the makefile (especially for the link
> >> phase) to compile 3.2.0.11, the configuration changes though apear
to
> >> make it impossible to run a normal and reverse proxy in the same
> > instance.
> >>
> >> I copied most of the configuration files from the old installation,
> >> hoping they would not to be too different.
> >>
> >> My new installation runs fine as a normal proxy, as soon as I
include
> >> the reverse proxy configuration, everything is sent to the peer
> >> mentioned there.
> >>
> >>
> ##########################################################
> >> ##########################
> >> # squid reverse proxy settings
> >> # content shamelessly adapted from
> >> #
> >> http://wiki.squid-
> >> cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
> >> # Copyleft 2009 erich.titl_at_think.ch
> >>
> ##########################################################
> >> ##########################
> >>
> >> http_port 80 accel
> >>
> >> # peer servicedesk
> >> cache_peer servicedesk.ruf.ch parent 80 0 no-query originserver
> >> name=servicedesk
> >>
> >> acl sites_server_1 dstdomain servicedesk.ruf.ch
> >> cache_peer_access servicedesk allow sites_server_1
> >> http_access allow sites_server_1
> >>
> ##########################################################
> >> ###############################
> >>
> >> It appears that the cache_peer directive now takes precedence.
> >>
> >> cheers
> >>
> >> Erich
> >
> > Erich,
> > I ran into this when switching to the 3.x branch from 2.x, you
> > need to answer on a second port for the forward proxy requests, this
> > setup works in 3.1.x, I haven't tried it in 3.2.x versions, but I
> > believe this should work in it as well.
> >
> > http_port 80 accel
> > http_port 3128
> > # If using https on reverse proxy as well
> > https_port 443 accel cert=/usr/local/squid/etc/certs/chain.crt
> > key=/usr/local/squid/etc/certs/cert.key options=NO_SSLv2
> >
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SS
> Lv2
>
> I have a forward proxy defined on 8080 and it works well until I
include
> the reverse proxy configuration. Then everything goes to the cache
peer
> defined for that vhost. What does your cache peer look like?
>
> Thanks
>
> Erich
Perhaps it's the cache_peer_domain lines that you need, I have sanitized
these entries, I am actually using a vhost configuration with multiple
peers on port 80, and a single peer on https.
cache_peer 1.1.1.1 parent 80 0 proxy-only no-query originserver
name=HTTPPEER
cache_peer_domain HTTPPEER www.domain.com
cache_peer 1.1.1.1 parent 443 0 ssl no-query originserver
name=HTTPSPEER
cache_peer_domain HTTPSPEER www.domain.com
My forward proxy is also using a parent cache, which makes the ACLs and
rules likely quite a bit different, but I don't appear to have any allow
deny rules for the parent peers used in the reverse proxy settings, so
it looks like the cache_peer_domain is doing all the work in deciding
what goes to the parents via the reverse proxy function, and what goes
to the forward parent server. The only ACLs and rules I have setup are
allowing and denying access to the forward proxy port.
Received on Fri Sep 16 2011 - 13:49:11 MDT
This archive was generated by hypermail 2.2.0 : Sat Sep 17 2011 - 12:00:02 MDT