I have:
1) Webserver listening on port 80 on localhost. The webserver hosts virtual domains
2) Squid listening on port80 on eth0 ( say 10.0.21.7 ) -- This private IP is NAT'ed to a public IP,
and the switch in the colocation / data centre forwards all port80 for that public IP to this private IP.
3) Squid and webserver on the same machine
4) I have the following in squid.conf ( full squid.conf is shown below ):
-----------------------------------------
http_port 10.0.21.7:80
httpd_accel_host localhost
httpd_accel_port 80
httpd_accel_uses_host_header on
-----------------------------------------
5) I have added in /etc/hosts lines such that the virtualhosts points to 127.0.0.1:
e.g.:
127.0.0.1 apps.company.com
Now when I access from my browser the virtual hostname, everything works great!
Squid receives the HTTP request, and in turn makes an HTTP request to localhost.
In fact, all virtual hostnames are working.
Now the problem that I have is that if I type in my browser just the public IP address or
the private IP address, then squid returns an HTTP 403. The reason is that
the browser is sending the HTTP Host header like this if I type in the private IP:
Host: 10.0.21.7
.. or if I type in the public IP:
Host: x.x.x.x
..where x.x.x.x is the public IP. Because of the Host header being an IP address,
squid then tries to make a connection to the said IP ( which is itself !!! ) ...
instead of making a connection to localhost. In short, it is making a connection to itself.
I confirmed this by capturing all packets on port80 on said webserver.
Here's a sample log of that squid/access.log ( 10.5.3.133 is my workstation IP,
10.0.21.7 is where squid is running )
1127465153.646 18 10.5.3.133 TCP_NEGATIVE_HIT/403 1354 GET http://10.0.21.7/ - NONE/- text/html
1127465154.237 0 10.0.21.7 TCP_DENIED/403 1339 GET http://10.0.21.7/favicon.ico - NONE/- text/html
1127465154.238 19 10.5.3.133 TCP_MISS/403 1368 GET http://10.0.21.7/favicon.ico - DIRECT/10.0.21.7 text/html
Is there any way to make squid "ignore" the Host header if the host header
is an IP address and simply make a connection to localhost???
Here's the full squid.conf:
-----------------------------------------
http_port 10.0.21.7:80
httpd_accel_host localhost
httpd_accel_port 80
httpd_accel_uses_host_header on
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
http_reply_access allow all
icp_access allow all
visible_hostname sydwb621
coredump_dir /var/spool/squid
-----------------------------------------
Received on Fri Sep 23 2005 - 02:51:47 MDT
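An added example, not code from this post or from the Squid project: a Python model of the decision the poster is asking for (a Host header that is a bare IP literal is sent to the local origin server instead of being used as the upstream address), plus a check over the three access.log lines quoted above that flags the self-forwarding symptom. The public address 192.0.2.10 is a constructed placeholder, since the post only shows x.x.x.x.

```python
import ipaddress
import re
# Addresses the accelerator listens on: 10.0.21.7 is from the post, the public
# address is a constructed placeholder (the post only shows x.x.x.x).
PROXY_ADDRS = {"10.0.21.7", "192.0.2.10"}
BACKEND = "127.0.0.1"  # the origin webserver on the same box

# Squid native access.log: time elapsed client code/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[^/\s]+)/(?P<status>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)"
    r"\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# The three access.log lines quoted in the post.
SAMPLE_LOG = [
    "1127465153.646 18 10.5.3.133 TCP_NEGATIVE_HIT/403 1354 GET http://10.0.21.7/ - NONE/- text/html",
    "1127465154.237 0 10.0.21.7 TCP_DENIED/403 1339 GET http://10.0.21.7/favicon.ico - NONE/- text/html",
    "1127465154.238 19 10.5.3.133 TCP_MISS/403 1368 GET http://10.0.21.7/favicon.ico - DIRECT/10.0.21.7 text/html",
]

def parse_line(line):
    """Log fields as a dict, or None if the line is not in native format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def backend_for(host_header):
    """Where to forward a request with this Host header: a bare IP literal is not
    a virtual host, so it goes to the local origin instead of looping back."""
    host = host_header.split(":")[0]  # IPv4 / hostname only; drops any :port
    return BACKEND if is_ip_literal(host) else host

def loop_indicators(lines):
    """Flag access.log entries that show the proxy talking to itself."""
    checks = (("client", "client is the proxy itself"),
              ("peer", "forwarded DIRECT to own address"))
    hits = []
    for e in filter(None, map(parse_line, lines)):
        reasons = [why for field, why in checks if e[field] in PROXY_ADDRS]
        if reasons:
            hits.append((e["url"], reasons))
    return hits
```

Run against the sample, the second line is flagged because the request's client is the proxy's own address, and the third because it was forwarded DIRECT to that same address; the first line, served from the negative cache, is not flagged.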