Re: [squid-users] Internet facing proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 05 Dec 2008 13:28:29 +1300

Simon Powell wrote:
> OK - so just to clarify. I want authenticated requests from the outside world to hit my server at internal address of 172.30.0.18
> So I add the following lines in to my conf file:-
>
> http_port 8080 accel defaultsite=avupdate.domain.com (as in 'proper' DNS name for site as far as outside world is concerned)
>
> Then:-
>
> cache_peer 172.30.0.18 parent 8080 0 no-query originserver name=myAccel (for this is the internal IP of the webserver - it should be the only site on it but I will add a vhost onto the first line if this is not the case).
>
> Does this stack up?

Almost. ...

These bits are really important as this is the actual routing logic:

        acl myDomain dstdomain avupdate.domain.com
        http_access allow myDomain
        never_direct allow myDomain
        cache_peer_access myAccel allow myDomain
        cache_peer_access myAccel deny all

and DNS pointing at the Squid machine IP for public access

Amos

> Cheers
> Si
>
> ________________________________________
> From: Amos Jeffries [squid3_at_treenet.co.nz]
> Sent: 04 December 2008 13:19
> To: Simon Powell
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Internet facing proxy
>
> cabletastic wrote:
>> Greetings,
>> I have a setup I am close (but no cigar) to getting working. I would like an
>> Active Directory authenticated inbound proxy to pass authenticated requests
>> to our anti-virus subscription server internally. My setup 'works' to this
>> degree - I can connect to the proxy on the port I designated at
>> avtest.domain.com, it then prompts me for AD credentials and this works all
>> fine. However when it then goes to avupdate.domain.com it goes back out on
>> to the internet and loops back into the firewall to get to the address
>> (proxy and update server are obviously on same network....) despite the
>> proxy having an internal link and internal DNS to the update server. So -
>> what I actually want is that I connect over the net to the proxy,
>> authenticate with AD credentials and the server then acts as a true inbound
>> proxy and takes me to the internal address of the avupdate.domain.com server
>> instead of looping back out to get to it over an internet connection. I
>> could of course cheat and modify my firewall rule to only allow traffic from
>> said proxy's external address but I would really rather do this the correct
>> way.
>> Hope this makes sense as it does seem somewhat rambling!
>> Cheers
>> Si
>>
>
> Please read the documentation on correctly configuring "Reverse Proxy"
> at http://wiki.squid-cache.org/SquidFaq/ReverseProxy
> under "How do I set it up?"
>
> With correctly configured cache_peer lines, DNS never becomes involved
> and all requests go to the pre-configured internal servers just fine.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
> Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1
Received on Fri Dec 05 2008 - 00:28:37 MST
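
Added example (not part of the original thread, and not Squid project code): a small Python check for the reverse-proxy routing directives discussed above, flagging access rules with no allow/deny keyword and rules that name an ACL or peer not defined earlier in the file. Assumptions: names are compared case-sensitively, the "all" ACL is already defined, and the sample config is constructed from the directives quoted in the thread.

```python
# Added example: lints the accelerator routing rules discussed in this thread.
# Assumptions: names are compared case-sensitively; the "all" ACL is already defined.
ACTIONS = {"allow", "deny"}
ACCESS_DIRECTIVES = {"http_access", "never_direct", "cache_peer_access"}

# Constructed sample assembled from the directives quoted in the thread.
GOOD_CONF = """\
http_port 8080 accel defaultsite=avupdate.domain.com
cache_peer 172.30.0.18 parent 8080 0 no-query originserver name=myAccel
acl myDomain dstdomain avupdate.domain.com
http_access allow myDomain
never_direct allow myDomain
cache_peer_access myAccel allow myDomain
cache_peer_access myAccel deny all
"""

def lint_accel_conf(text):
    """Return [(line_no, message)] for problems found in the access rules."""
    acls, peers, problems = {"all"}, set(), []
    # Single top-down pass: a name must be defined before a rule uses it.
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        directive, args = tok[0], tok[1:]
        if directive == "acl" and args:
            acls.add(args[0])
        elif directive == "cache_peer" and args:
            # A peer is referenced by its name= option, else by its hostname.
            named = [a[5:] for a in args if a.startswith("name=")]
            peers.add(named[0] if named else args[0])
        elif directive in ACCESS_DIRECTIVES:
            if directive == "cache_peer_access":
                if not args or args[0] not in peers:
                    problems.append((no, "cache_peer_access: unknown peer"))
                    continue
                args = args[1:]
            if not args or args[0] not in ACTIONS:
                problems.append((no, f"{directive}: missing allow/deny"))
            else:
                args = args[1:]
            for name in args:
                if name.lstrip("!") not in acls:
                    problems.append((no, f"{directive}: undefined acl {name}"))
    return problems

if __name__ == "__main__":
    for no, msg in lint_accel_conf(GOOD_CONF):
        print(f"line {no}: {msg}")
```

This is a quick pre-check only; Squid's own parser has the final say on whether the file is accepted.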
