Re: [squid-users] Squid 2.6 21 as reverse-proxy and caching-proxy the same time

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 24 Dec 2010 03:05:46 +1300

On 24/12/10 01:45, Alexander Weber wrote:
> Dear Squid Gurus!
>
> I am running squid 2.6 on an IPCOP firewall as caching proxy for my internal
> network.

Well, first of all an upgrade would be worthwhile if you can. 2.6 is
very old now.

> I got 2 more servers now running an HTTPS service. Our webhoster forwards
> traffic by URL-HIDING to our dynDNS.

Please describe this "URL-HIDING" concept. Were there any technical
terms they used to describe it?

>
> a) internal clients being able to browse the web via squid
> b) HTTP website on server APP-001 available at port 80 and URL xxx.mine.nu,
> cached to the outside
> c) HTTPS website on server NAS-003 available at port 443 and URL
> xxx.mine.nu, cached to the outside
> d) HTTPS website on server APP-004 available at port 443 and URL
> xxx.mine.nu/extranet/, cached to the outside
>

NOTE: Squid will happily multiplex traffic. Requests on port 80 can go to
a backend on port 443 and vice-versa, if allowed to.

ALSO NOTE: (d) is a sub-set of (c), and handling them in that order will
prevent (d) from being done on most requests.
  I see that your config below does not match these requirements, in
that it extends (c) slightly by adding config equivalent to "except for
xxx.mine.nu/extranet/".

> In the end it should work like this:
>
> Web proxy:
> internet<---- squid transparent:800<---- internal clients browsing the web
>
> Reverse proxy:
>
> internet (xxx.mine.nu) ----> squid accel:80 ---->
> APP-001:80
> internet (xxx.mine.nu) ----> squid accel:443 ---->
> NAS-003:443
> internet (xxx.mine.nu/extranet/) ----> squid accel:443 ---->
> APP-004:443 (or :80)
>
> Based on my squid.conf I am able now to grab the standard webpage
> (APP-001:80), the /extranet/ page for APP-004 at port 80 and 443 (which
> should be only 443) but the webpage at 443 is not opening. Furthermore every

Please explain "the webpage at 443 is not opening"; this does not sound
right. From where is it not opening: a direct request to the peer? or only
when relayed through squid?

> traffic from internal network is ending now on the webserver at APP-001:80.
>

Problem #0:
  That sounds a lot like you are NAT'ing the LAN traffic to port 80
instead of to port 800.

>
> Here is my squid.conf:
>
> [CODE]
> shutdown_lifetime 1 seconds
> icp_port 0
>
> # Reverse Proxy for HTTP
>
> http_port 80 accel defaultsite=www.REALDNS.net
> # Forward ORIGIN IP to server - to be checked
> #forwarded_for on
> cache_peer 192.168.103.25 parent 80 0 no-query originserver name=app-001
> acl ndjsite dstdomain www.REAL.net
> cache_peer_access app-001 allow ndjsite
>
> # Deny - check later
> #cache_peer_access app-001 deny all
>

Problem #1:
  for all traffic arriving at "http_port 80", the defaultsite= option will
generate URLs as requests for:
     http://www.REALDNS.net/*

in order to match "www.REAL.net" you will need to use
"defaultsite=www.REAL.net" or more likely add the "vhost" option.

Also missing the http_access rule matching your cache_peer_access lines
to permit outside access to this site. These are mandatory for public
reverse-proxy.
    http_access allow ndjsite

NP: the cache_peer_access also breaks your (b) requirement that
"xxx.mine.nu" be the domain served by this peer, since that domain is
not permitted to be fetched there.

> # w/ cert for HTTPS
>
> https_port 443 accel cert=/var/ipcop/proxy/server.crt
> key=/var/ipcop/proxy/server.key defaultsite=xxx.mine.nu vhost protocol=https
>
> # Forward ORIGIN IP to server - to be checked
> #forwarded_for on
>
> # and multi host
>
> acl ndjext urlpath_regex ^/extranet
>
> cache_peer 192.168.103.20 parent 443 0 no-query originserver ssl
> name=nas-003 login=PASS
> cache_peer_access nas-003 deny ndjext

Possible problem #2:
  implicit "nas-003 allow all" ends this sequence of tests.

It's good that you had this "deny ndjext", which will allow the (d)
requirement to happen later. However you still need to follow it here
with an "allow ..." line permitting the (c) requirement domain to be
sent here.

I think you want:
   acl xmu dstdomain xxx.mine.nu
   cache_peer_access nas-003 allow xmu !ndjext
   cache_peer_access nas-003 deny all
   http_access allow xmu

>
> cache_peer 192.168.103.26 parent 443 0 no-query originserver ssl
> name=app-004 login=PASS
> cache_peer_access app-004 allow ndjext
> cache_peer_access app-004 deny ndjsite

Problem #3,4,5:
  - "allow ndjext" permits *any* website using the text "/extranet" at
start the path to be sent to this peer.
  - again the list ends with an implicit "allow all" permitting
everything to be sent here. (except the ndjsite which is denied)

I think you want:
   cache_peer_access app-004 allow xmu ndjext
   cache_peer_access app-004 deny all

>
>
> http_port 192.168.103.1:800 transparent
> http_port 192.168.105.1:800 transparent
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> cache_effective_user squid
> cache_effective_group squid
>
> pid_filename /var/run/squid.pid
>
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log none
>
> log_mime_hdrs off
> forwarded_for off
>
> # Do not modify '/var/ipcop/proxy/squid.conf' directly since any changes
> # you make will be overwritten whenever you resave proxy settings using the
> # web interface! Instead, modify the file '/var/ipcop/proxy/acl' and then
> # restart squid using the web interface. Changes made to the 'acl' file
> # will propagate to the 'squid.conf' file at that time.
> # [Scott Tregear, 22 Feb 2005]
>
> # Uncomment the following line to enable logging of User-Agent header:
> #useragent_log /var/log/squid/user_agent.log
>
> # Uncomment the following line to enable logging of Referer header:
> #referer_log /var/log/squid/referer.log
>
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 800 # Squid port (for icons)
>
> acl IPCop_http port 81
> acl IPCop_https port 445
> acl IPCop_ips dst 192.168.103.1 192.168.105.1
> acl IPCop_networks src 192.168.103.0/255.255.255.0
> 192.168.105.0/255.255.255.0
> acl no_proxy_dst dst 0/32

Bit weird that ACL. We write it in the current default config as:
   acl to_localhost dst 127.0.0.1 0.0.0.0/32

> acl CONNECT method CONNECT
>
> ##Access to squid:
> #local machine, no restriction
> http_access allow localhost
>
> #GUI admin if local machine connects
> http_access allow IPCop_ips IPCop_networks IPCop_http
> http_access allow CONNECT IPCop_ips IPCop_networks IPCop_https
>
> #Deny not web services
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> #Finally allow IPCop_networks clients
> http_access allow IPCop_networks !no_proxy_dst
> http_access deny all
>
> maximum_object_size 64768 KB
> minimum_object_size 4 KB
>
> cache_mem 10240 KB
> cache_dir aufs /var/log/cache 256 16 256
>
> request_body_max_size 0 KB
> reply_body_max_size 0 allow all
>
> visible_hostname loki.xxxxxxx.local
>
> [/CODE]
>
> My config base was the squid manpages, squidcache.org's config examples and
> these pages:
> http://www.sweetnam.eu/index.php/Reverse_Proxy_with_Squid and
> http://www.techienuggets.com/Comments?tx=94569
>
> Perhaps you can point me to some examples where a setup like mine is running
> or where I can look for a solution. Google, wiki.squid-cache.org and these
> pages are my friends already:
>
> http://blog.spench.net/2010/02/24/tips-for-setting-up-squid-in-reverse-proxy
> -web-accelerator-accel-mode/

Hmm, couple of quite nasty assumptions there. Firstly about how to run
Apache and Squid on the same machine. Then a lot of FUD about "tighten
things up".

> http://www.linux-club.de/viewtopic.php?t=24381

This one appears to be relevant for 2.5. Reverse proxy and multiple
modes were VERY different in that version and not easy.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3
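The reverse-proxy part of the quoted squid.conf, rebuilt with the points raised in the reply above (vhost on the accel ports, every cache_peer_access list closed with an explicit deny, the domain ACL ANDed with the path ACL, and matching http_access lines). This is an added example and is neither the poster's file nor anything shipped by the Squid project. Peer addresses, certificate paths and the ACL names ndjsite, ndjext and xmu are taken from the quoted config; the myport ACLs (on80, on443), using them to keep requirement (b) on port 80 and (c)/(d) on port 443, and the choice to reject rather than route a plaintext request for /extranet/ are my assumptions about what the poster wants.

```conf
# Added example (not from the original post): reverse-proxy section for
# Squid 2.6 assembled from the fixes in the reply. Peer IPs, cert paths
# and ACL names come from the quoted config; the myport ACLs and the
# handling of /extranet/ on port 80 are assumptions.

# --- listening ports ---------------------------------------------------
# vhost: build the request URL from the client's Host: header, so both
# www.REAL.net and xxx.mine.nu can be served from the same port.
# defaultsite= is only the fallback for clients that send no Host: header.
http_port 80 accel vhost defaultsite=www.REAL.net
https_port 443 accel vhost defaultsite=xxx.mine.nu protocol=https cert=/var/ipcop/proxy/server.crt key=/var/ipcop/proxy/server.key

# --- what the published sites look like --------------------------------
acl ndjsite dstdomain www.REAL.net
acl xmu     dstdomain xxx.mine.nu
acl ndjext  urlpath_regex ^/extranet
acl on80    myport 80           # assumption: which accel port the request came in on
acl on443   myport 443

# --- origin servers ----------------------------------------------------
# Every cache_peer_access list ends in an explicit "deny all". With no
# match Squid applies the opposite of the last rule, so a list that ends
# in "deny ndjext" silently allows everything else to that peer.

# (b) http://xxx.mine.nu/ (and www.REAL.net) on port 80 -> APP-001:80
cache_peer 192.168.103.25 parent 80 0 no-query originserver name=app-001
cache_peer_access app-001 allow ndjsite
cache_peer_access app-001 allow xmu on80
cache_peer_access app-001 deny all

# (d) https://xxx.mine.nu/extranet/ -> APP-004:443
# Domain AND path AND port must all match; "allow ndjext" on its own
# would send /extranet/ of any Host: header to this peer.
cache_peer 192.168.103.26 parent 443 0 no-query originserver ssl name=app-004 login=PASS
cache_peer_access app-004 allow xmu on443 ndjext
cache_peer_access app-004 deny all

# (c) everything else on https://xxx.mine.nu/ -> NAS-003:443
# (c) and (d) are now mutually exclusive, so the order of the two
# cache_peer blocks no longer matters.
cache_peer 192.168.103.20 parent 443 0 no-query originserver ssl name=nas-003 login=PASS
cache_peer_access nas-003 allow xmu on443 !ndjext
cache_peer_access nas-003 deny all

# --- who may use the accel ports ----------------------------------------
# vhost accepts any Host: header, so http_access must name the published
# sites explicitly; any other destination requested from the Internet
# falls through to the existing "http_access deny all" and the firewall
# does not become an open forward proxy on ports 80/443.
# Assumption: a plaintext request for /extranet/ is refused outright
# instead of being routed to APP-001 (requirement (d) is HTTPS only).
http_access deny on80 ndjext
http_access allow ndjsite
http_access allow xmu
```

Place the three http_access lines after the `deny !Safe_ports` / `deny CONNECT !SSL_ports` pair and before the final `http_access deny all`; on IPCop they would have to go into the acl file the generated squid.conf is built from, not into squid.conf itself. A quick check after reload is to request `https://xxx.mine.nu/extranet/` and a path outside it from outside the LAN and confirm in access.log that each one records a different peer, and that a request for any third hostname on port 80 or 443 is logged as denied rather than fetched.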
Received on Thu Dec 23 2010 - 14:05:55 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 23 2010 - 12:00:04 MST