Re: Squid ReverseProxy with vhost vport - Problem

On Wed, 20 Jul 2011 16:34:28 +0200, tim.schmeling@xxxxxxxxxxx wrote:
Hi Squid-Users,

I have a big problem and I hope that anyone can help me.
I would like to set up a Squid reverse proxy with IP-based virtual hosts in
Apache.

Client -> Pound (10.1.24.145:80) -> Squid (10.1.24.145:3007) -> Apache
(127.0.0.1:3007)

Virtual hosts in Apache work perfectly, but the following error occurs when
I try to connect over Pound/Squid:

access.log from squid:
1311171399.324 157 10.1.24.145 TCP_MISS/503 4014 GET http://sub3007/ -
DIRECT/127.0.0.1 text/html

The cache.log tells me:
...
2011/07/20 16:16:39.166| parseHttpRequest: req_hdr = {Host: sub3007
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cache-Control: max-age=0
X-Forwarded-For: 10.1.24.81
}
2011/07/20 16:16:39.166| parseHttpRequest: end = {
...


Squid tries to connect to Apache at 127.0.0.1:80, but this is wrong;
it might be 127.0.0.1:3007 (the vport).

Here is my squid.conf:

http_port 10.1.24.145:3007 vhost vport
http_port 10.1.24.145:3008 vhost vport

First you want to add "accel" as the first option on those lines. This is not strictly required by the current popular releases, but will help with future upgrades to 3.1+ versions which do require it.

...
here are some ACLs
...
acl Safe_ports port 3000-3030
http_access deny !Safe_ports
http_access deny deniedrequest
http_access allow internurl intraweb
http_access allow adminurl intraweb
http_access allow adminurl admin
http_access allow extern
http_access deny intraweb
http_access deny admin
http_access deny deniedbrowser
http_access allow aha_my_test
http_access deny all
cache deny all
httpd_suppress_version_string on
always_direct allow all

This is part of the problem. "always_direct" forces Squid to perform DNS resolution and make use of the IP/ports found.
Use cache_peer instead, like so:


cache_peer 127.0.0.1 parent 3007 0 originserver name=apache3007
cache_peer 127.0.0.1 parent 3008 0 originserver name=apache3008

acl port3007 myportname 10.1.24.145:3007
acl port3008 myportname 10.1.24.145:3008

cache_peer_access apache3007 allow port3007
cache_peer_access apache3008 allow port3008


Or you can avoid the whole double-port thing by using name-based virtual hosting in Apache. Pound is clearly passing the domain name through properly. Using cache_peer and avoiding always_direct will make Squid pass it through properly as well.


max_open_disk_fds 8192
coredump_dir /usr/local/squid/var/cache


Can anyone help me?

Every time we 'fix' this we get complaints from people wanting the opposite behaviour or suddenly getting breakage. We for now have this behaviour: Squid should obey Host: port when "vport" is given, and ignore it when vport is omitted (using http_port value if none is pulled in indirectly by vhost anyway), and override/replace it when "vport=N" is given.

So your config tells Squid to use what Pound supplies (default 80). You can avoid that by either getting Pound to stop adding the unusual port to the header, or using vport=80 in squid.

Amos
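The port-selection rule Amos describes (bare "vport" obeys the Host: header port, an omitted vport uses the http_port value, "vport=N" overrides it) together with the myportname-based cache_peer routing, as an added Python model written for this archive page. It is not Squid code; the request text is a constructed sample modelled on the cache.log excerpt above, and HttpPort/origin_port/select_peer are names chosen here.

```python
"""Model of how Squid picks an origin port for a reverse-proxy request,
following the rules given in the reply above. Added illustration, not
Squid source. The sample request below is constructed for this page."""
from dataclasses import dataclass
from typing import Optional, Union

SAMPLE_REQUEST = (  # constructed, modelled on the cache.log excerpt
    "GET / HTTP/1.1\r\n"
    "Host: sub3007\r\n"
    "X-Forwarded-For: 10.1.24.81\r\n"
    "Connection: keep-alive\r\n\r\n"
)

@dataclass
class HttpPort:
    address: str                   # listening address, e.g. "10.1.24.145"
    port: int                      # listening port, e.g. 3007
    vhost: bool = False
    vport: Union[None, bool, int] = None  # None=omitted, True="vport", int="vport=N"

def host_header(raw: str) -> Optional[str]:
    """Return the Host: header value of a raw HTTP/1.1 request, if present."""
    for line in raw.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None

def origin_port(http_port: HttpPort, host: Optional[str]) -> int:
    """Port Squid would use for the origin under the vport rules above."""
    if isinstance(http_port.vport, int) and not isinstance(http_port.vport, bool):
        return http_port.vport                   # vport=N: override/replace
    if http_port.vport is True:                  # bare vport: obey Host: port
        if host and ":" in host:
            return int(host.rsplit(":", 1)[1])
        return 80                                # no port in Host: -> default 80
    return http_port.port                        # vport omitted: http_port value

def select_peer(http_port: HttpPort, peers: dict) -> Optional[str]:
    """cache_peer_access via 'acl NAME myportname ADDR:PORT' -> peer name."""
    return peers.get(f"{http_port.address}:{http_port.port}")

# Mirrors the two cache_peer / myportname pairs from the reply above
PEERS = {"10.1.24.145:3007": "apache3007", "10.1.24.145:3008": "apache3008"}

if __name__ == "__main__":
    listener = HttpPort("10.1.24.145", 3007, vhost=True, vport=True)
    host = host_header(SAMPLE_REQUEST)
    print(origin_port(listener, host))   # 80: the behaviour seen in the thread
    print(select_peer(listener, PEERS))  # apache3007: cache_peer routing instead
```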



