Re: [squid-users] Problem with Reverse Proxy and multiple domains

From: Chris Robertson <crobertson_at_gci.net>
Date: Tue, 03 Mar 2009 11:17:41 -0900

Drew Wrobel wrote:
> I made the changes you suggested, but I started getting the following error messages in the log:
>
> 123456.com w.x.y.z - - [03/Mar/2009:12:09:45 -0500] "GET http://123456.com/ HTTP/1.1" 403 1379 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" TCP_DENIED:NONE
>
> When I went to the web site, I got the squid ERR_ACCESS_DENIED page instead.
>
> Here are the new lines that I had put in as you suggested. Not sure if I overdid it with the http_access lines.
>
> Had one question though. Since the web-server is handling both www.123456.com and 123456.com, is the first acl valid
> for both?
>
> I also took out the entries for abcdev and 987zyx and it still doesn't work. What am I missing/doing wrong?
>
>
> http_port 80 accel vhost
>
> acl 123456 dstdomain 123456.com
> acl abcdef dstdomain abcdef.com
> acl 987zyx dstdomain 987zyx.com
>

All three of the domains should be preceded by a period. Replace these
with...

acl 123456 dstdomain .123456.com
acl abcdef dstdomain .abcdef.com
acl 987zyx dstdomain .987zyx.com

>
> cache_peer_access 192.168.2.10 allow 123456
> cache_peer_access 192.168.2.10 allow abcdef
> cache_peer_access 192.168.2.10 allow 987zyx
> cache_peer_access 192.168.2.10 deny all
>

So does the host 192.168.2.10 contain the data for all three domains?
You might want to read
http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers if
not. If it does, read and follow
http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting first,
then add the redundant peers.

> http_access allow 123456
> http_access allow abcdef
> http_access allow 987zyx
>
>
> cache_peer_access 192.168.2.11 allow 123456
> cache_peer_access 192.168.2.11 allow abcdef
> cache_peer_access 192.168.2.11 allow 987zyx
> cache_peer_access 192.168.2.11 deny all
>

Same question here.

> http_access allow 123456
> http_access allow abcdef
> http_access allow 987zyx
>

These three lines are redundant, as http_access for these domains has
already been allowed.

>
> cache_peer_access 192.168.2.12 allow 123456
> cache_peer_access 192.168.2.12 allow abcdef
> cache_peer_access 192.168.2.12 allow 987zyx
> cache_peer_access 192.168.2.12 deny all
> http_access allow 123456
> http_access allow abcdef
> http_access allow 987zyx
>
> http_access deny all
> never_direct allow all

Um. I don't think you want never_direct in an acceleration setup, unless
you are setting it up in a weird way.

Chris
Received on Tue Mar 03 2009 - 20:17:50 MST
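
Added example (not part of the original message, and not Squid code): a simplified Python model of how dstdomain patterns with and without the leading period match a Host name, and how an ordered http_access list is decided by the first matching rule. The function names and the host "not123456.com" are constructed for illustration, and the model covers only the acl and http_access lines quoted in this message, not the rest of a squid.conf.

```python
# Simplified model of Squid's documented dstdomain / http_access behaviour.
# Illustration only: it ignores every other directive in squid.conf.

def dstdomain_match(pattern: str, host: str) -> bool:
    """Leading '.' matches the domain and its subdomains; otherwise exact host only."""
    pattern = pattern.lower()
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def http_access(rules, acls, host: str) -> str:
    """Walk the rules in order; the first rule whose ACL matches decides."""
    for action, acl_name in rules:
        if acl_name == "all":
            return action
        if any(dstdomain_match(p, host) for p in acls.get(acl_name, [])):
            return action
    # Nothing matched: the result is the opposite of the last rule
    # (and deny when there are no rules at all).
    last = rules[-1][0] if rules else "allow"
    return "deny" if last == "allow" else "allow"


# ACLs as originally posted (no leading period).
ORIGINAL = {"123456": ["123456.com"], "abcdef": ["abcdef.com"], "987zyx": ["987zyx.com"]}
# ACLs as suggested in the reply (leading period).
SUGGESTED = {"123456": [".123456.com"], "abcdef": [".abcdef.com"], "987zyx": [".987zyx.com"]}
# http_access lines from the message, in order.
RULES = [("allow", "123456"), ("allow", "abcdef"), ("allow", "987zyx"), ("deny", "all")]

if __name__ == "__main__":
    for label, acls in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for host in ("123456.com", "www.123456.com", "not123456.com"):
            print(f"{label:9} {host:16} -> {http_access(RULES, acls, host)}")
```

With the original ACLs only the bare domain is allowed and www.123456.com falls through to "deny all"; with the leading period both names are allowed, while a look-alike host that merely ends in the same characters is still denied.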
