[squid-users] RE: Reverse Proxy that listens and forwards to multiple ports to the same backend server

From: Andy Litzinger <Andy.Litzinger_at_theplatform.com>
Date: Wed, 12 Aug 2009 12:04:04 -0700

I may have solved my own issue. It looks like my acl should use 'myport' instead of 'port'.

e.g. acl our_http_port port 80
should be:
acl our_http_port myport 80

I'm not sure I understand the difference or why this works, so I'd be happy to hear an explanation from anyone who knows.

-andy

> -----Original Message-----
> From: Andy Litzinger
> Sent: Wednesday, August 12, 2009 10:30 AM
> To: Andy Litzinger; squid-users_at_squid-cache.org
> Subject: RE: Reverse Proxy that listens and forwards to multiple ports
> to the same backend server
>
> I should have mentioned I am running Squid3.0 Stable 18
>
> > -----Original Message-----
> > From: Andy Litzinger
> > Sent: Wednesday, August 12, 2009 10:03 AM
> > To: 'squid-users_at_squid-cache.org'
> > Subject: Reverse Proxy that listens and forwards to multiple ports to
> > the same backend server
> >
> > Hi all,
> > I'm banging my head on what I think should be a simple config. I
> > want squid to receive requests on port 80 and forward them on to the
> > origin server on port 80. I also want squid to receive requests on
> > port 8081 and forward requests to the same origin server on port
> > 8081.
> >
> > I have a Load Balancer (BigIP) sitting in front of my Squid server and
> > the origin server Squid points to is also actually a VIP on the LB that
> > sits in front of a pool of real origin servers.
> >
> > The goal is simple proxy- I'm not caching anything (that is working
> > fine).
> >
> > Clients connect to http/https://my.test.com
> > This resolves in my DNS to 192.168.94.225, a VIP hosted on the LB that
> > forwards traffic on to Squid.
> > The origin server VIP for the content is 192.168.94.226
> >
> >
> > This is what the flows should look like focusing only on the
> > destination TCP port as it goes through each device:
> > Desired HTTP request flow:
> > Request port 80 ---> LB ---> request port 80 ---> Squid ---> request
> > port 80 ---> origin VIP on LB ----> request port 8080 ---> server
> > listening on port 8080
> >
> > Desired HTTPS request flow:
> > Request port 443 ---> LB (SSL offload) ---> request port 8081 --->
> > Squid ---> request port 8081 ---> Origin VIP on LB ----> request port
> > 8081 ---> server listening on port 8081
> >
> >
> > What I see happening for the HTTPS requests is that the request arrives
> > properly at the squid server on port 8081, but squid forwards the
> > request to the Origin VIP on port 80 instead of 8081.
> >
> > Here is the config I'm trying:
> >
> > http_port 80 accel defaultsite=my.test.com
> > http_port 8081 accel defaultsite=my.test.com
> > icp_port 0
> > htcp_port 0
> > snmp_port 3401
> >
> > debug_options ALL,1 33,2
> >
> > cache_peer 192.168.94.226 parent 80 0 no-query no-digest originserver name=my_test
> > cache_peer 192.168.94.226 parent 8081 0 no-query no-digest originserver name=my_test_ssl
> >
> > acl our_http_port port 80
> > acl our_ssl_port port 8081
> > acl my_test_dom dstdomain my.test.com
> >
> > cache_peer_access my_test_ssl allow our_ssl_port my_test_dom
> > cache_peer_access my_test_ssl deny all
> >
> > cache_peer_access my_test allow our_http_port my_test_dom
> > cache_peer_access my_test deny all
> >
> > # acl to block caching
> > acl our_sites dstdomain .test.com
> > # acl listing the IP of each vip
> > acl vips dst 192.168.94.225
> > acl acceleratedPort port 80 8081
> >
> > # we do NOT want the responses to
> > # any requests to be cached.
> > cache deny our_sites
> > # Allow requests to make it through to the VIPs
> > # but only on the expected ports
> > http_access allow vips acceleratedPort
> > http_access deny all
> > http_reply_access allow all
> >
> > cache_effective_user squid
> > cache_effective_group squid
> > visible_hostname testproxy.test.com
> > unique_hostname testsquid01
> >
> > client_db off
> > uri_whitespace allow
> > strip_query_terms off
> > relaxed_header_parser on
> > minimum_expiry_time 30 seconds
> >
> > request_header_access Accept-Encoding deny all
> >
> > any suggestions?
> >
> > Thanks!
> > Andy
Received on Wed Aug 12 2009 - 19:04:16 MDT
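
A simplified model of why the 'port' ACL sent the 8081 traffic to the port-80 peer while 'myport' did not, added here as an illustration (not code from the original post or from Squid). It assumes that in accelerator mode with only defaultsite= the request URL is rebuilt as http://my.test.com/... with no explicit port, that 'port' tests the URL's port, and that 'myport' tests the listening port the connection arrived on; all function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed model of the squid.conf quoted in this thread (not Squid code).
DEFAULTSITE = "my.test.com"   # http_port 80/8081 accel defaultsite=my.test.com
# cache_peer_access rules in config order: (peer name, origin port, ACL port)
PEER_RULES = [("my_test_ssl", 8081, 8081), ("my_test", 80, 80)]

def accel_url(path):
    """Assumption: with only defaultsite= (no vhost/vport) the URL is rebuilt
    from defaultsite, so it carries no explicit port."""
    return f"http://{DEFAULTSITE}{path}"

def acl_port(url, wanted):
    """'port' ACL: tests the destination port of the request URL (80 if absent)."""
    return (urlsplit(url).port or 80) == wanted

def acl_myport(listen_port, wanted):
    """'myport' ACL: tests the local port the client connection arrived on."""
    return listen_port == wanted

def select_peer(listen_port, path, acl_type):
    """Return (peer name, origin port) chosen for a request, or None."""
    url = accel_url(path)
    in_domain = urlsplit(url).hostname == DEFAULTSITE   # acl my_test_dom
    for name, origin_port, acl_value in PEER_RULES:
        if acl_type == "port":
            port_ok = acl_port(url, acl_value)
        else:
            port_ok = acl_myport(listen_port, acl_value)
        if port_ok and in_domain:
            return name, origin_port
    return None

if __name__ == "__main__":
    # Compare both ACL types for requests arriving on each listener.
    for acl_type in ("port", "myport"):
        for listen_port in (80, 8081):
            print(acl_type, listen_port, "->", select_peer(listen_port, "/", acl_type))
```

Under this model the same distinction applies to 'acl acceleratedPort port 80 8081' in the http_access rule: it restricts the port in the rebuilt URL, not the listener the request arrived on.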

This archive was generated by hypermail 2.2.0 : Thu Aug 13 2009 - 12:00:03 MDT