Re: [squid-users] Pass through some requests in a reversed-proxy setup

From: Amos Jeffries <[email protected]>
Date: Sat, 27 Oct 2007 15:12:54 +1300

Rune Langseid wrote:
> Hi there,
>
> I'm trying to set up a reverse-proxy in front of an CMS.

Ok.

> Since there are both anonymous users, and logged in users accessing this
> system I only want to serve squid-cache to the anonymous users.

WHY? Surey yoru authenticated users are allowed to do the same things as
anonymous (plus some extras only for them)

> I was thinking of setting a cookie called "Authenticated" when the user
> logs in as this is easy to check with "acl"
>
> Like this:
> acl cookie_is_set req_header Cookie ^.*Authenticated.*
>
> However, I am facing a few problems then trying to let these user
> through Squid.
>
> I have tried this:
> acl cookie_is_set req_header Cookie ^.*Authenticated.*
> cache deny cookie_is_set
>
> This setup works in a way, but Squid also deletes the cache-object used
> by the anonymous users which is something I don't want. Could this be a
> bug?

Sort-of. Squid does not fully support HTTP/1.1 - this type of URL
differences are part of the HTTP/1.1 support.
If its still occuring when squid is apparently HTTP/1.1 compliant then
it will be a bug.

> I have also been experimenting with "always_direct" with no luck.
> Like this:
> always_direct allow cookie_is_set
>
> I guess I am missing something important here...

always_direct bypasses the peer config you have for matching requests.

> Is there another way to solve this?
> Eg by using cache_peer and cache_peer_access?
>

Possibly. If you wanted one or other type of user not to be able to
request new content from the peer.

What I suspect is that you actually want to use:
  miss_access deny !cookie_is_set

That way authenticated users are allowed to pull new objects int the
cache. and non-authenticated are only allowed to use those already
pulled in by somebody else.

Your CMS should be setting Expires: and Cache-Control: headers properly
to control which items are storable in the cache and which need to be
refreshed.

>
> I'm using Squid 2.6.5, and my squid.conf looks like this:
> --
> cache_peer localhost parent 80 0 originserver
> http_port 8080 vhost
>
> acl cookie_is_set req_header Cookie ^.*Authenticated.*
> cache deny cookie_is_set
>
> #always_direct allow cookie_is_set
>
> acl all src 0.0.0.0/0.0.0.0
> http_access allow all

So by that config I read that you want ANYBODY to be able to access any
website through your proxy at port 8080?

I'd use:
- cache_peer_domain or cache_peer_access to limit the possible
destinations to those your peer provides.
- never_direct to prevent requests the CMS is not meant to provide

Also cookie's can be forged or spoofed easily. If you can try to setup
some proper authentication. The auth_param programs can be an easily
hand-coded script to test USER/PASS against anything you want.
That also allows the users use their familiar browser login controls for
your site.

Amos
Received on Fri Oct 26 2007 - 20:12:58 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:02 MDT