Re: [squid-users] squid config help required

From: Colin Coe <colin.coe_at_gmail.com>
Date: Fri, 29 Apr 2011 15:25:51 +0800

Hi Amos, many thanks for the prompt and detailed reply.

I have made the suggested changes with some improvements.

I should have advised of the version I'm using. This is a RHEL 6 box
with v3.1.4 and I'd prefer to stick with RH if at all possible,

All nodes use static IP addresses and I control the DNS (and rDNS) for
this domain. Every node with an A record has a corresponding PTR
record.

When I browse to rhevm.test.company.com (the reverse proxy URL), I end
up being redirected to the HTTPS site, not the HTTP site. I note that
the URL has changed from rhevm.test.company.com to
virtman.test.company.com (the real FQDN). Any ideas on how I'd stop
this changing?

The node virtman.test.company.com runs two sites, one HTTP and one
HTTPS. The HTTPS site is where you are taken if you don't specify a
http:// at the beginning.

The squid.conf now looks like:

---
http_port 3128
cache_dir ufs /var/spool/squid 6444 16 256
access_log /var/log/squid/access.log
################################################################################
# Reverse proxy settings
#https_port rhevm.dev.company.com:443 accel
defaultsite=virtman.dev.company.com vhost
http_port  rhevm.dev.company.com:80  accel
defaultsite=virtman.dev.company.com vhost
# RHEV Manager
cache_peer 10.1.102.34 parent 80 0 no-query originserver name=rhevman
#cache_peer 10.1.102.34 parent 443 0 no-query originserver ssl name=rhevuser
acl acl_rhevm dstdomain virtman.dev.company.com
acl acl_srcrhevm src    10.1.102.34
http_access allow acl_rhevm !acl_srcrhevm
cache_peer_access rhevman  allow acl_rhevm
cache_peer_access rhevman  deny  all
################################################################################
# Local traffic, is y'know, local
acl acl_whitelist dstdomain    .dev.company.com
acl acl_virthost  dst          10.1.102.8/29
acl http          proto        http
acl vdsm          port         54321
acl port_80       port         80
acl port_443      port         443
acl CONNECT       method       CONNECT
acl SSL_ports     port 443
acl Safe_ports    port 80          # http
acl Safe_ports    port 21          # ftp
acl Safe_ports    port 443         # https
acl Safe_ports    port 70          # gopher
acl Safe_ports    port 210         # wais
acl Safe_ports    port 1025-65535  # unregistered ports
acl Safe_ports    port 280         # http-mgmt
acl Safe_ports    port 488         # gss-http
acl Safe_ports    port 591         # filemaker
acl Safe_ports    port 777         # multiling http
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_Ports
http_access allow vdsm    acl_virthost
http_access allow http    port_80      acl_whitelist
http_access allow CONNECT port_443     acl_whitelist
################################################################################
# Only the WSUS box can go to the windows update site
acl acl_wsus srcdomain wsus.dev.company.com
acl acl_windowsupdate dstdomain .windowsupdate.com
http_access deny !acl_wsus acl_windowsupdate
################################################################################
# Normal proxy settings
acl acl_intranet src 10.1.102.0/24
http_access allow acl_intranet
################################################################################
# Catch all
http_access deny all
cache_peer proxy.company.com parent 8200 7 no-query
# Never go direct to the internet (use the BlueCoat)
never_direct allow all
---
Thanks again
CC
On Fri, Apr 29, 2011 at 2:33 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 29/04/11 17:22, Colin Coe wrote:
>>
>> Hi all
>>
>> I'm having trouble getting squid to do what I need.
>>
>> I'm in a test network within a corporate environment.
>>
>> What I want is this:
>> 1) squid needs to use the corporate proxy for Internet stuff
>> 2) squid should cache
>> 3) squid should reverse proxy several servers (but for now only one
>> actually exists) both http and https
>> 4) anything destined for 10.1.102.0/24 needs to not be sent to the
>> corporate proxy.
>> 5) only the WSUS server is allowed to talk to *.windowsupdate.com
>>
>> What I get is:
>> 1) Reverse proxying seems to work except that any attempts to browse a
>> remote site (ie www.microsoft.com) on the host being proxied results
>> in being redirected to itself.
>> 2) Normal proxying seems to work (note the exception above)
>>
>> My config file is
>> ---
>> # Should be obvious
>> http_port 3128
>> cache_dir ufs /var/spool/squid 6444 16 256
>> cache_access_log /var/log/squid/access.log
>
> NP: the directive is now just called "access_log"
>
>>
>>
>> ################################################################################
>> # Local traffic, is y'know, local
>>
>> acl acl_whitelist dstdomain � �.dev.company.com
>> acl acl_virthost �dst � � � � �10.1.102.8/29
>> acl http � � � � �proto � � � �http
>> acl vdsm � � � � �port � � � � 54321
>> acl port_80 � � � port � � � � 80
>> acl port_443 � � �port � � � � 443
>> acl CONNECT � � � method � � � CONNECT
>>
>> http_access allow vdsm � �acl_virthost
>> http_access allow http � �port_80 � � �acl_whitelist
>> http_access allow CONNECT port_443 � � acl_whitelist
>
> You are missing the default security blanket rules...
> �http_access deny !Safe_ports
> �http_access deny CONNECT !SSL_Ports
>
> These prevent internal clients or external attacks from getting malicious
> HTTP requests past your local config settings (for example the generic
> "allow acl_intranet").
> �"malicious" requests are not always intentional, the internal client ones
> commonly come from things as simple as embeded URLs in web adverts.
>
>>
>>
>> ################################################################################
>> # Reverse proxy settings
>
> NP: this reverse-proxy section should be above the local traffic section.
> The http_access rules here must be first in the entire list of http_access.
>
>>
>> #https_port rhevm.dev.company.com:443 accel
>> defaultsite=https://virtman.dev.company.com vhost
>> http_port �rhevm.dev.company.com:80 �accel
>> defaultsite=http://virtman.dev.company.com vhost
>
> defaultsite= is the FQDN, not a full URL. The http:// part is assumed from
> the "http_" directive name.
> �There is an additional protocol= option if the scheme needs to be something
> weird (very, very rarely needed).
>
>>
>> # RHEV Manager
>> cache_peer 10.1.102.34 parent 80 0 no-query originserver name=rhevman
>> #cache_peer 10.1.102.34 parent 443 0 no-query originserver ssl
>> name=rhevuser
>>
>> acl acl_rhevm dstdomain virtman.dev.company.com
>> acl acl_srcrhevm srcdomain virtman.dev.company.com
>> http_access allow acl_rhevm !acl_srcrhevm
>
> The server itself asking the proxy for its own domain things?
>
> This should not matter. You want to avoid DNS lag anyway:
> �acl acl_srcrhevm src 10.1.102.34
>
> With a cache_peer IP like that, Squid does not use DNS to connect to the
> internal peer so the internal DNS view can be set to the internal server IP
> if you want to avoid the internal traffic going via Squid IP.
>
>>
>> cache_peer_access rhevman �allow acl_rhevm
>> cache_peer_access rhevman �deny �all
>> always_direct allow acl_rhevm
>
> Remove the always_direct. It prevents the cache_peer being used and is
> likely the cause of your problem.
>
>
> NOTE: I see you have commented out some HTTPS reverse-proxy bits.
> �You will be interested in squid-3.1.12 with fixes for HTTPS to internal
> reverse-proxy peers.
>
>>
>>
>> ################################################################################
>> # Only the WSUS box can go to the windows update site
>> acl acl_windowsupdate dstdomain .windowsupdate.com
>> acl acl_wsus srcdomain wsus.dev.company.com
>> http_access deny !acl_wsus acl_windowsupdate
>
> Your use of srcdomain requires rDNS systems to be working. Is the WSUS on a
> dynamic IP?
> �Either use the WSUS IP in a "src" ACL or switch the order of those two ACL
> names on that line for faster overall processing.
>
> �If you retain the srcdomain, ensure that the rDNS results have long TTL. It
> is delaying one client request every rDNS TTL cycle.
>
> Also, there are a number of other WU domains you may want to add to that
> list:
> �http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>
>>
>>
>> ################################################################################
>> # Normal proxy settings
>> acl acl_intranet src 10.1.102.0/24
>> http_access allow acl_intranet
>>
>>
>> ################################################################################
>> # Catch all
>> http_access deny all
>>
>> cache_peer proxy.company.com parent 8200 7 no-query
>> # Never go direct to the internet (use the BlueCoat)
>> never_direct allow all
>
> These two sections look fine.
>
> Amos
> --
> Please be using
> �Current Stable Squid 2.7.STABLE9 or 3.1.12
> �Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
-- 
RHCE#805007969328369
Received on Fri Apr 29 2011 - 07:25:57 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 29 2011 - 12:00:05 MDT