Squid question about port redirect

ge2000 · 11-18-2009, 12:11 PM

Hi all,

Not sure if this is possible with squid but here's the question.

My squid is listening to port 80. Due to certain network restrictions only traffic to destinations on port 80 is allowed. Now we have behind squid a webserver running on port 88.

Is it possible, and how to 'translate' request for webserver:80 to webserver:88 with squid?

thanks,
Ge

EricTRA · 11-18-2009, 12:25 PM

I may be mistaking but I don't think Squid is your problem since you can perfectly tell Squid to send to the 'cache_peer' on port 88. If your webserver is listening on port 88 and your network policy prohibits that, then how can you get traffic through? By making an exclusion in your policy? By adapting your firewall configuration? If its prohibited on network traffic level, then how does anyone connect to that webserver?

Kind regards,

Eric

ge2000 · 11-18-2009, 12:32 PM

ok, maybe I was not clear. Traffic between squid and the webserver is possible. The only problem is that clients will always connect to webserver:80

So cache_peer should do the trick. I thought this option was to chain to another proxy. I will give it a try then.

Ge

EricTRA · 11-18-2009, 12:36 PM

Structure like this should work:

Code:

cache_peer 000.000.000.000 parent 80 0 no-query originserver name=a_name_you_give
acl site_a_name_you_give dstdomain a_name_you_give.domain.com
cache_peer_access a_name_you_give allow site_a_name_you_give

Kind regards,

Eric

ge2000 · 11-18-2009, 01:07 PM

Thanks for taking the time to help me!

In your example config I still don't see how squid is connecting to the destination webserver port 88.

The required path should be:

client request=http://webserver:80 forwarded to proxy=squid:80
squid should connect to destination=webserver:88

thanks,
Ge

EricTRA · 11-18-2009, 01:23 PM

Sorry, I didn't change the parent port in the example I posted since I figured you know Squid. Ok, let's break it apart a little bit for clarification.

Before the cache_peer you define Squid listening port like:

Code:

http_port xxx.xxx.xxx.xxx:80 defaultsite=www.tradisa.com vhost

where xxx is the IP you want Squid to listen on. Furthermore you're telling it with vhost that it's a virtual host for other servers.

Then the cache_peer:

Code:

cache_peer 000.000.000.000 parent 88 0 no-query originserver name=a_name_you_give
acl site_a_name_you_give dstdomain a_name_you_give.domain.com
cache_peer_access a_name_you_give allow site_a_name_you_give

here you state that one of the servers to which the vhost can connect is 000.000.000.000 (IP address of the real webserver). The 'parent 80' tells Squid to connect on port 80 and originserver tells it that it's a destination server not something like a proxy.

With the name= statement you give it a name so you can refer to it in the acl and cache_peer_access statement.

Like I put it here, in the acl you give the site a name to (to refer in the access statement) like site_nameyougive.

dstdomain means that only those who request that particular domain name get connected to that particular webserver. If for example you type in a browser http://mything.domain.com then Squid will not connect you. On the other hand if you type in http://a_name_you_give.domain.com then you will get connected to the correct webserver on port 88.

Then the last line determines the access you give to the site and server. If you want everyone to be able to access it, then you just delete or comment it out and down the line where you configure your http_access rules you just put:

Code:

http_access allow all

That's the way I configured it to have 8 different webservers available and three of them do not connect on a standard port.

Kind regards,

Eric

ge2000 · 11-18-2009, 01:59 PM

Thanks Eric.

This was very helpfull information. A quick test seems to work fine.

Kind regards,
Ge

EricTRA · 11-18-2009, 02:01 PM

You're welcome Ge, glad it works

Kind regards,

Eric

BTW: am I correct to state that you are in the Netherlands? Judging from your Location?

ge2000 · 11-18-2009, 03:36 PM

Quote:

Originally Posted by EricTRA

BTW: am I correct to state that you are in the Netherlands? Judging from your Location?

Yes, you are correct.

EricTRA · 11-18-2009, 03:40 PM

I'm from Belgium

Aangename kennismaking.

Geboorteplaats: Turnhout, vlak tegen de nederlandse grens.

Kind regards/Met vriendelijke groet,

Eric

ge2000 · 11-19-2009, 08:35 AM

Hi Eric,

Well, your current location seems to be much warmer :-)

The squid-proxy is working fine only for sites without authentication. We have a few IIS servers (sorry, we do sometimes use ms) which require authentication. In the past we never had problems with this but now with the accel option things are working different. Well, I'm even more a newbie on squid than I thought :-)

Nogmaals bedankt voor je antwoorden.

groeten,
Ge

EricTRA · 11-19-2009, 08:44 AM

Oh, believe me it is a lot warmer here then Belgium, and more important a lot dryer

All our servers require authentication, but none are IIS, I got spared of that disaster

The sites we run that are still on Windows (for the time being) are all running Tomcat.

Graag gedaan.

Kind regards,

Eric

ge2000 · 11-19-2009, 09:12 AM

Quote:

Oh, believe me it is a lot warmer here then Belgium, and more important a lot dryer

Please don't poke me in the eyes!

Found it! I appended login=PASS to the cache_peer line and now this works fine as well.

groeten,
Ge

EricTRA · 11-19-2009, 09:15 AM

Fantastic, well done.

Kind regards,

Eric