04-25-2011, 07:51 AM
|
#1
|
Member
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Rep:
|
Reverse Proxy on Squid to port 8080
Hi
I have got a reverse proxy that is working just fine, it accepts requests on port 443 and port 80 and ONLY sends traffic upstream to port 80 to the apache server listening on localhost.
I use the following config:
https_port 10.14.1.72:443 cert=/etc/squid/self_certs/site.crt key=/etc/squid/self_certs/site.key defaultsite=site vhost
cache_peer 127.0.0.1 parent 443 80 no-query originserver login=PASS
http_port 10.14.1.72:80 vhost
My problem is the following:
The site should act differently on some occasions based on whether http or https was requested. So my idea is to set up a second http vhost on apache listening on port 8080, and on that vhost I would serve the https code. So is it possible to use SQUID to:
Send traffic destined for port 443 to localhost:8080
and
Send traffic destined for port 80 to localhost:80?
Any hints/comments are highly appreciated.
|
|
|
|
04-25-2011, 08:42 AM
|
#2
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hi,
I think the best way is to just indicate it in the cache_peer directive. I've set up a reverse proxy with HTTPS only (redirecting all HTTP to HTTPS) and the backend server had different ports listening. This is how I used it and it worked:
Code:
https_port XXX.XXX.XXX.XXX:443 accel cert=/etc/ssl/domain.crt key=/etc/ssl/domain.key defaultsite=www.domain.com vhost protocol=https
forwarded_for on
cache_peer XXX.XXX.XXX.XXX parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=autlog
acl site_autlog dstdomain autlog.domain.com
cache_peer_access autlog allow site_autlog
acl https proto https
cache_peer XXX.XXX.XXX.XXX parent 7002 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=auti2
acl site_auti2 dstdomain auti2.domain.com
cache_peer_access auti2 allow site_auti2
acl https proto https
So I don't see why you couldn't use port 8080 (as I used 7002) in the cache_peer directive. Hope it helps.
Kind regards,
Eric
|
|
2 members found this post helpful.
|
04-25-2011, 11:35 AM
|
#3
|
Member
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Original Poster
Rep:
|
Hi, I am not sure I can set up two caches as the apache host is on the same server listening on localhost, but I will try it and post feedback. Thanks a lot.
|
|
|
04-25-2011, 11:39 AM
|
#4
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hi,
Since Apache gives you the possibility to have VirtualHost based on IP, Port, Name or combinations of those I'm pretty sure you'll be able to configure it. If you encounter problems in trying/doing, don't hesitate to post them here.
Kind regards,
Eric
|
|
|
04-25-2011, 11:59 AM
|
#5
|
Member
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Original Poster
Rep:
|
Hi
I did use your configuration as a starting point, and commented out my config for now. The issue so far is that SQUID is not listening on port 80. To sum up what I want to achieve:
a.com HTTP Request -> SQUID -> HTTP Apache
a.com HTTPS Request -> SSL Handled by SQUID -> HTTP Apache on another Vhost, or simply on another port.
Regards and thanks
|
|
|
04-25-2011, 12:07 PM
|
#6
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hello,
Squid as a reverse proxy listens on the port you indicate it to listen with http_port. What have you set for that variable? Basically what you want is to redirect the http_port Squid is listening on to your localhost on port 80, right? And besides that you want https 443 redirected to the same localhost but on port 8080, which would be a different VirtualHost, right?
The configuration I posted wasn't complete at all, just the necessary stuff I thought will matter. Don't substitute all your config for what I posted since it's not complete. You should compare what I posted with what you've got.
Kind regards,
Eric
Last edited by EricTRA; 04-25-2011 at 12:09 PM.
|
|
1 members found this post helpful.
|
04-25-2011, 12:25 PM
|
#7
|
Member
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Original Poster
Rep:
|
Notice taken, thanks.
I have dropped the ACL and used
acl all src all
http_access allow all
What is confusing me is that I am using the config below for now, and the requests still end up going to:
[SERVER_ADDR] => 127.0.0.1
[SERVER_PORT] => 80
From what I see there is nothing in the squid config that would suggest to SQUID to send any requests to port 80; the caches are set up to send to 443 or 7002.
http_port 10.14.1.72:80 vhost protocol=http
https_port 10.14.1.72:443 accel cert=/etc/squid/self_certs/employment-stg. site key=/etc/squid/self_certs/domain defaultsite=siteg. domain vhost protocol=https
forwarded_for on
cache_peer 127.0.0.1 parent 443 0 no-query originserver name=autlog
cache_peer 127.0.0.1 parent 7002 0 no-query originserver name=auti2
Any comments please ?
Last edited by ALInux; 04-25-2011 at 01:09 PM.
|
|
|
04-25-2011, 12:40 PM
|
#8
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hi,
First thing that comes to mind is you're not specifying protocol for your cache peers. Here's roughly how I'd start out.
Code:
http_port 10.14.1.72:80 protocol=http defaultsite=www.yourdomain.com vhost
https_port 10.14.1.72:443 accel cert=/etc/squid/self_certs/www.domain.com.crt key=/etc/squid/self_certs/www.domain.com.key defaultsite=www.domain.com vhost protocol=https
forwarded_for on
cache_peer 127.0.0.1 parent 8080 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on
acl https proto https
cache_peer 127.0.0.1 parent 80 0 no-query originserver
acl http proto http
This is just the basics for the peers, I imagine you know about the different acl rules and how to include them. Also don't forget about the log facility, host file and so. If you want a more complete configuration, let me know and I'll post what I used at a previous job so you can copy (and change) from that.
Kind regards,
Eric
Last edited by EricTRA; 04-25-2011 at 02:03 PM.
|
|
1 members found this post helpful.
|
04-25-2011, 01:11 PM
|
#9
|
Member
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Original Poster
Rep:
|
Hi
I removed the SSL stuff because SQUID was posting a Protocol mismatch error. I am sorry about my following request, it is my fault: can you please remove the domain names from your last post where you quoted me?
Thanks
|
|
|
04-25-2011, 01:14 PM
|
#10
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Quote:
Originally Posted by ALInux
Hi
I removed the SSL stuff because SQUID was posting a Protocol mismatch error. I am sorry about my following request, it is my fault: can you please remove the domain names from your last post where you quoted me?
Thanks
|
Hi,
Done, sorry I didn't even notice it when copy/pasting
Kind regards,
Eric
|
|
|
04-25-2011, 01:59 PM
|
#11
|
Member
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Original Poster
Rep:
|
OK, I am getting closer to what I want to achieve and I can say I have got it halfway working. One question, if you do not mind.
Based on your example, there are two caches. Based on what exactly does SQUID determine to which cache to send the incoming request? I do not see any connection between the vhost definition and the cache.
Thanks
|
|
|
04-25-2011, 02:08 PM
|
#12
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hi,
I just corrected a small mistake I didn't notice before:
Code:
cache_peer 127.0.0.1 parent 80 no-query originserver
acl https proto http
needs to be:
Code:
acl http proto http
I'm not the Squid expert, not at all, but I'm quite positive that the acl just after the cache_peer defines which traffic to send where. After the correction I made you'll notice that for the first cache_peer the protocol is https (proto) and for the second one http which makes up the difference.
Kind regards,
Eric
|
|
1 members found this post helpful.
|
04-25-2011, 03:18 PM
|
#13
|
Member
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Original Poster
Rep:
|
OK, thanks a million, you paved the way for me, it worked. The solution is below for anyone who might need this in future:
https_port 10.14.1.72:443 accel cert=/etc/squid/self_certs/site.crt key=/etc/squid/self_certs/site.key defaultsite=somesite vhost protocol=https
cache_peer 127.0.0.1 parent 7002 0 no-query originserver name=secure
acl secure_acl port 443
cache_peer_access secure allow secure_acl
acl https proto https
http_port 10.14.1.72:80 protocol=http defaultsite=someSite vhost
cache_peer localhost parent 80 0 no-query originserver name=regular
acl regular_acl port 80
cache_peer_access regular allow regular_acl
acl http proto http
|
|
|
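Added example, not part of any post in this thread and not Squid's own tooling: a small Python linter for the peer-routing and peer-TLS mistakes that come up when a reverse proxy has several `cache_peer` lines, as in the configs above. The sample config, its placeholder addresses and names, the finding codes and the `lint` function are constructed for illustration, and the directive allow-list covers only the directives used in this thread.

```python
# Constructed sample shaped like this thread's configs; addresses/names are placeholders.
SAMPLE = """\
https_port 192.0.2.10:443 accel cert=/etc/squid/site.crt key=/etc/squid/site.key vhost
cache_peer 127.0.0.1 parent 7002 0 no-query originserver name=secure
acl secure_acl port 443
cache_peer_access secure allow secure_acl
http_port 192.0.2.10:80 vhost
cache_peer 127.0.0.1 parent 80 no-query originserver name=regular
acl regular_acl port 80
cache_peer_acess regular allow regular_acl
cache_peer 192.0.2.20 parent 443 0 originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER name=tls
cache_peer_access tls allow https_only
"""

# Assumption: only the directives used in this thread are treated as known.
KNOWN = {"http_port", "https_port", "cache_peer", "cache_peer_access",
         "acl", "http_access", "forwarded_for"}

def lint(conf):
    """Return sorted (line, code, detail) findings for a squid.conf fragment."""
    out, peers, acls, rules = [], {}, set(), []
    for n, line in enumerate(conf.splitlines(), 1):
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        d, a = tok[0], tok[1:]
        if d not in KNOWN:
            out.append((n, "unknown-directive", d))
        elif d == "acl" and a:
            acls.add(a[0])
        elif d == "cache_peer_access" and len(a) >= 3:
            rules.append((n, a[0], a[2:]))
        elif d == "cache_peer":  # cache_peer host type http-port icp-port [options]
            name = next((o[5:] for o in a if o.startswith("name=")), a[0] if a else "")
            peers[name] = n
            if len(a) < 4 or not (a[2].isdigit() and a[3].isdigit()):
                out.append((n, "missing-port", name))
            if any("DONT_VERIFY_PEER" in o for o in a):
                out.append((n, "tls-verify-disabled", name))
            if "sslversion=3" in a:
                out.append((n, "sslv3-only", name))
    for n, _, names in rules:
        out += [(n, "undefined-acl", x.lstrip("!")) for x in names if x.lstrip("!") not in acls]
    # A peer with no cache_peer_access rule is eligible for every request.
    for name in peers.keys() - {p for _, p, _ in rules}:
        out.append((peers[name], "peer-without-access-rule", name))
    return sorted(out)

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

In the sample, the misspelled directive on line 8 is what leaves the `regular` peer without an access rule, so the two findings point at one root cause. The two TLS findings matter most when the origin is not on localhost, since `DONT_VERIFY_PEER` skips certificate validation of the peer.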
04-26-2011, 12:32 AM
|
#14
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hello,
Glad it worked out! If you consider your problem solved, then please mark it as such.
Kind regards,
Eric
|
|
|