SQUID port to port

SQUID port to port

by elsergio

Hi,

Here comes another squid question:

Is it possible to have a squid proxy working like this:

listening on port 80 and forward connection to ip1 on port 8080
listening on port 81 and forward connection to ip2 on port 8181

Both options at the same time.

I have seen that you can set several listening ports.

http_port 80 81

but I don't know if squid can listen at the same time.

Thanks a lot!

Sergio

Re: SQUID port to port

by Henrik Nordstrom-5

On mån, 2008-07-21 at 15:19 -0700, elsergio wrote:
> Hi,
>
> Here comes another squid question:
>
> Is it possible to have a squid proxy working like this:
>
> listening on port 80 and forward connection to ip1 on port 8080
> listening on port 81 and forward connection to ip2 on port 8181

Yes. That's a reverse proxy with multiple ports and multiple backend
servers, using cache_peer_access to select what to send to each.

Regards
Henrik



Re: SQUID port to port

by elsergio

Henrik Nordstrom-5 wrote:
On mån, 2008-07-21 at 15:19 -0700, elsergio wrote:
> Hi,
>
> Here comes another squid question:
>
> Is it possible to have a squid proxy working like this:
>
> listening on port 80 and forward connection to ip1 on port 8080
> listening on port 81 and forward connection to ip2 on port 8181

Yes. That's a reverse proxy with multiple ports and multiple backend
servers, using cache_peer_access to select what to send to each.

Regards
Henrik

 
Hi Henrik,

Let's see if I can figure out the configuration:

http_port 80 81   #to make squid listen to the desired ports

cache_peer ip1 parent 8080 0 no-query origin_server name DS1
cache_peer ip2 parent 8181 0 no-query origin_server name DS2

I cannot find out how to connect origin port with destination port. How is the good use of the cache_peer for this purpose?

Thanks again. Best regards,

Sergio



Re: SQUID port to port

by Amos Jeffries-2

elsergio wrote:

>
> Henrik Nordstrom-5 wrote:
>> On mån, 2008-07-21 at 15:19 -0700, elsergio wrote:
>>> Hi,
>>>
>>> Here comes another squid question:
>>>
>>> Is it possible to have a squid proxy working like this:
>>>
>>> listening on port 80 and forward connection to ip1 on port 8080
>>> listening on port 81 and forward connection to ip2 on port 8181
>> Yes. That's a reverse proxy with multiple ports and multiple backend
>> servers, using cache_peer_access to select what to send to each.
>>
>> Regards
>> Henrik
>>
>>  
>>
>
> Hi Henrik,
>
> Let's see if I can figure out the configuration:
>
> http_port 80 81   #to make squid listen to the desired ports

One per line.

>
> cache_peer ip1 parent 8080 0 no-query origin_server name DS1
> cache_peer ip2 parent 8181 0 no-query origin_server name DS2

name=DS1, etc. but otherwise yes.

>
> I cannot find out how to connect origin port with destination port. How is
> the good use of the cache_peer for this purpose?

cache_peer_access and some ACLs. Probably the myport or portname ACL.

http://www.squid-cache.org/Versions/v2/2.7/cfgman/cache_peer_access.html
http://www.squid-cache.org/Versions/v2/2.7/cfgman/acl.html

Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE8

Re: SQUID port to port

by elsergio

Hi all,

I have been suggested this

> http_port 80 81   #to make squid listen to the desired ports

One per line.


Do I have to do something like this?

http_port 80
acl all src 0.0.0.0/0.0.0.0
always_direct allow all
cache_peer ip1 parent 8080 0 no-query origin_server name=DS1
cache_peer_access allow DS1

http_port 81
acl all src 0.0.0.0/0.0.0.0
always_direct allow all
cache_peer ip2 parent 8181 0 no-query origin_server name=DS2
cache_peer_access allow DS2



I don't know if this is the way to determine that all the incoming
requests to port 80 will go to ip1:8080 and the requests to port 81
will go to ip2:8181. Is this the way to do it?


Thanks a lot,

Sergio

Re: SQUID port to port

by Michael Alger-3

On Tue, Jul 22, 2008 at 07:01:42AM -0700, elsergio wrote:

> I have been suggested this
>
>> http_port 80 81   #to make squid listen to the desired ports
>
> One per line.
>
> Do I have to do something like this?
>
> http_port 80
> acl all src 0.0.0.0/0.0.0.0
> always_direct allow all
> cache_peer ip1 parent 8080 0 no-query origin_server name=DS1
> cache_peer_access allow DS1
>
> http_port 81
> acl all src 0.0.0.0/0.0.0.0
> always_direct allow all
> cache_peer ip2 parent 8181 0 no-query origin_server name=DS2
> cache_peer_access allow DS2

No, the "one per line" remark was purely aimed at the http_port
thing; as in:

http_port 80
http_port 81

...other directives follow...

squid doesn't particularly care about the order of directives in the
configuration file, except you cannot refer to something you have
not yet defined. If it aids your understanding you can split the
http_port directives up and have settings which apply to each
directly following them, but that's not a requirement (and nor is it
usually particularly helpful in aiding understanding).

> I don't know if this is the way to determine that all the incoming
> requests to port 80 will go to ip1:8080 and the requests to port
> 81 will go to ip2:8181. Is this the way to do it?

Nope. As Amos said, you need to define ACLs which define which URLs
will be passed to each of your parents, and then assign these using
cache_peer_access. Have you read the documentation Amos directed you
to?

You need to define an ACL for your "DS1" server, e.g.

acl myport80 myport 80
cache_peer_access DS1 allow myport80
cache_peer_access DS1 deny all

(Note that you need to define the "all" ACL first, as you have done
in your example. Only define it once, though.)

Then repeat the process for "DS2":

acl myport81 myport 81
cache_peer_access DS2 allow myport81
cache_peer_access DS2 deny all

Note also that you don't want to use always_direct, as that tells
squid to bypass its cache_peers and connect directly to the origin
server which it finds by doing a DNS lookup.

Assuming you want to give your ACLs a more meaningful name, your
configuration will look something like this:



http_port 80
http_port 81
cache_peer ip1 parent 8080 0 no-query originserver name=DS1
cache_peer ip2 parent 8181 0 no-query originserver name=DS2

acl forDS1 myport 80
acl forDS2 myport 81
acl all src 0.0.0.0/0.0.0.0

cache_peer_access DS1 allow forDS1
cache_peer_access DS1 deny all
cache_peer_access DS2 allow forDS2
cache_peer_access DS2 deny all



Plus you'll have other elements from the default / recommended
configuration.

There are multiple ways of applying the access lists; the way I've
described above is what I usually prefer, but:

cache_peer_access DS1 deny !forDS1
cache_peer_access DS2 deny !forDS2

will do the same thing in fewer lines. Depends what you find easier
to understand yourself.

Re: SQUID port to port

by Amos Jeffries-2

>
> Hi all,
>
> I have been suggested this
>
>> http_port 80 81   #to make squid listen to the desired ports
>
> One per line.
>
>
> Do I have to do something like this?
>
> http_port 80
> acl all src 0.0.0.0/0.0.0.0
> always_direct allow all
> cache_peer ip1 parent 8080 0 no-query origin_server name=DS1
> cache_peer_access allow DS1
>
> http_port 81
> acl all src 0.0.0.0/0.0.0.0
> always_direct allow all
> cache_peer ip2 parent 8181 0 no-query origin_server name=DS2
> cache_peer_access allow DS2
>
>
>
> I don't know if this is the way to determine that all the incoming
> requests to port 80 will go to ip1:8080 and the requests to port 81
> will go to ip2:8181. Is this the way to do it?
>

* always_direct will prevent the peers ever being used. Drop that from
your config.

* all ACL only needs defining once, and only if using Squid-2.
   probably easier to understand: acl all src all

* still missing the ACL to do routing:

 acl DS1_okay myport 80
 acl DS2_okay myport 81

* cache_peer_access (did you read the link I gave. or did I omit it?)

 cache_peer_access <peer-name> [allow|deny] [acl [acl ...]]

I'd suggest:
  cache_peer_access DS1 allow DS1_okay
  cache_peer_access DS1 deny !DS1_okay

  cache_peer_access DS2 allow DS2_okay
  cache_peer_access DS2 deny !DS2_okay

Amos



Re: SQUID port to port

by elsergio

Hi,

Mmmm.. I see what you were talking about and it seems to be logical. Thanks for the help!

I have been thinking about one thing: I want to have some access statistics for each server. For example, I want to have a list of all the http request origin IP addresses that have reached each server.

Can I, somehow, make squid to add an http header with the origin IP of the request? Is this possible?

Thanks!!

Re: SQUID port to port

by Amos Jeffries-2

elsergio wrote:

> Hi,
>
> Mmmm.. I see what you were talking about and it seems to be logical. Thanks for
> the help!
>
> I have been thinking about one thing: I want to have some access statistics
> for each server. For example, I want to have a list of all the http request
> origin IP addresses that have reached each server.
>
> Can I, somehow, make squid to add an http header with the origin IP of the
> request? Is this possible?

Unless configured otherwise squid always adds the client IP to
X-Forwarded-For: header. Also the X-Client-IP: header sometimes.

Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE8

Re: SQUID port to port

by elsergio

Hi Amos,

Is it possible to change the name of the header? Maybe it would be easier to create a new one if possible. How can I configure it?

Thanks!

Re: SQUID port to port

by Amos Jeffries-2

>
> Hi Amos,
>
> Is it possible to change the name of the header? Maybe it would be easier
> to create a new one if possible. How can I configure it?

What are you trying to do exactly?

You asked for the server to identify client requesting squid. That's what
forwarded-for does. As common behavior in all web proxies.
Why do you expect adding code to squid + server app, duplicating the
forwarded-for behavior with a different header name to be simpler than
writing just the server app to understand "X-Forwarded-For: 127.2.3.4,
10.0.0.1"?

Amos


Re: SQUID port to port

by elsergio

Hi Amos,

It is because I would like this name to be configurable on Squid's side, to be independent from the server app. I don't want to depend on the server app so modifying the header could be nice. Any idea?

Best regards,

Sergio

Re: SQUID port to port

by Amos Jeffries-2

elsergio wrote:
> Hi Amos,
>
> It is because I would like this name to be configurable on Squid's side, to
> be independent from the server app. I don't want to depend on the server app
> so modifying the header could be nice. Any idea?

XFF has nothing to do with the Server app. It's all about the client. Is
added by Squid. Exactly what you asked for.
It's present to be _used_ or ignored by the server app.

I asked for more info on the overall design you are wanting to achieve.
If we knew we could give more useful help. Without the knowledge of your
end-goal all I and anyone here can do is guess and answer to the exact
words you state.

Feel free to send it privately if that is sensitive info.

Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE8

Re: SQUID port to port

by elsergio

Hi Amos,

The problem is that the web servers will use that header for
statistics and, for some sites, they will also use that field for
authentication purposes. In those cases the capability of modifying that
app is out of our scope, so we will have to think about other
solutions.

Thanks!
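
Added example, not part of the thread and not code from any poster: one way a backend behind the Squid reverse proxy can read the X-Forwarded-For value Amos quotes without believing entries the client supplied itself, which matters once the header feeds statistics or authentication. The proxy address 192.168.0.5 and the names TRUSTED_PROXIES and client_ip are assumptions made for the illustration.

```python
import ipaddress

# Assumption: the only host allowed to hand us X-Forwarded-For is the Squid
# reverse proxy. 192.168.0.5 is a constructed address, not from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.0.5/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to log or authorise on.

    peer_addr  -- source address of the TCP connection to the backend
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A host that bypasses the proxy can put anything in the header,
    # so the header is only read when the connection comes from the proxy.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Each proxy appends the address it received the request from, so the
    # rightmost entry is the one our proxy wrote. Entries further left were
    # already in the request and may have been typed in by the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Not an address: fall back to the last address we could verify.
            return str(peer)
        if not _is_trusted(addr):
            return str(addr)
        peer = addr  # another trusted proxy in the chain, keep walking left
    return str(peer)


if __name__ == "__main__":
    # Header value from Amos's message, arriving via the proxy.
    print(client_ip("192.168.0.5", "127.2.3.4, 10.0.0.1"))
    # Same kind of header sent directly to the backend: ignored.
    print(client_ip("203.0.113.9", "10.0.0.1"))
```

The backend should also accept connections on ports 8080 and 8181 only from the proxy, otherwise the trusted-peer check is the sole thing standing between a direct client and a forged header.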

Re: SQUID port to port

by elsergio

Hi,

I have been looking for a solution for the http headers and have found the Privoxy tool that can be integrated with Squid (http://www.christianschenk.org/blog/enhancing-your-privacy-using-squid-and-privoxy/). I have seen that it can deal with the http headers. Have you ever heard about this program or any other program that can be useful to achieve the target?

Best regards,

Sergio