How to combine two proxies into one?


How to combine two proxies into one?

Peng Yu
Hi,

Here are the conf files for two proxies. The first is a reverse proxy
(proxied on server1 and server2) and the second is a forward proxy. Is
there a way to combine the two into one (supporting both 3129 and
3128)? Thanks.

$ grep -v '^#' squid.conf|grep -v '^$'
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3129
cache_peer server1 parent 3128 0 round-robin no-query
cache_peer server2 parent 3128 0 round-robin no-query
forwarded_for    delete
coredump_dir /usr/local/var/cache/squid
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

$ grep -v '^#' squid.conf|grep -v '^$'
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .        0    20%    4320
forwarded_for delete

--
Regards,
Peng
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How to combine two proxies into one?

Amos Jeffries
Administrator
On 15/02/18 17:00, Peng Yu wrote:
> Hi,
>
> Here are the conf files for two proxies. The first is a reverse proxy
> (proxied on server1 and server2) and the second is a forward proxy. Is
> there a way to combine the two into one (supporting both 3129 and
> 3128)? Thanks.

One Squid can accept traffic in multiple modes, just by adding the
appropriate *_port lines for each type/mode of traffic.

However, if you are talking about the same setup as your last threads
described, the first proxy is *not* doing proper / normal reverse-proxy.
From what I understand in those setups you are relying on the traffic
being warped into forward-proxy syntax by the frontend and leaving the
domain routing to the backend - which lacks the appropriate security
checks to handle reverse-proxy needs.


In regard to your posted config files: skipping the lines which are not
actual default configuration, you are left with these:

>
> $ grep -v '^#' squid.conf|grep -v '^$'
> http_port 3129

This is not a reverse-proxy. That is declared by the "accel" mode flag
being set - which is not present here.


> cache_peer server1 parent 3128 0 round-robin no-query
> cache_peer server2 parent 3128 0 round-robin no-query
> coredump_dir /usr/local/var/cache/squid
>

> $ grep -v '^#' squid.conf|grep -v '^$'
> http_port 3128

This is also not a reverse-proxy.

> coredump_dir /var/spool/squid3
> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880

To combine the above two configurations take the second one and add this
line:
  http_port 3129


BUT, since neither of them was actually a reverse-proxy the answer of
how to merge a reverse-proxy and a forward-proxy would be quite different.

Amos

Re: How to combine two proxies into one?

Peng Yu
On Thu, Feb 15, 2018 at 3:31 AM, Amos Jeffries <[hidden email]> wrote:

> On 15/02/18 17:00, Peng Yu wrote:
>> Hi,
>>
>> Here are the conf files for two proxies. The first is a reverse proxy
>> (proxied on server1 and server2) and the second is a forward proxy. Is
>> there a way to combine the two into one (supporting both 3129 and
>> 3128)? Thanks.
>
> One Squid can accept traffic in multiple modes, just by adding the
> appropriate *_port lines for each type/mode of traffic.
>
> However, if you are talking about the same setup as your last threads
> described, the first proxy is *not* doing proper / normal reverse-proxy.
> From what I understand in those setups you are relying on the traffic
> being warped into forward-proxy syntax by the frontend and leaving the
> domain routing to the backend - which lacks the appropriate security
> checks to handle reverse-proxy needs.
>
>
> In regard to your posted config files: skipping the lines which are not
> actual default configuration, you are left with these:
>
>>
>> $ grep -v '^#' squid.conf|grep -v '^$'
>> http_port 3129
>
> This is not a reverse-proxy. That is declared by the "accel" mode flag
> being set - which is not present here.
>
>
>> cache_peer server1 parent 3128 0 round-robin no-query
>> cache_peer server2 parent 3128 0 round-robin no-query
>> coredump_dir /usr/local/var/cache/squid
>>
>
>> $ grep -v '^#' squid.conf|grep -v '^$'
>> http_port 3128
>
> This is also not a reverse-proxy.
>
>> coredump_dir /var/spool/squid3
>> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
>
> To combine the above two configurations take the second one and add this
> line:
>   http_port 3129
>
>
> BUT, since neither of them was actually a reverse-proxy the answer of
> how to merge a reverse-proxy and a forward-proxy would be quite different.

I finally figured out a configuration that works. localhost:3128 is forwarded to
both server1:3128 and server2:3128. localhost:3129 goes directly to
the external network. Let me know if there is anything wrong with it.

Also, this only works for http. For https, localhost:3128 still
goes directly to the external network. Do you know how to modify the
following configuration so that it also works for https?

acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129
acl port_3128_acl myportname 3128
cache_peer server1 parent 3128 0 round-robin no-query name=proxy3128
cache_peer_access proxy3128 allow port_3128_acl
cache_peer server2 parent 3128 0 round-robin no-query name=proxy1_3128
cache_peer_access proxy1_3128 allow port_3128_acl
cache_peer_access proxy3128 deny all
forwarded_for    delete
coredump_dir /usr/local/var/cache/squid
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320


--
Regards,
Peng

Re: How to combine two proxies into one?

Amos Jeffries
Administrator
On 17/02/18 14:37, Peng Yu wrote:
> On Thu, Feb 15, 2018 at 3:31 AM, Amos Jeffries wrote:
>>
>> BUT, since neither of them was actually a reverse-proxy the answer of
>> how to merge a reverse-proxy and a forward-proxy would be quite different.
>
> I finally figured out a configuration that works. localhost:3128 is forwarded to
> both server1:3128 and server2:3128. localhost:3129 goes directly to
> the external network. Let me know if there is anything wrong with it.
>

See my response to your other thread, where you asked why that config was
not actually working.

> Also, this only works for http. For https, localhost:3128 still
> goes directly to the external network. Do you know how to modify the
> following configuration so that it also works for https?
>

For forward-proxy of HTTPS traffic (aka CONNECT messages) you need to
configure one of:

  nonhierarchical_direct off
or
  never_direct allow CONNECT

otherwise Squid performs the more efficient DIRECT routing for the tunnel.

Amos
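The port-to-peer routing in Peng's merged config (myportname ACL plus cache_peer_access) and the CONNECT caveat in Amos's last reply, checked by a small squid.conf audit. This is an added example, not code from the thread or from the Squid project; it assumes a simplified reading of cache_peer_access (only allow rules naming a myportname ACL or "all" are honoured, first-match ordering is not modelled) and uses a constructed excerpt of the config above as input.

```python
from collections import defaultdict

# Constructed sample: the routing-relevant lines of the merged config in the thread.
SAMPLE_CONF = """\
http_port 3128
http_port 3129
acl port_3128_acl myportname 3128
cache_peer server1 parent 3128 0 round-robin no-query name=proxy3128
cache_peer_access proxy3128 allow port_3128_acl
cache_peer server2 parent 3128 0 round-robin no-query name=proxy1_3128
cache_peer_access proxy1_3128 allow port_3128_acl
cache_peer_access proxy3128 deny all
"""

def audit_squid_conf(text):
    """Map each http_port to the cache_peers accepting it; flag the thread's two pitfalls."""
    ports, myport_acl, peers, access = [], {}, {}, defaultdict(list)
    connect_via_peers = open_proxy = False
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()             # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "http_port":
            ports.append(tok[1].rsplit(":", 1)[-1])     # "3128" or "ip:3128"
        elif tok[0] == "acl" and len(tok) > 3 and tok[2] == "myportname":
            myport_acl[tok[1]] = tok[3]
        elif tok[0] == "cache_peer":                     # key by name= option, else hostname
            peers[next((t[5:] for t in tok[5:] if t.startswith("name=")), tok[1])] = tok[1]
        elif tok[0] == "cache_peer_access":
            access[tok[1]].append((tok[2], tok[3:]))
        elif tok[:3] == ["never_direct", "allow", "CONNECT"] or tok[:2] == ["nonhierarchical_direct", "off"]:
            connect_via_peers = True                     # CONNECT tunnels now go via peers
        elif tok[:3] == ["http_access", "allow", "all"]:
            open_proxy = True
    routed = {p: set() for p in ports}
    for peer in peers:  # simplified: only 'allow' rules, matched on myportname ACLs or 'all'
        for action, acls in access.get(peer) or [("allow", ["all"])]:
            for a in (acls if action == "allow" else []):
                for p in (ports if a == "all" else [myport_acl.get(a)]):
                    if p in routed:
                        routed[p].add(peer)
    warnings = []
    if peers and not connect_via_peers:
        warnings.append("CONNECT (HTTPS) goes DIRECT and bypasses the cache_peers; "
                        "add 'never_direct allow CONNECT' or 'nonhierarchical_direct off'")
    if open_proxy:
        warnings.append("'http_access allow all' makes this an open forward proxy")
    return {"routed": routed, "connect_via_peers": connect_via_peers,
            "open_proxy": open_proxy, "warnings": warnings}
```

Run `audit_squid_conf(SAMPLE_CONF)` to see that only port 3128 is routed to the two peers and that the CONNECT warning fires; appending `never_direct allow CONNECT` clears it.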