Problem with Squid 2.6 as reverse proxy

Santiago Del Castillo-3
Hi, I'm having problems configuring Squid 2.6 RELEASE13 as reverse proxy

here's what i get:

access.log:

1181084915.474      2 xxx.xxx.xxx.xxx TCP_MISS/503 1663 GET
http://XXXXXXXX.com//styles/best.css - NONE/- text/html
1181084915.477      2 xxx.xxx.xxx.xxx TCP_MISS/503 1669 GET
http://XXXXXXXX.com//images/favicon.ico - NONE/- text/html
1181084915.855      3 xxx.xxx.xxx.xxx TCP_MISS/503 1665 GET
http://XXXXXXXX.com//styles/stars.css - NONE/- text/html
1181084916.238      3 xxx.xxx.xxx.xxx TCP_MISS/503 1667 GET
http://XXXXXXXX.com//styles/alerts.css - NONE/- text/html
1181084916.619      3 xxx.xxx.xxx.xxx TCP_MISS/503 1671 GET
http://XXXXXXXX.com//styles/register.css - NONE/- text/html


cache.log:

2007/06/05 18:08:35| Failed to select source for
'http://XXXXXXXX.com//styles/best.css'
2007/06/05 18:08:35|   always_direct = 0
2007/06/05 18:08:35|    never_direct = 0
2007/06/05 18:08:35|        timedout = 0
2007/06/05 18:08:35| Failed to select source for
'http://XXXXXXXX.com//images/favicon.ico'
2007/06/05 18:08:35|   always_direct = 0
2007/06/05 18:08:35|    never_direct = 0
2007/06/05 18:08:35|        timedout = 0
2007/06/05 18:08:35| Failed to select source for
'http://XXXXXXXX.com//styles/stars.css'
2007/06/05 18:08:35|   always_direct = 0
2007/06/05 18:08:35|    never_direct = 0
2007/06/05 18:08:35|        timedout = 0
2007/06/05 18:08:36| Failed to select source for
'http://XXXXXXXX.com//styles/alerts.css'
2007/06/05 18:08:36|   always_direct = 0
2007/06/05 18:08:36|    never_direct = 0
2007/06/05 18:08:36|        timedout = 0
2007/06/05 18:08:36| Failed to select source for
'http://XXXXXXXX.com//styles/register.css'
2007/06/05 18:08:36|   always_direct = 0
2007/06/05 18:08:36|    never_direct = 0
2007/06/05 18:08:36|        timedout = 0



Here's my conf:


http_port 80 vhost accel
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
maximum_object_size_in_memory 4096 KB
cache_dir aufs /var/spool/squid 100 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
dns_nameservers xxx.xxx.xxx.xxx
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
half_closed_clients off
acl RP src xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 80
acl CONNECT method CONNECT
acl AllowedSites dstdomain "/etc/squid/allowed_sites"
acl DeniedSites url_regex "/etc/squid/denied_sites"
http_access allow AllowedSites !DeniedSites
http_access allow RP
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
http_reply_access allow all
icp_access allow all
miss_access allow all
cache_effective_user squid
cache_effective_group squid
logfile_rotate 4
coredump_dir /var/spool/squid
client_persistent_connections off
server_persistent_connections off
persistent_connection_after_error off


if i set always_direct allow all it works. But the problem is that
this squid will be used as sibling :(

If you need more info, just ask.


Cheers!
Santiago

Re: Problem with Squid 2.6 as reverse proxy

Guillaume Smet
On 6/6/07, Santiago Del Castillo <[hidden email]> wrote:
> if i set always_direct allow all it works. But the problem is that
> this squid will be used as sibling :(

It's normal. I don't see any cache_peer in your configuration file.

--
Guillaume

Re: Problem with Squid 2.6 as reverse proxy

Santiago Del Castillo-3
Because i'm not setting as sibling right now. First i want to make it
work as virtual host reverse proxy. Once working i'll set it as
sibling squid.

Cheers!
Santiago

On 6/6/07, Guillaume Smet <[hidden email]> wrote:
> On 6/6/07, Santiago Del Castillo <[hidden email]> wrote:
> > if i set always_direct allow all it works. But the problem is that
> > this squid will be used as sibling :(
>
> It's normal. I don't see any cache_peer in your configuration file.
>
> --
> Guillaume
>

Re: Problem with Squid 2.6 as reverse proxy

Guillaume Smet
On 6/6/07, Santiago Del Castillo <[hidden email]> wrote:
> Because i'm not setting as sibling right now. First i want to make it
> work as virtual host reverse proxy. Once working i'll set it as
> sibling squid.

You have to set a parent cache_peer anyway. Squid 2.6 is a bit
different than 2.5 for that.

So define a parent cache peer and add sibling when you want it.

For example, I have something like:
cache_peer X.X.X.X parent 80 0 no-query no-digest no-netdb-exchange
no-delay originserver
which is my Apache server
then I have:
cache_peer X.X.X.X sibling 8080 3130 no-digest no-netdb-exchange no-delay
for the sibling reverse proxy.

HTH.

--
Guillaume

Re: Problem with Squid 2.6 as reverse proxy

Santiago Del Castillo-3
But a lot (more than one hundred) vhosts will point to this squid and
not everyone point to the same server, how do I specify which domain
goes to which origin? Do I have to set it one by one by hand? :-/

Cheers!
Santiago

On 6/6/07, Guillaume Smet <[hidden email]> wrote:

> On 6/6/07, Santiago Del Castillo <[hidden email]> wrote:
> > Because i'm not setting as sibling right now. First i want to make it
> > work as virtual host reverse proxy. Once working i'll set it as
> > sibling squid.
>
> You have to set a parent cache_peer anyway. Squid 2.6 is a bit
> different than 2.5 for that.
>
> So define a parent cache peer and add sibling when you want it.
>
> For example, I have something like:
> cache_peer X.X.X.X parent 80 0 no-query no-digest no-netdb-exchange
> no-delay originserver
> which is my Apache server
> then I have:
> cache_peer X.X.X.X sibling 8080 3130 no-digest no-netdb-exchange no-delay
> for the sibling reverse proxy.
>
> HTH.
>
> --
> Guillaume
>

Re: Problem with Squid 2.6 as reverse proxy

Henrik Nordström
In reply to this post by Santiago Del Castillo-3
On Wed 2007-06-06 at 15:38 -0300, Santiago Del Castillo wrote:
> Hi, I'm having problems configuring Squid 2.6 RELEASE13 as reverse proxy

> cache.log:
>
> 2007/06/05 18:08:35| Failed to select source for
> 'http://XXXXXXXX.com//styles/best.css'
> 2007/06/05 18:08:35|   always_direct = 0
> 2007/06/05 18:08:35|    never_direct = 0
> 2007/06/05 18:08:35|        timedout = 0

You need a cache_peer telling Squid where to forward the requests.

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

Regards
Henrik

|

Re: Problem with Squid 2.6 as reverse proxy

Henrik Nordström
In reply to this post by Santiago Del Castillo-3
On Wed 2007-06-06 at 18:22 -0300, Santiago Del Castillo wrote:
> But a lot (more than one hundred) vhosts will point to this squid and
> not everyone point to the same server, how do I specify which domain
> goes to which origin? Do I have to set it one by one by hand? :-/

http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-c073a2271a01dac8f222cff894d358707fd497ec

Regards
Henrik

|

Re: Problem with Squid 2.6 as reverse proxy

Santiago Del Castillo-3
In reply to this post by Henrik Nordström
Hi henrik,

One question: can wildcards be used on cache_peer_access?? Because
i've 100 domains (www1.example.com, www2.example.com ...
www*.example.com) forwarded to one specific origin server and it could
be great if i could use www*.example.com  on cache_peer_access rule

Also that may change and i've to forward from www1 to www50 to other
origin server... How should I do that in a few lines and not more than
50?

Thanks!!
Santiago


On 6/6/07, Henrik Nordstrom <[hidden email]> wrote:

> On Wed 2007-06-06 at 15:38 -0300, Santiago Del Castillo wrote:
> > Hi, I'm having problems configuring Squid 2.6 RELEASE13 as reverse proxy
>
> > cache.log:
> >
> > 2007/06/05 18:08:35| Failed to select source for
> > 'http://XXXXXXXX.com//styles/best.css'
> > 2007/06/05 18:08:35|   always_direct = 0
> > 2007/06/05 18:08:35|    never_direct = 0
> > 2007/06/05 18:08:35|        timedout = 0
>
> You need a cache_peer telling Squid where to forward the requests.
>
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>
> Regards
> Henrik
>

Re: Problem with Squid 2.6 as reverse proxy

Henrik Nordström
On Wed 2007-06-06 at 19:34 -0300, Santiago Del Castillo wrote:
> Hi henrik,
>
> One question: can wildcards be used on cache_peer_access?? Because
> i've 100 domains (www1.example.com, www2.example.com ...
> www*.example.com) forwarded to one specific origin server and it could
> be great if i could use www*.example.com  on cache_peer_access rule

Yes, using the dstdom_regex acl in cache_peer_access. Or if it's the
whole domain then use a dstdomain acl .example.com

> Also that may change and i've to forward from www1 to www50 to other
> origin server... How should I do that in a few lines and not more than
> 50?

1 to 50 is ([1-9]|[1-4][0-9]|50) in regex, so www(1-50).example.com
becomes

  ^www\([1-9]|[1-4][0-9]|50\)\.example\.com$

But you can also use the dstdomain acl, with a list of all domains. Or
exclusions using !acl in cache_peer_access.

Regards
Henrik

|

Re: Problem with Squid 2.6 as reverse proxy

Santiago Del Castillo-3
That didn't work well

I used \([1-9]|[1-4][0-9]|50\) and saw:

2007/06/07 18:23:10| Failed to select source for
'http://www2.xxxxxx.com/2/AF/AA/Sol/last_photo.jpg'
2007/06/07 18:23:10|   always_direct = 0
2007/06/07 18:23:10|    never_direct = 0
2007/06/07 18:23:10|        timedout = 0

The pattern I found is that it just fails with units ([1-9]) the rest
works OK. What it could be?

Tried to use [123456789] and it also fails.

Cheers,
Santiago

On 6/7/07, Henrik Nordstrom <[hidden email]> wrote:

> On Wed 2007-06-06 at 19:34 -0300, Santiago Del Castillo wrote:
> > Hi henrik,
> >
> > One question: can wildcards be used on cache_peer_access?? Because
> > i've 100 domains (www1.example.com, www2.example.com ...
> > www*.example.com) forwarded to one specific origin server and it could
> > be great if i could use www*.example.com  on cache_peer_access rule
>
> Yes, using the dstdom_regex acl in cache_peer_access. Or if it's the
> whole domain then use a dstdomain acl .example.com
>
> > Also that may change and i've to forward from www1 to www50 to other
> > origin server... How should I do that in a few lines and not more than
> > 50?
>
> 1 to 50 is ([1-9]|[1-4][0-9]|50) in regex, so www(1-50).example.com
> becomes
>
>   ^www\([1-9]|[1-4][0-9]|50\)\.example\.com$
>
> But you can also use the dstdomain acl, with a list of all domains. Or
> exclusions using !acl in cache_peer_access.
>
> Regards
> Henrik
>
>

Re: Re: Problem with Squid 2.6 as reverse proxy

Santiago Del Castillo-3
Didn't work either :(

On 6/8/07, [hidden email] <[hidden email]> wrote:

> > That didn't work well
> >
> > I used \([1-9]|[1-4][0-9]|50\) and saw:
> >
> > 2007/06/07 18:23:10| Failed to select source for
> > 'http://www2.xxxxxx.com/2/AF/AA/Sol/last_photo.jpg'
> > 2007/06/07 18:23:10|   always_direct = 0
> > 2007/06/07 18:23:10|    never_direct = 0
> > 2007/06/07 18:23:10|        timedout = 0
> >
> > The pattern I found is that it just fails with units ([1-9]) the rest
> > works OK. What it could be?
> >
> > Tried to use [123456789] and it also fails.
> >
> > Cheers,
> > Santiago
> >
>
> Um, maybe something to do with branches in the match
> give this a test and see if it works better
>
>  \([1-4]\([0-9]\)?|50|[5-9]\)
>
> Amos
>
>

Re: Re: Problem with Squid 2.6 as reverse proxy

Chris Robertson-2
Santiago Del Castillo wrote:

>
> On 6/8/07, [hidden email] <[hidden email]> wrote:
>> > That didn't work well
>> >
>> > I used \([1-9]|[1-4][0-9]|50\) and saw:
>> >
>> > 2007/06/07 18:23:10| Failed to select source for
>> > 'http://www2.xxxxxx.com/2/AF/AA/Sol/last_photo.jpg'
>> > 2007/06/07 18:23:10|   always_direct = 0
>> > 2007/06/07 18:23:10|    never_direct = 0
>> > 2007/06/07 18:23:10|        timedout = 0
>> >
>> > The pattern I found is that it just fails with units ([1-9]) the rest
>> > works OK. What it could be?
>> >
>> > Tried to use [123456789] and it also fails.
>> >
>> > Cheers,
>> > Santiago
>> >
>>
>> Um, maybe something to do with branches in the match
>> give this a test and see if it works better
>>
>>  \([1-4]\([0-9]\)?|50|[5-9]\)
>>
>> Amos
> Didn't work either :(

Please don't post your replies at the top of the message.  It makes the
archives hard to read.

To be perfectly clear, can you repost your squid.conf  (minus comments
and blank lines*)?  Perhaps there is a different configuration issue at
play.

Chris

* From a Unix-like host the following line (with the proper path to your
squid.conf) will manage this:

grep -v "^#" /path/to/squid.conf | sed -e '/^$/d'

Re: Re: Problem with Squid 2.6 as reverse proxy

Jenn G.
2007/6/9, Chris Robertson <[hidden email]>:
>
> grep -v "^#" /path/to/squid.conf | sed -e '/^$/d'
>

I use,
perl -ne 'next if /^$|^#/;print' squid.conf
:-)

Re: Re: Problem with Squid 2.6 as reverse proxy

Santiago Del Castillo-3
In reply to this post by Chris Robertson-2
On 6/8/07, Chris Robertson <[hidden email]> wrote:

> Santiago Del Castillo wrote:
> >
> > On 6/8/07, [hidden email] <[hidden email]> wrote:
> >> > That didn't work well
> >> >
> >> > I used \([1-9]|[1-4][0-9]|50\) and saw:
> >> >
> >> > 2007/06/07 18:23:10| Failed to select source for
> >> > 'http://www2.xxxxxx.com/2/AF/AA/Sol/last_photo.jpg'
> >> > 2007/06/07 18:23:10|   always_direct = 0
> >> > 2007/06/07 18:23:10|    never_direct = 0
> >> > 2007/06/07 18:23:10|        timedout = 0
> >> >
> >> > The pattern I found is that it just fails with units ([1-9]) the rest
> >> > works OK. What it could be?
> >> >
> >> > Tried to use [123456789] and it also fails.
> >> >
> >> > Cheers,
> >> > Santiago
> >> >
> >>
> >> Um, maybe something to do with branches in the match
> >> give this a test and see if it works better
> >>
> >>  \([1-4]\([0-9]\)?|50|[5-9]\)
> >>
> >> Amos
> > Didn't work either :(
>
> Please don't post your replies at the top of the message.  It makes the
> archives hard to read.
>
> To be perfectly clear, can you repost your squid.conf  (minus comments
> and blank lines*)?  Perhaps there is a different configuration issue at
> play.
>
>
> * From a Unix-like host the following line (with the proper path to your
> squid.conf) will manage this:
>
> grep -v "^#" /path/to/squid.conf | sed -e '/^$/d'
>

Hi chris

didn't know that about posting on top of the message. Sorry about that!

I fixed the problem by using visual REGEXP to make the regexp and I
deleted the backslashes from the parentheses... here's what I got and
works great:

acl flodeo dstdom_regex ^www(6|7|8|9|[1234][0123456789]?|50?)\.example\.com$


Thank you all for the help!!

Santiago
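
An added example, not part of the original thread: it shows why the backslashed parentheses failed for single-digit hosts while two-digit hosts appeared to work, and why removing the backslashes fixed it. It assumes Squid's dstdom_regex is evaluated as a POSIX extended regex, the same syntax `grep -E` uses; the hostnames are constructed samples.

```shell
#!/bin/sh
# Constructed sample hostnames; example.com / other.net stand in for real vhosts.
HOSTS="www2.example.com www9.example.com www17.example.com www50.example.com
www51.example.com www100.example.com www33.other.net"

# Pattern as first tried in the thread: in extended syntax \( and \) are
# literal parentheses, so the | operators split the WHOLE pattern into
#   ^www\([1-9]      [1-4][0-9]      50\)\.example\.com$
# and only the unanchored middle branch can ever match a real hostname.
ESCAPED='^www\([1-9]|[1-4][0-9]|50\)\.example\.com$'

# Same pattern with a real group: the anchors now apply to every branch.
GROUPED='^www([1-9]|[1-4][0-9]|50)\.example\.com$'

# Pattern from the final message of the thread.
FINAL='^www(6|7|8|9|[1234][0123456789]?|50?)\.example\.com$'

# matches PATTERN -> space-separated list of $HOSTS accepted by the ERE
matches() {
    out=""
    for h in $HOSTS; do
        if printf '%s\n' "$h" | grep -Eq -- "$1"; then
            out="$out $h"
        fi
    done
    printf '%s' "${out# }"
}

# Show what each pattern accepts when the script is run directly.
for p in "$ESCAPED" "$GROUPED" "$FINAL"; do
    printf '%s\n  -> %s\n' "$p" "$(matches "$p")"
done
```

The escaped form accepts any host containing a number from 10 to 49, including www100.example.com and www33.other.net, so in a cache_peer_access rule it would also route unrelated hosts to that peer.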