Proxy AND reverse proxy

Proxy AND reverse proxy

bret.jerome
Hi,

I use squid-2.6.STABLE5-NT as a proxy for my organisation.
There is no problem.
Now, I want to use squid as a reverse proxy, for my website.
The site that I want to publish is on an IIS6 and SSL.
In the intranet, the direct connection to the site is
https://172.17.1.1/SITE/

This is my squid config:
http_port 3128 # for the proxy cache
httpd_accel_host 172.17.1.1 # IP address of web server
httpd_accel_port 443 # Port of web server
httpd_accel_single_host on # Forward uncached requests to single host
httpd_accel_with_proxy on
httpd_accel_uses_host_header off

When I try https://my.public.ip/SITE/
I have an error

Could you help me?
Thanks

Jérôme


Re: Proxy AND reverse proxy

Henrik Nordström
Wed 2007-05-30 at 15:58 +0200, bret.jerome wrote:

> I use squid-2.6.STABLE5-NT as a proxy for my organisation.
> There is no problem.
> Now, I want to use squid as a reverse proxy, for my website.
> The site that I want to publish is on an IIS6 and SSL.
> In the intranet, the direct connection to the site is
> https://172.17.1.1/SITE/
>
> This is my squid config:
> http_port 3128 # for the proxy cache
> httpd_accel_host 172.17.1.1 # IP address of web server
> httpd_accel_port 443 # Port of web server
> httpd_accel_single_host on # Forward uncached requests to single host
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header off

The above is for Squid-2.5, and additionally won't do what you are
after.. (2.5 can't).

For Squid-2.6 see the FAQ. Much simpler, and fully capable of doing what
you are after. For https you need to use the https_port directive, which
requires a usable SSL certificate (and key).

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

Regards
Henrik


RE: Proxy AND reverse proxy

bret.jerome
OK, thanks.
To simplify, I try to work with a non-SSL site, and if it
works I try SSL.

I do this in my squid.conf:
http_port 3128 accel defaultsite=SITE
cache_peer 172.17.0.1 parent 80 0 no-query originserver

But I get an error when I try to launch squid:
FATAL: Bungled squid.conf line 332: http_port 3128 accel defaultsite=SITE
Squid Cache (Version 2.6.STABLE5-NT): Terminated abnormally.

In summary, my squid works fine in proxy cache mode. This is the conf:
http_port 3128   # for proxy cache
cache_peer localhost parent 8080 0 default no-query     # to use an antivirus proxy

auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -R -b ......    # to identify my users
auth_param basic children 5
auth_param basic realm Authentification
auth_param basic credentialsttl 30 second

acl MONRESEAU src 172.17.0.0/255.255.0.0
acl AUTHENT proxy_auth REQUIRED
...
http_access allow MONRESEAU AUTHENT
http_access deny all

In Firefox, the proxy config is IP: 192.168.150.1 and port: 3128

Squid is on a server in the DMZ.
I have opened the route and ACL in the firewall.
My site in the intranet, http://172.17.0.1/SITE/, works fine.
Now I want to access this site from the Internet like this:
http://PU.BL.IC.IP/SITE/
How to do this?
Thanks.

Jérôme

PS: sorry for my poor English... ;-)


-----Original Message-----
From: Henrik Nordstrom [mailto:[hidden email]]
Sent: Wednesday, 30 May 2007 20:10
To: bret.jerome
Cc: squid-users
Subject: Re: [squid-users] Proxy AND reverse proxy

Wed 2007-05-30 at 15:58 +0200, bret.jerome wrote:

> I use squid-2.6.STABLE5-NT as a proxy for my organisation.
> There is no problem.
> Now, I want to use squid as a reverse proxy, for my website.
> The site that I want to publish is on an IIS6 and SSL.
> In the intranet, the direct connection to the site is
> https://172.17.1.1/SITE/
>
> This is my squid config:
> http_port 3128 # for the proxy cache
> httpd_accel_host 172.17.1.1 # IP address of web server
> httpd_accel_port 443 # Port of web server
> httpd_accel_single_host on # Forward uncached requests to single host
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header off

The above is for Squid-2.5, and additionally won't do what you
are after.. (2.5 can't).

For Squid-2.6 see the FAQ. Much simpler, and fully capable of
doing what you are after. For https you need to use the
https_port directive, which requires a usable SSL certificate
(and key).

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

Regards
Henrik



RE: Proxy AND reverse proxy

Henrik Nordström
Thu 2007-05-31 at 18:31 +0200, bret.jerome wrote:

> OK, thanks.
> To simplify, I try to work with a non-SSL site, and if it
> works I try SSL.
>
> I do this in my squid.conf:
> http_port 3128 accel defaultsite=SITE
> cache_peer 172.17.0.1 parent 80 0 no-query originserver
>
> But I get an error when I try to launch squid:
> FATAL: Bungled squid.conf line 332: http_port 3128 accel defaultsite=SITE
> Squid Cache (Version 2.6.STABLE5-NT): Terminated abnormally.

See FAQ again.. and read the whole of "How do I set it up?".

Or upgrade to a more recent 2.6 version..

Regards
Henrik


RE: Proxy AND reverse proxy

bret.jerome
I upgraded squid to version 2.6.STABLE13-NT

I do this in my squid.conf:
http_port 3128 accel defaultsite=SITE
cache_peer 172.17.0.1 parent 80 0 no-query originserver

No problem starting squid, but when I try to access my site
I have an Invalid request error...
Could you help me?
Thanks

Jérôme

-----Original Message-----
From: Henrik Nordstrom [mailto:[hidden email]]
Sent: Saturday, 2 June 2007 15:44
To: bret.jerome
Cc: squid-users
Subject: RE: [squid-users] Proxy AND reverse proxy

Thu 2007-05-31 at 18:31 +0200, bret.jerome wrote:
> OK, thanks.
> To simplify, I try to work with a non-SSL site, and if it
> works I try SSL.
>
> I do this in my squid.conf:
> http_port 3128 accel defaultsite=SITE
> cache_peer 172.17.0.1 parent 80 0 no-query originserver
>
> But I get an error when I try to launch squid:
> FATAL: Bungled squid.conf line 332: http_port 3128 accel defaultsite=SITE
> Squid Cache (Version 2.6.STABLE5-NT): Terminated abnormally.

See FAQ again.. and read the whole of "How do I set it up?".

Or upgrade to a more recent 2.6 version..

Regards
Henrik



RE: Proxy AND reverse proxy

Henrik Nordström
Wed 2007-06-06 at 18:30 +0200, bret.jerome wrote:
> I upgraded squid to version 2.6.STABLE13-NT
>
> I do this in my squid.conf:
> http_port 3128 accel defaultsite=SITE
> cache_peer 172.17.0.1 parent 80 0 no-query originserver
>
> No problem starting squid, but when I try to access my site
> I have an Invalid request error...

You run your site on port 3128?

Are you sure you don't have another http_port 80 line, missing the
defaultsite?

Regards
Henrik


RE: Proxy AND reverse proxy

Henrik Nordström
Thu 2007-06-07 at 09:53 +0200, bret.jerome wrote:
> My site runs on port 80 on 172.17.0.1
> But my proxy cache squid runs on port 3128 on 192.168.150.1
> In my squid.conf, I have just these 2 lines:
> http_port 3128    # for proxy cache
> http_port 3128 accel defaultsite=SITE    # for accelerator proxy
>
> I don't understand what the defaultsite is... The IP address
> of the server? The name of the server?


You can't have two http_port with the exact same port (at least not
without also binding them to different IPs on the server).

What I would expect your configuration to look like is something like
the following:

http_port 80 accel defaultsite=your.web.site

http_port 3128


This is to make Squid act as a reverse proxy for your.web.site on port 80,
and a forward Internet proxy on port 3128.

Regards
Henrik



RE: Proxy AND reverse proxy

bret.jerome
OK, I have in my squid.conf:
http_port 80 accel defaultsite=your.web.site
http_port 3128

But I don't understand what the defaultsite is.
I don't have a domain name.
I want to access my site like this:
http://123.123.123.123/SITE/

In this case, what's the defaultsite?
Thanks a lot.

Jérôme

-----Original Message-----
From: Henrik Nordstrom [mailto:[hidden email]]
Sent: Thursday, 7 June 2007 10:45
To: bret.jerome
Cc: squid-users
Subject: RE: [squid-users] Proxy AND reverse proxy

Thu 2007-06-07 at 09:53 +0200, bret.jerome wrote:
> My site runs on port 80 on 172.17.0.1
> But my proxy cache squid runs on port 3128 on 192.168.150.1
> In my squid.conf, I have just these 2 lines:
> http_port 3128    # for proxy cache
> http_port 3128 accel defaultsite=SITE    # for accelerator proxy
>
> I don't understand what the defaultsite is... The IP address
> of the server? The name of the server?


You can't have two http_port with the exact same port (at
least not without also binding them to different IPs on the
server).

What I would expect your configuration to look like is
something like the following:

http_port 80 accel defaultsite=your.web.site

http_port 3128


This is to make Squid act as a reverse proxy for your.web.site on
port 80, and a forward Internet proxy on port 3128.

Regards
Henrik




RE: Proxy AND reverse proxy

Henrik Nordström
Thu 2007-06-07 at 14:57 +0200, bret.jerome wrote:

> OK, I have in my squid.conf:
> http_port 80 accel defaultsite=your.web.site
> http_port 3128
>
> But I don't understand what the defaultsite is.
> I don't have a domain name.
> I want to access my site like this:
> http://123.123.123.123/SITE/
>
> In this case, what's the defaultsite?

123.123.123.123, if that's the official site name the browsers should
see..

Regards
Henrik


RE: Proxy AND reverse proxy

bret.jerome
OK, for the moment the defaultsite is my public IP address.

This is my squid.conf:
http_port 3128     # for proxy cache
cache_peer localhost parent 8080 0 default no-query     # for proxy cache antivirus

http_port 80 accel defaultsite=123.123.123.123          # for reverse proxy
cache_peer 172.17.1.1 parent 80 0 no-query originserver    # internal server for reverse proxy

When I try to access http://123.123.123.123/SITE from the Internet
I have an ERR_ACCESS_DENIED error!

Could you help me?
Thanks

Jérôme

-----Original Message-----
From: Henrik Nordstrom [mailto:[hidden email]]
Sent: Thursday, 7 June 2007 15:19
To: bret.jerome
Cc: squid-users
Subject: RE: [squid-users] Proxy AND reverse proxy

Thu 2007-06-07 at 14:57 +0200, bret.jerome wrote:
> OK, I have in my squid.conf:
> http_port 80 accel defaultsite=your.web.site
> http_port 3128
>
> But I don't understand what the defaultsite is.
> I don't have a domain name.
> I want to access my site like this:
> http://123.123.123.123/SITE/
>
> In this case, what's the defaultsite?


123.123.123.123, if that's the official site name the browsers should see..

Regards
Henrik

RE: Proxy AND reverse proxy

Henrik Nordström
Fri 2007-06-08 at 14:00 +0200, Jerome wrote:

> OK, for the moment the defaultsite is my public IP address.
>
> This is my squid.conf:
> http_port 3128     # for proxy cache
> cache_peer localhost parent 8080 0 default no-query     # for proxy cache antivirus
>
> http_port 80 accel defaultsite=123.123.123.123          # for reverse proxy
> cache_peer 172.17.1.1 parent 80 0 no-query originserver    # internal server for reverse proxy
>
> When I try to access http://123.123.123.123/SITE from the Internet
> I have an ERR_ACCESS_DENIED error!

What do your http_access rules look like? You need to allow all access
to the 123.123.123.123 destination..

You also need a bit of cache_peer_access to tell Squid when each of the
peers should be used.

acl mysite dstdomain 123.123.123.123
cache_peer_access localhost deny mysite
cache_peer_access 172.17.1.1 allow mysite

Regards
Henrik
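
The three configuration problems worked through in this thread (two http_port lines on the same port, several cache_peer lines with no cache_peer_access, and a reverse-proxied site that no http_access rule allows) can be checked mechanically. The Python below is an added example, not part of the original posts and not Squid's own code; `parse`, `lint`, `BROKEN` and `FIXED` are hypothetical names, the sample configurations are constructed from the ones quoted above, and the checks are heuristics that read only the directives named in the thread.

```python
def parse(conf):
    """Split squid.conf text into token lists, dropping comments and blanks."""
    return [t for t in (ln.split("#", 1)[0].split() for ln in conf.splitlines()) if t]


def lint(conf):
    """Heuristic check for the three problems worked through in the thread."""
    rows, findings = parse(conf), []
    ports = [r for r in rows if r[0] == "http_port" and len(r) > 1]
    # 1. Two http_port lines with the same address:port cannot both bind.
    addrs = [r[1] for r in ports]
    findings += [f"duplicate http_port {a}" for a in sorted(set(addrs)) if addrs.count(a) > 1]
    # 2. With several cache_peer lines, each peer needs a cache_peer_access rule.
    peers = [r[1] for r in rows if r[0] == "cache_peer" and len(r) > 1]
    routed = {r[1] for r in rows if r[0] == "cache_peer_access" and len(r) > 1}
    if len(peers) > 1:
        findings += [f"no cache_peer_access for peer {p}" for p in peers if p not in routed]
    # 3. Each accelerated site must be allowed by http_access before "deny all".
    rules = [r[1:] for r in rows if r[0] == "http_access"]
    cut = rules.index(["deny", "all"]) if ["deny", "all"] in rules else len(rules)
    for r in ports:
        for opt in (o for o in r[2:] if "accel" in r[2:] and o.startswith("defaultsite=")):
            site = opt.split("=", 1)[1]
            acls = {a[1] for a in rows if a[0] == "acl" and a[2:3] == ["dstdomain"] and site in a[3:]}
            if not any(len(x) == 2 and x[0] == "allow" and x[1] in acls for x in rules[:cut]):
                findings.append(f"http_access does not allow {site}")
    return findings


# Constructed sample: the last configuration posted in the thread.
BROKEN = """\
http_port 3128     # for proxy cache
cache_peer localhost parent 8080 0 default no-query
http_port 80 accel defaultsite=123.123.123.123
cache_peer 172.17.1.1 parent 80 0 no-query originserver
acl MONRESEAU src 172.17.0.0/255.255.0.0
acl AUTHENT proxy_auth REQUIRED
http_access allow MONRESEAU AUTHENT
http_access deny all
"""
# Constructed sample: the same configuration with the rules from the final reply.
FIXED = BROKEN.replace(
    "http_access allow MONRESEAU",
    "acl mysite dstdomain 123.123.123.123\nhttp_access allow mysite\nhttp_access allow MONRESEAU",
) + "cache_peer_access localhost deny mysite\ncache_peer_access 172.17.1.1 allow mysite\n"

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint(conf) or "no findings")
```

In `FIXED` the unauthenticated allow rule is scoped to the `mysite` ACL, so requests for any other destination still have to match `MONRESEAU AUTHENT`.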
