Squid as reverse proxy for two or more webs

Squid as reverse proxy for two or more webs

erdosain9
Hi to all.
I was reading several tutorials and I cannot find what I'm doing wrong.
I want to use Squid to redirect to these two sites that are both within my
domain.

In my internal DNS I have declared both servers with their corresponding
IPs, and also Squid.

reverse.mydomain.lan 192.168.1.21 (SQUID)

php.mydomain.lan 192.168.1.223
ticket.mydomain.lan 192.168.1.246

In addition to the internal DNS, I have /etc/hosts configured with
these values:
[root@squidReverse ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.21  reverse.mydomain.lan
192.168.1.246 ticket.mydomain.lan
192.168.1.223 php.mydomain.lan


This is the Squid configuration for the reverse proxy:

http_port 192.168.1.21:80 accel vhost

cache_peer 192.168.1.246 parent 80 0 proxy-only name=ticket
cache_peer 192.168.1.223 parent 80 0 proxy-only name=php

acl ticket_acl dstdomain .MYDOMAIN.lan
http_access allow ticket_acl
cache_peer_access ticket allow ticket_acl


acl php_acl dstdomain .MYDOMAIN.lan
http_access allow php_acl
cache_peer_access php allow php_acl

With this config, when I go to reverse.mydomain.lan (from a web browser) I
get the ticket web, but how can I go to the second web, the php web?

I don't get it. If I go to ticket.reverse.mydomain.lan I get nothing; it
does not even reach Squid, and neither does php.reverse.mydomain.lan.

Thanks to all.






--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid as reverse proxy for two or more webs

Sticher, Jascha
Hi,

> acl ticket_acl dstdomain .MYDOMAIN.lan
This matches *.mydomain.lan - php.mydomain.lan as well as ticket.mydomain.lan

As the configuration is used top-to-bottom, the first of the cache_peers will be used (as only one parent is used).

Use more specific ACLs to mitigate this:

acl ticket_acl dstdomain ticket.MYDOMAIN.lan
acl php_acl dstdomain php.MYDOMAIN.lan


Kind regards,
Jascha



Re: Squid as reverse proxy for two or more webs

Amos Jeffries
In reply to this post by erdosain9
On 11/08/18 01:15, erdosain9 wrote:

> Hi to all.
> I was reading several tutorials and I can not find what I'm doing wrong.
> I want to use squid to redirect to these two sites that are both within my
> domain.
>
> In my internal dns I have declared both servers, with their corresponding
> ips, also squid.
>
> reverse.mydomain.lan 192.168.1.21 (SQUID)
>

So "reverse.mydomain.lan" is the public name which your users/clients
are browsing ...


> php.mydomain.lan 192.168.1.223
> ticket.mydomain.lan 192.168.1.246

.. and clients never connect to the above directly. So these domains are
never to be accessed by users/clients.

If (as I suspect) the above statements are not true, then your naming is
the first thing that is wrong.

The domain name(s) which your clients access should point to the proxy.
There can be multiple.

>
> In addition to the internal DNS, I have the / etc / hosts configured with
> these values:
> [root@squidReverse ~]# cat /etc/hosts
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> #::1         localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 192.168.1.21  reverse.mydomain.lan
> 192.168.1.246 ticket.mydomain.lan
> 192.168.1.223 php.mydomain.lan
>

These entries are not required when internal DNS is properly configured.

(FYI: Current Squid versions can also use multicast-DNS for LAN servers
if you use the standardized .local TLD for internal server names. That
is not related to your problem though.)

>
> This is the configuration of the squid referring to the reverse proxy:
>
> http_port 192.168.1.21:80 accel vhost
>
> cache_peer 192.168.1.246 parent 80 0 proxy-only name=ticket
> cache_peer 192.168.1.223 parent 80 0 proxy-only name=php
>
> acl ticket_acl dstdomain .MYDOMAIN.lan
> http_access allow ticket_acl
> cache_peer_access ticket allow ticket_acl
>
>
> acl php_acl dstdomain .MYDOMAIN.lan
> http_access allow php_acl
> cache_peer_access php allow php_acl
>
> With this config when i go to reverse.mydomain.lan (from a web browser) i
> get the ticket web, but how i can go to the second web?? php web??

Right now your ticket_acl and php_acl are exactly the same. So they are
telling Squid that both peers are providing identical content (ie both
are authoritative for anything inside *.mydomain.lan). The first of the
available peers will be used, unless it starts to overload then the
second will start receiving the traffic.


To send traffic to one of the peers and not the other you need some way
to distinguish between them.

Normally you would have the ticket.* and php.* domain names both
pointing at Squid (192.168.1.21) so your ACLs can check for and use the
domain name to identify which peer is supposed to receive it.

The cache_peer can use a raw IP like you have, or a *different* server name
from DNS pointing at the particular peer, which can serve the content
your ACLs let Squid send to it.

The config example you want to follow is
<https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers>.


Amos

Re: Squid as reverse proxy for two or more webs

erdosain9
In reply to this post by Sticher, Jascha
Ok, thanks. I changed that.

Now, if I go to reverse.mydomain.lan I get this error:

"Unable to forward this request at this time."

1533909140.268      0 192.168.6.20 TCP_IMS_HIT/304 355 GET http://reverse.mydomain.lan/squid-internal-static/icons/SN.png - HIER_NONE/- image/png

But what would be the URL that I have to write to go to each site?
(Sorry for my ignorance.)

Thanks again







Re: Squid as reverse proxy for two or more webs

Antony Stone
On Friday 10 August 2018 at 15:54:01, erdosain9 wrote:

> Ok, thanks. I change that.

1. Changed what?

2. Show us your current DNS entries, and tell us which steps you followed from
https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers

> Now, if i go to reverse.mydomain.lan i get this error:

Why would you go to that address?

Surely you are trying to get requests for:

php.mydomain.lan
ticket.mydomain.lan

to work?

3. What happens when you ask for those in your browser?


Antony.

--
What do you get when you cross a joke with a rhetorical question?

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Squid as reverse proxy for two or more webs

erdosain9
In reply to this post by Amos Jeffries

> php.mydomain.lan 192.168.1.223
> ticket.mydomain.lan 192.168.1.246

>.. and clients never connect to the above directly. So these domains are
>never to be accessed by users/clients.

The clients can connect directly to the domain. (I mean they can connect
directly at work, but I want to do this reverse proxy for when they are at
home.) I haven't published any of this yet; I'm trying to do it first inside
my network.

>If (as I suspect) the above statements are not true, then your naming is
>the first thing that is wrong.

Why?

>The domain name(s) which your clients access should point to the proxy.
>There can be multiple.

I don't get this.

>Right now your ticket_acl and php_acl are exactly the same. So they are
>telling Squid that both peers are providing identical content (ie both
>are authoritative for anything inside *.mydomain.lan). The first of the
>available peers will be used, unless it starts to overload then the
>second will start receiving the traffic.


>To send traffic to one of the peers and not the other you need some way
>to distinguish between them.

>Normally you would have the ticket.* and php.* domain names both
>pointing at Squid (192.168.1.21) so your ACLs can check for and use the
>domain name to identify which peer is supposed to receive it.

I created two entries pointing to Squid in DNS now.
site1.mydomain.lan
site2.mydomain.lan

>The config example you want to follow is
><https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers>.

I read that... but I don't get what I'm doing wrong.


This is the config now.

http_port 192.168.1.21:80 accel vhost


cache_peer 192.168.1.246 parent 80 0 proxy-only name=site1
cache_peer 192.168.1.223 parent 80 0 proxy-only name=site2


acl soporte_acl dstdomain ticket.MYDOMAIN.lan
http_access allow soporte_acl
cache_peer_access site1 allow soporte_acl


acl phplists_acl dstdomain php.MYDOMAIN.lan
http_access allow phplists_acl
cache_peer_access site2 allow phplists_acl

------------------------------------------------------------

But I get this error:

"Unable to forward this request at this time."

1533911112.071      1 192.168.6.20 TCP_MISS/500 4605 GET http://site1.MYDOMAIN.lan/ - HIER_NONE/- text/html
1533911112.193      0 192.168.6.20 TCP_MEM_HIT_ABORTED/200 4274 GET http://reverse.MYDOMAIN.lan/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
1533911124.117      0 192.168.6.20 TCP_MISS/500 4605 GET http://site2.MYDOMAIN.lan/ - HIER_NONE/- text/html
1533911124.217      0 192.168.6.20 TCP_MEM_HIT_ABORTED/200 4274 GET http://reverse.MYDOMAIN.lan/squid-internal-static/icons/SN.png - HIER_NONE/- image/png

Thanks to all.




Re: Squid as reverse proxy for two or more webs

Antony Stone
On Friday 10 August 2018 at 16:26:31, erdosain9 wrote:

> > php.mydomain.lan 192.168.1.223
> > ticket.mydomain.lan 192.168.1.246
> >
> >.. and clients never connect to the above directly. So these domains are
> >never to be accessed by users/clients.
>
> The client can connect directly from the domain. (i mean they can connect
> directly in work, but i want to do this (proxy reverse, for when they are
> at home...) I dont public yet nothing of this, im trying to do it first
> inside my network.

Ah, it might have been helpful for you to mention that in the first place.

> >If (as I suspect) the above statements are not true, then your naming is
> >the first thing that is wrong.
>
> Why?

Because the name the clients connect to must resolve to the IP address of
Squid for it to work as a reverse proxy.

> >The domain name(s) which your clients access should point to the proxy.
> >There can be multiple.
>
> I dont get this.

If name.domain.lan points to 10.20.30.40, then a client browser requesting
http://name.domain.lan will start talking to machine 10.20.30.40

If you want that to be the real server, that's fine.

If you want that machine to be squid acting as a reverse proxy, that's fine
too.

The point is that the IP address must point to the machine you want the client
to connect to.

> >Right now your ticket_acl and php_acl are exactly the same. So they are
> >telling Squid that both peers are providing identical content (ie both
> >are authoritative for anything inside *.mydomain.lan). The first of the
> >available peers will be used, unless it starts to overload then the
> >second will start receiving the traffic.
> >
> >
> >To send traffic to one of the peers and not the other you need some way
> >to distinguish between them.
> >
> >Normally you would have the ticket.* and php.* domain names both
> >pointing at Squid (192.168.1.21) so your ACLs can check for and use the
> >domain name to identify which peer is supposed to receive it.
>
> I create two entries pointing to squid in DNS now.
> site1.mydomain.lan
> site2.mydomain.lan

So, both of those resolve to 192.168.1.21, right?

> > The config example you want to follow is
> > https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers

>
> I read that... but i dont get what im doing wrong.

You want to follow the section:

Switching on Domains

Using cache_peer_access:

cache_peer ip.of.server1 parent 80 0 no-query originserver name=server_1
acl sites_server_1 dstdomain www.example.com example.com
cache_peer_access server_1 allow sites_server_1

> this is the config now.
>
> http_port 192.168.1.21:80 accel vhost
>
> cache_peer 192.168.1.246 parent 80 0 proxy-only name=site1
> cache_peer 192.168.1.223 parent 80 0 proxy-only name=site2

You are missing "originserver" at the very least.  Otherwise Squid expects to
find another proxy at the IP address.

> acl soporte_acl dstdomain ticket.MYDOMAIN.lan
> http_access allow soporte_acl
> cache_peer_access site1 allow soporte_acl
>
> acl phplists_acl dstdomain php.MYDOMAIN.lan
> http_access allow phplists_acl
> cache_peer_access site2 allow phplists_acl
>
> ------------------------------------------------------------
>
> But, i get this error
>
> " Unable to forward this request at this time."

...when you requested what as a URL?

> 1533911112.071      1 192.168.6.20 TCP_MISS/500 4605 GET
> http://site1.MYDOMAIN.lan/ - HIER_NONE/- text/html

Looks like you entered "site1.mydomain.lan" into your browser.

Try "ticket.mydomain.lan" (after correcting the above config problems) instead.

> 1533911112.193      0 192.168.6.20 TCP_MEM_HIT_ABORTED/200 4274 GET
> http://reverse.MYDOMAIN.lan/squid-internal-static/icons/SN.png -
> HIER_NONE/- image/png
> 1533911124.117      0 192.168.6.20 TCP_MISS/500 4605 GET
> http://site2.MYDOMAIN.lan/ - HIER_NONE/- text/html
> 1533911124.217      0 192.168.6.20 TCP_MEM_HIT_ABORTED/200 4274 GET
> http://reverse.MYDOMAIN.lan/squid-internal-static/icons/SN.png -
> HIER_NONE/- image/png


Antony.

--
Salad is what food eats.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Squid as reverse proxy for two or more webs

erdosain9
Antony Stone wrote
>> I create two entries pointing to squid in DNS now.
>> site1.mydomain.lan
>> site2.mydomain.lan
>
> So, both of those resolve to 192.168.1.21, right?
 
Yes, they resolve to the IP of Squid.
 
>> > The config example you want to follow is
>> > https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers
>
>>
>> I read that... but i dont get what im doing wrong.
>
> You want to follow the section:
>
> Switching on Domains
>
> Using cache_peer_access:
>
> cache_peer ip.of.server1 parent 80 0 no-query originserver name=server_1
> acl sites_server_1 dstdomain www.example.com example.com
> cache_peer_access server_1 allow sites_server_1
>
>> this is the config now.
>>
>> http_port 192.168.1.21:80 accel vhost
>>
>> cache_peer 192.168.1.246 parent 80 0 proxy-only name=site1
>> cache_peer 192.168.1.223 parent 80 0 proxy-only name=site2
>
> You are missing "originserver" at the very least.  Otherwise Squid expects
> to
> find another proxy at the IP address.
 
Oh, sorry. I tried with that config too. Anyway, I didn't know about that.
Thanks.
 
> ...when you requested what as a URL?

site1.mydomain.lan
>
>> 1533911112.071      1 192.168.6.20 TCP_MISS/500 4605 GET
>> http://site1.MYDOMAIN.lan/ - HIER_NONE/- text/html
>
> Looks like you entered "site1.mydomain.lan" into your browser.
 
Yep.
 
> Try "ticket.mydomain.lan" (after correcting the above config problems)
> instead.
 
Well, if I put ticket.mydomain.lan I go directly to the server I want to
go to.

This is:

ticket.mydomain.lan ----------------------------> Server 1
php.mydomain.lan ------------------------------> Server 2

site1.mydomain.lan --------------------------------> squid
site2.mydomain.lan --------------------------------> squid

For my config I expect that when Squid receives site1 it goes to
ticket.mydomain.lan, and for site2 it goes to php.mydomain.lan.
 
Thanks to all.






Re: Squid as reverse proxy for two or more webs

Amos Jeffries
On 11/08/18 02:56, erdosain9 wrote:

> Antony Stone wrote
>>> I create two entries pointing to squid in DNS now.
>>> site1.mydomain.lan
>>> site2.mydomain.lan
>>
>> So, both of those resolve to 192.168.1.21, right?
>>
>> Yes, the resolve to the ip of squid.
>>
>>>> The config example you want to follow is
>>>> https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers
>>
>>>
>>> I read that... but i dont get what im doing wrong.
>>
>> You want to follow the section:
>>
>> Switching on Domains
>>
>> Using cache_peer_access:
>>
>> cache_peer ip.of.server1 parent 80 0 no-query originserver name=server_1
>> acl sites_server_1 dstdomain www.example.com example.com
>> cache_peer_access server_1 allow sites_server_1
>>
>>> this is the config now.
>>>
>>> http_port 192.168.1.21:80 accel vhost
>>>
>>> cache_peer 192.168.1.246 parent 80 0 proxy-only name=site1
>>> cache_peer 192.168.1.223 parent 80 0 proxy-only name=site2
>>
>> You are missing "originserver" at the very least.  Otherwise Squid expects
>> to
>> find another proxy at the IP address.
>>
>> Oh, sorry. I try with that config too. anyway i dont know about that.
>> thanks.
>>

You are also missing the ACL parts which determine which domain goes to
which cache_peer server.


>> ...when you requested what as a URL?
>> site1.mydomain.lan
>>
>>> 1533911112.071      1 192.168.6.20 TCP_MISS/500 4605 GET
>>> http://site1.MYDOMAIN.lan/ - HIER_NONE/- text/html
>>
>> Looks like you entered "site1.mydomain.lan" into your browser.
>>
>> Yep.
>>
>> Try "ticket.mydomain.lan" (after correcting the above config problems)
>> instead.
>>
> Well, if if put ticket.mydomain.lan i go directly to the server i want to
> go.
>

This is why the domain name you want the clients to contact needs to be
pointing at Squid, not the origin servers.

Squid passes on the domain name it received from the client. Examples
below using your current config ...


> This is:
>
> ticket.mydomian.lan ----------------------------> Server  1
> php.mydomian.lan ------------------------------> Server 2
>
> site1.mydomain.lan --------------------------------> squid
> site2.mydomian.lan --------------------------------> squid
>
> for my config i expect that when squid receive site1 go to
> ticket.mydomain.lan
> and for site2 go to php.mydomain.lan
>

Then site1.* and site2.* are the domains which those origin servers need
to be hosting - not ticket.* or php.*.

The request flow looks like this:

* client requests http://site1.mydomain.lan/ which goes to Squid because
the A record for that domain is Squid's IP.

* Squid sends request for http://site1.mydomain.lan/ to server
ticket.mydomain.lan because cache_peer_access said it was allowed there.

* Server ticket.mydomain.lan receives request for
http://site1.mydomain.lan/ from Squid.


At no point does any URL or HTTP message contain "ticket.mydomain.lan".
I think this is where you are getting confused - thinking that the
origin server names mean something when they do not.

You do *not* need a domain's DNS entries to point at the origin for that
origin to provide responses for it.


This is also why you need to test the setup which will actually be used
when the proxy is put "in production". Testing with a fake domain
setup only ensures the fake domains work; the real ones may be fatally
broken.

Amos

Re: Squid as reverse proxy for two or more webs

erdosain9
Thanks to all!!
Now it is working fine.

Just one question, to know... I made this accessible from the internet,
so I created an acl 0.0.0.0/0 and it's working.
But is this a security issue, or is it OK to declare that ACL?
Thanks to all.




Re: Squid as reverse proxy for two or more webs

Antony Stone
On Friday 10 August 2018 at 20:13:06, erdosain9 wrote:

> Thanks to all!!
> Now is working fine.
>
> Just, one question to know... i make this accessible from the internet...
> so, i create some acl 0.0.0.0/0 and it's working.
> But.. this is a security issue??? or it's ok declare that ACL.

If you want everyone / anyone on the Internet to be able to get to your
servers, that is the obvious (and correct) ACL to use.


Regards,


Antony.

--
Bill Gates has personally assured the Spanish Academy that he will never allow
the upside-down question mark to disappear from Microsoft word-processing
programs, which must be reassuring for millions of Spanish-speaking people,
though just a piddling afterthought as far as he's concerned.

 - Lynne Truss, "Eats, Shoots and Leaves"

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Squid as reverse proxy for two or more webs

Amos Jeffries
On 11/08/18 09:43, Antony Stone wrote:
> On Friday 10 August 2018 at 20:13:06, erdosain9 wrote:
>
>> Thanks to all!!
>> Now is working fine.
>>
>> Just, one question to know... i make this accessible from the internet...
>> so, i create some acl 0.0.0.0/0 and it's working.

That is almost but deceptively not quite the same as "allow all".

>> But.. this is a security issue??? or it's ok declare that ACL.
>
> If you want everyone / anyone on the Internet to be able to get to your
> servers, that is the obvious (and correct) ACL to use.

No, sorry. It is not.

The correct config is to use:

 http_access allow foo

Where "foo" is the same ACLs you use on cache_peer_access to determine
which traffic goes to the peers.

That way Squid is able to block random other domains that virus scans
etc try to use to detect open proxies.

Amos
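To make the three rulings in this thread concrete (Jascha's point that a leading-dot dstdomain such as .MYDOMAIN.lan matches every host under it so the first cache_peer always wins, Antony's point about the missing originserver flag, and Amos's point that http_access should be built from the same ACLs as cache_peer_access rather than from a 0.0.0.0/0 allow), here is a small Python model of Squid's ACL evaluation run over configs constructed from the ones posted above. It is an added example, not code from the thread or from the Squid project; the parser, the three config strings and the simplification that non-dstdomain ACL types (such as a src 0.0.0.0/0) always match are my own assumptions.

```python
def parse(text):
    """Parse only the directives this thread is about; other lines are ignored."""
    cfg = {"acls": {}, "http_access": [], "peers": [], "peer_access": {}}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":                     # name -> [(type, args)]
            cfg["acls"].setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access":           # [(action, [acl names])]
            cfg["http_access"].append((words[1], words[2:]))
        elif words[0] == "cache_peer":            # [(name, has originserver flag)]
            name = next((w[5:] for w in words if w.startswith("name=")), words[1])
            cfg["peers"].append((name, "originserver" in words))
        elif words[0] == "cache_peer_access":     # peer -> [(action, [acl names])]
            cfg["peer_access"].setdefault(words[1], []).append((words[2], words[3:]))
    return cfg

def dstdomain_match(pattern, host):
    """Leading dot: the domain and all its subdomains; otherwise exact. Case-insensitive."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_match(cfg, name, host):
    if name == "all":
        return True
    for kind, args in cfg["acls"][name]:          # KeyError: undefined ACL, a config error
        if kind != "dstdomain":
            # Assumption: only dstdomain is modelled. A src ACL such as 0.0.0.0/0
            # matches every client, so other ACL types count as always matching.
            return True
        if any(dstdomain_match(p, host) for p in args):
            return True
    return False

def evaluate(cfg, rules, host, empty_default):
    """First matching line wins; if none matches, the opposite of the last line applies."""
    if not rules:
        return empty_default
    for action, names in rules:
        if all(acl_match(cfg, n, host) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def route(cfg, host):
    """'DENIED' by http_access, the chosen peer name, or 'NO_PEER' if no peer accepts it."""
    if evaluate(cfg, cfg["http_access"], host, "deny") == "deny":
        return "DENIED"
    for name, _ in cfg["peers"]:                  # first usable parent in config order
        if evaluate(cfg, cfg["peer_access"].get(name, []), host, "allow") == "allow":
            return name
    return "NO_PEER"

def peers_without_originserver(cfg):
    """Without 'originserver' Squid treats the peer as another proxy, not an origin."""
    return [name for name, origin in cfg["peers"] if not origin]


# Constructed from the first config in the thread: both ACLs cover *.mydomain.lan.
ORIGINAL = """
cache_peer 192.168.1.246 parent 80 0 proxy-only name=ticket
cache_peer 192.168.1.223 parent 80 0 proxy-only name=php
acl ticket_acl dstdomain .MYDOMAIN.lan
http_access allow ticket_acl
cache_peer_access ticket allow ticket_acl
acl php_acl dstdomain .MYDOMAIN.lan
http_access allow php_acl
cache_peer_access php allow php_acl
"""

# Constructed from the thread's advice: exact domains, originserver, explicit http_access.
FIXED = """
cache_peer 192.168.1.246 parent 80 0 no-query originserver name=ticket
cache_peer 192.168.1.223 parent 80 0 no-query originserver name=php
acl ticket_acl dstdomain ticket.mydomain.lan
acl php_acl dstdomain php.mydomain.lan
http_access allow ticket_acl
http_access allow php_acl
http_access deny all
cache_peer_access ticket allow ticket_acl
cache_peer_access php allow php_acl
"""

# Same peers and ACLs, but http_access opened to every client, as in the last post.
OPEN = "acl internet src 0.0.0.0/0\nhttp_access allow internet\n" + "\n".join(
    line for line in FIXED.splitlines() if not line.startswith("http_access"))
```

With ORIGINAL, route() sends php.mydomain.lan to the ticket peer; with FIXED a foreign host is denied outright, while with OPEN it passes http_access and only fails later at peer selection, which is the gap Amos describes.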

Re: Squid as reverse proxy for two or more webs

Antony Stone
On Saturday 11 August 2018 at 15:26:40, Amos Jeffries wrote:

> On 11/08/18 09:43, Antony Stone wrote:
> > On Friday 10 August 2018 at 20:13:06, erdosain9 wrote:
> >> Thanks to all!!
> >> Now is working fine.
> >>
> >> Just, one question to know... i make this accessible from the
> >> internet... so, i create some acl 0.0.0.0/0 and it's working.
>
> That is almost but deceptively not quite the same as "allow all".

Nice description :)

> >> But.. this is a security issue??? or it's ok declare that ACL.
> >
> > If you want everyone / anyone on the Internet to be able to get to your
> > servers, that is the obvious (and correct) ACL to use.
>
> No, sorry. It is not.
>
> The correct config is to use:
>
>  http_access allow foo
>
> Where "foo" is the same ACLs you use on cache_peer_access to determine
> which traffic goes to the peers.
>
> That way Squid is able to block random other domains that virus scans
> etc try to use to detect open proxies.

Hm, I had thought that since this Squid was only configured to be a reverse
proxy for the two servers under discussion, allowing access from anywhere
would still only offer those two destinations?

It wouldn't offer forward-proxy services with that configuration, surely?


Antony.

--
Wanted: telepath.   You know where to apply.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Squid as reverse proxy for two or more webs

Amos Jeffries
On 12/08/18 01:35, Antony Stone wrote:

> On Saturday 11 August 2018 at 15:26:40, Amos Jeffries wrote:
>
>> On 11/08/18 09:43, Antony Stone wrote:
>>> On Friday 10 August 2018 at 20:13:06, erdosain9 wrote:
>>>> Thanks to all!!
>>>> Now is working fine.
>>>>
>>>> Just, one question to know... i make this accessible from the
>>>> internet... so, i create some acl 0.0.0.0/0 and it's working.
>>
>> That is almost but deceptively not quite the same as "allow all".
>
> Nice description :)
>
>>>> But.. this is a security issue??? or it's ok declare that ACL.
>>>
>>> If you want everyone / anyone on the Internet to be able to get to your
>>> servers, that is the obvious (and correct) ACL to use.
>>
>> No, sorry. It is not.
>>
>> The correct config is to use:
>>
>>  http_access allow foo
>>
>> Where "foo" is the same ACLs you use on cache_peer_access to determine
>> which traffic goes to the peers.
>>
>> That way Squid is able to block random other domains that virus scans
>> etc try to use to detect open proxies.
>
> Hm, I had thought that since this Squid was only configured to be a reverse
> proxy for the two servers under discussion, allowing access from anywhere
> would still only offer those two destinations?
>
> It wouldn't offer forward-proxy services with that configuration, surely?

That is an implicit default, yes. But can be altered by several common
setups. We don't know what erdosain9's full config is (or will become),
so do not know if one of those cases is happening (or will happen later).

It is generally better to go with this explicit allow/deny than relying
on the implicit behaviour. One can always move to the implicit later if
it's needed for performance - but backtracking may surprise users if they
were relying on the broken bits being broken.

Amos