[squid-users] Squid as reverse proxy for two or more webs

Amos Jeffries squid3 at treenet.co.nz
Fri Aug 10 13:52:22 UTC 2018

On 11/08/18 01:15, erdosain9 wrote:
> Hi to all.
> I was reading several tutorials and I can not find what I'm doing wrong.
> I want to use squid to redirect to these two sites that are both within my
> domain.
> In my internal dns I have declared both servers, with their corresponding
> ips, also squid.
> reverse.mydomain.lan (SQUID)

So "reverse.mydomain.lan" is the public name which your users/clients
are browsing ...

> php.mydomain.lan
> ticket.mydomain.lan

.. and clients never connect to the above directly. So these domains are
never to be accessed by users/clients.

If (as I suspect) the above statements are not true, then your naming is
the first thing that is wrong.

The domain name(s) which your clients access should point to the proxy.
There can be multiple.

> In addition to the internal DNS, I have the / etc / hosts configured with
> these values:
> [root at squidReverse ~]# cat /etc/hosts
>   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> #::1         localhost localhost.localdomain localhost6
> localhost6.localdomain6
>  reverse.mydomain.lan
> ticket.mydomain.lan 
> php.mydomain.lan

These entries are not required when internal DNS is properly configured.

(FYI: Current Squid versions can also use multicast-DNS for LAN servers
if you use the standardized .local TLD for internal server names. That
is not related to your problem though.)

> This is the configuration of the squid referring to the reverse proxy:
> http_port accel vhost
> cache_peer parent 80 0 proxy-only name=ticket
> cache_peer parent 80 0 proxy-only name=php
> acl ticket_acl dstdomain .MYDOMAIN.lan
> http_access allow ticket_acl
> cache_peer_access ticket allow ticket_acl
> acl php_acl dstdomain .MYDOMAIN.lan
> http_access allow php_acl
> cache_peer_access php allow php_acl
> With this config when i go to reverse.mydomain.lan (from a web browser) i
> get the ticket web, but how i can go to the second web?? php web??

Right now your ticket_acl and php_acl are exactly the same. So they are
telling Squid that both peers are providing identical content (ie both
are authoritative for anything inside *.mydomain.lan). The first of the
available peers will be used, unless it starts to overload then the
second will start receiving the traffic.

To send traffic to one of the peers and not the other you need some way
to distinguish between them.

Normally you would have the ticket.* and php.* domain names both
pointing at Squid ( so your ACLs can check for and use the
domain name to identify which peer is supposed to receive it.

The cache_peer use raw-IP like you have, or a *different* server name
from DNS pointing at the particular peer which can serve the content
your ACLs let Squid send to it.

The config example you want to follow is


More information about the squid-users mailing list