[squid-users] Squid as reverse proxy for two or more webs

Antony Stone Antony.Stone at squid.open.source.it
Fri Aug 10 14:36:28 UTC 2018

On Friday 10 August 2018 at 16:26:31, erdosain9 wrote:

> > php.mydomain.lan
> > ticket.mydomain.lan
> >
> >.. and clients never connect to the above directly. So these domains are
> >never to be accessed by users/clients.
> The client can connect directly from the domain. (i mean they can connect
> directly in work, but i want to do this (proxy reverse, for when they are
> at home...) I dont public yet nothing of this, im trying to do it first
> inside my network.

Ah, it might have been helpful for you to mention that in the first place.

> >If (as I suspect) the above statements are not true, then your naming is
> >the first thing that is wrong.
> Why?

Because the name the clients connect to myst resolve to the IP address of 
Squid, for it work as a reverse proxy.

> >The domain name(s) which your clients access should point to the proxy.
> >There can be multiple.
> I dont get this.

If name.domain.lan points to, then a client browser requesting 
http://name.domain.lan will start talking to machine

If you want that to be the real server, that's fine.

If you want that machine to be squid acting as a reverse proxy, that's fine 

The point is that the IP address must point to the machine you want the client 
to connect to.

> >Right now your ticket_acl and php_acl are exactly the same. So they are
> >telling Squid that both peers are providing identical content (ie both
> >are authoritative for anything inside *.mydomain.lan). The first of the
> >available peers will be used, unless it starts to overload then the
> >second will start receiving the traffic.
> >
> >
> >To send traffic to one of the peers and not the other you need some way
> >to distinguish between them.
> >
> >Normally you would have the ticket.* and php.* domain names both
> >pointing at Squid ( so your ACLs can check for and use the
> >domain name to identify which peer is supposed to receive it.
> I create two entries pointing to squid in DNS now.
> site1.mydomain.lan
> site2.mydomain.lan

So, both of those resolve to, right?

> > The config example you want to follow is
> > https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers

> I read that... but i dont get what im doing wrong.

You want to follow the section:

Switching on Domains

Using cache_peer_access: 

cache_peer ip.of.server1 parent 80 0 no-query originserver name=server_1
acl sites_server_1 dstdomain www.example.com example.com
cache_peer_access server_1 allow sites_server_1

> this is the config now.
> http_port accel vhost
> cache_peer parent 80 0 proxy-only name=site1
> cache_peer parent 80 0 proxy-only name=site2

You are missing "originserver" at the very least.  Otherwise Squid expects to 
find another proxy at the IP address.

> acl soporte_acl dstdomain ticket.MYDOMAIN.lan
> http_access allow soporte_acl
> cache_peer_access site1 allow soporte_acl
> acl phplists_acl dstdomain php.MYDOMAIN.lan
> http_access allow phplists_acl
> cache_peer_access site2 allow phplists_acl
> ------------------------------------------------------------
> But, i get this error
> " Unable to forward this request at this time."

...when you requested what as a URL?

> 1533911112.071      1 TCP_MISS/500 4605 GET
> http://site1.MYDOMAIN.lan/ - HIER_NONE/- text/html

Looks like you entered "site1.mydomain.lan" into your browser.

Try "ticket.mydomain.lan" (after correcting the above config problems) instead.

> 1533911112.193      0 TCP_MEM_HIT_ABORTED/200 4274 GET
> http://reverse.MYDOMAIN.lan/squid-internal-static/icons/SN.png -
> HIER_NONE/- image/png
> 1533911124.117      0 TCP_MISS/500 4605 GET
> http://site2.MYDOMAIN.lan/ - HIER_NONE/- text/html
> 1533911124.217      0 TCP_MEM_HIT_ABORTED/200 4274 GET
> http://reverse.MYDOMAIN.lan/squid-internal-static/icons/SN.png -
> HIER_NONE/- image/png


Salad is what food eats.

                                                   Please reply to the list;
                                                         please *don't* CC me.

More information about the squid-users mailing list