[squid-users] Squid as reverse proxy for two or more webs

Amos Jeffries squid3 at treenet.co.nz
Fri Aug 10 15:25:10 UTC 2018


On 11/08/18 02:56, erdosain9 wrote:
> Antony Stone wrote
>>> I create two entries pointing to squid in DNS now.
>>> site1.mydomain.lan
>>> site2.mydomain.lan
>>
>> So, both of those resolve to 192.168.1.21, right?
>>
>> Yes, they resolve to the IP of Squid.
>>
>>>> The config example you want to follow is
>>>> https://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers
>>
>>>
>>> I read that... but I don't get what I'm doing wrong.
>>
>> You want to follow the section:
>>
>> Switching on Domains
>>
>> Using cache_peer_access: 
>>
>> cache_peer ip.of.server1 parent 80 0 no-query originserver name=server_1
>> acl sites_server_1 dstdomain www.example.com example.com
>> cache_peer_access server_1 allow sites_server_1
>>
>>> this is the config now.
>>>
>>> http_port 192.168.1.21:80 accel vhost
>>>
>>> cache_peer 192.168.1.246 parent 80 0 proxy-only name=site1
>>> cache_peer 192.168.1.223 parent 80 0 proxy-only name=site2
>>
>> You are missing "originserver" at the very least.  Otherwise Squid expects
>> to 
>> find another proxy at the IP address.
>>
>> Oh, sorry. I tried with that config too. Anyway, I don't know about that.
>> Thanks.
>>

You are also missing the ACL parts which determine which domain goes to
which cache_peer server.


>> ...when you requested what as a URL?
>> site1.mydomain.lan
>>
>>> 1533911112.071      1 192.168.6.20 TCP_MISS/500 4605 GET
>>> http://site1.MYDOMAIN.lan/ - HIER_NONE/- text/html
>>
>> Looks like you entered "site1.mydomain.lan" into your browser.
>>
>> Yep.
>>
>> Try "ticket.mydomain.lan" (after correcting the above config problems)
>> instead.
>>
> Well, if I put ticket.mydomain.lan I go directly to the server I want to
> go.
>

This is why the domain name you want the clients to contact needs to be
pointing at Squid, not the origin servers.

Squid passes on the domain name it received from the client. Examples
below using your current config ...


> This is:
>
> ticket.mydomian.lan ----------------------------> Server  1
> php.mydomian.lan ------------------------------> Server 2
>
> site1.mydomain.lan --------------------------------> squid
> site2.mydomian.lan --------------------------------> squid
>
> For my config I expect that when Squid receives site1 it goes to
> ticket.mydomain.lan
> and for site2 it goes to php.mydomain.lan
>

Then site1.* and site2.* are the domains which those origin servers need
to be hosting - not ticket.* or php.*.

The request flow looks like this:

* client requests http://site1.mydomain.lan/ which goes to Squid because
A for that domain is Squid IP.

* Squid sends request for http://site1.mydomain.lan/ to server
ticket.mydomain.lan because cache_peer_access said it was allowed there.

* Server ticket.mydomain.lan receives request for
http://site1.mydomain.lan/ from Squid.


At no point does any URL or HTTP message contain "ticket.mydomain.lan".
I think this is where you are getting confused - thinking that the
origin server names mean something when they do not.

You do *not* need a domain's DNS entries to point at the origin for that
origin to provide responses for it.


This is also why you need to test the setup which will actually be used
when the proxy is made to be "in production". Testing with a fake domain
setup only ensures the fake domains work; the real ones may be fatally
broken.

Amos
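
The configuration changes discussed in this thread, put together as an added example (not part of the original message and not copied from the Squid wiki). The IP addresses, peer names and domains are the poster's; the ACL names `site1_dom` and `site2_dom` and the pairing of each IP with a site follow the poster's `name=` labels and are assumptions.

```conf
# --- Before (from the thread): no "originserver", no ACLs -------------
# http_port 192.168.1.21:80 accel vhost
# cache_peer 192.168.1.246 parent 80 0 proxy-only name=site1
# cache_peer 192.168.1.223 parent 80 0 proxy-only name=site2
# Result reported in the thread: TCP_MISS/500 ... HIER_NONE/-

# --- After -------------------------------------------------------------
# Accept reverse-proxy traffic; "vhost" makes Squid use the Host header
# to rebuild the URL, so site1.* and site2.* can share one listener.
http_port 192.168.1.21:80 accel vhost

# "originserver" tells Squid each peer is a web server, not another proxy.
cache_peer 192.168.1.246 parent 80 0 no-query originserver name=site1
cache_peer 192.168.1.223 parent 80 0 no-query originserver name=site2

# One ACL per public domain (the names clients type, which resolve to Squid).
acl site1_dom dstdomain site1.mydomain.lan
acl site2_dom dstdomain site2.mydomain.lan

# Switch on domain: each peer only receives requests for its own site.
cache_peer_access site1 allow site1_dom
cache_peer_access site1 deny all
cache_peer_access site2 allow site2_dom
cache_peer_access site2 deny all

# Only the hosted domains are served; everything else is refused so the
# accelerator cannot be used as an open forward proxy.
http_access allow site1_dom
http_access allow site2_dom
http_access deny all

# Never resolve the requested domain and go direct; it points back at Squid.
never_direct allow all

# Checks (run from the Squid host):
#   squid -k parse
#   curl -sI -H 'Host: site1.mydomain.lan' http://192.168.1.246/
# The second command confirms the origin answers for site1.mydomain.lan,
# the name it will actually see in requests forwarded by Squid.
```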

