[squid-users] How to combine two proxies into one?

Peng Yu pengyu.ut at gmail.com
Sat Feb 17 01:37:02 UTC 2018


On Thu, Feb 15, 2018 at 3:31 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 15/02/18 17:00, Peng Yu wrote:
>> Hi,
>>
>> Here are the conf files for two proxies. The first is a reverse proxy
>> (proxied on server1 and server2) and the second is a forward proxy. Is
>> there a way to combine the two into one (supporting both 3129 and
>> 3128)? Thanks.
>
> One Squid can accept traffic in multiple modes, just by adding the
> appropriate *_port lines for each type/mode of traffic.
>
> However, if you are talking about the same setup as your last threads
> described, the first proxy is *not* doing proper / normal reverse-proxy.
> From what I understand in those setups you are relying on the traffic
> being warped into forward-proxy syntax by the frontend and leaving the
> domain routing to the backend - which lacks the appropriate security
> checks to handle reverse-proxy needs.
>
>
> In regards to your posted config files. Skipping the lines which are not
> actual default configuration you are left with these:
>
>>
>> $ grep -v '^#' squid.conf|grep -v '^$'
>> http_port 3129
>
> This is not a reverse-proxy. That is declared by the "accel" mode flag
> being set - which is not present here.
>
>
>> cache_peer server1 parent 3128 0 round-robin no-query
>> cache_peer server2 parent 3128 0 round-robin no-query
>> coredump_dir /usr/local/var/cache/squid
>>
>
>> $ grep -v '^#' squid.conf|grep -v '^$'
>> http_port 3128
>
> This is also not a reverse-proxy.
>
>> coredump_dir /var/spool/squid3
>> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
>
> To combine the above two configurations take the second one and add this
> line:
>   http_port 3129
>
>
> BUT, since neither of them was actually a reverse-proxy the answer of
> how to merge a reverse-proxy and a forward-proxy would be quite different.

I finally figured out a configuration that works. localhost:3128 is forwarded to
both server1:3128 and server2:3128. localhost:3129 goes directly to
the external network. Let me know if there is anything wrong with it.

Also, this only works for http. For https, localhost:3128 still
goes directly to the external network. Do you know how to modify the
following configuration to make it work for https?

acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129
# Matches requests that arrived on the 3128 listener (myportname matches the port spec)
acl port_3128_acl myportname 3128
# Both parents only receive traffic from port 3128; port 3129 matches no peer and goes direct
cache_peer server1 parent 3128 0 round-robin no-query name=proxy3128
cache_peer_access proxy3128 allow port_3128_acl
cache_peer server2 parent 3128 0 round-robin no-query name=proxy1_3128
cache_peer_access proxy1_3128 allow port_3128_acl
cache_peer_access proxy3128 deny all
forwarded_for delete
coredump_dir /usr/local/var/cache/squid
refresh_pattern ^ftp:                1440    20%     10080
refresh_pattern ^gopher:             1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?)    0       0%      0
refresh_pattern .                    0       20%     4320


-- 
Regards,
Peng
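The following squid.conf is an added example, not part of the thread and not Peng's or Amos's configuration. It shows what "one Squid, several modes" looks like when one of the modes is a real reverse proxy (the `accel` flag Amos mentions), and it includes the `never_direct` rule that is the usual reason CONNECT (https) requests on a chained port bypass the parents: Squid treats CONNECT as non-hierarchical and goes direct unless told not to. `server1`/`server2` are the parent names from the thread; `app1`, `app2`, `www.example.com`, port 8080 and the `name=` labels are assumptions for illustration.

```squid
# Added example; not from the thread. Host names server1/server2 are from the
# thread; app1, app2, www.example.com, port 8080 and the name= labels are
# assumptions for illustration.

# --- ACLs --------------------------------------------------------------
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT

# Which listener the client hit. name= on http_port makes the match explicit.
acl on_chained myportname chained
acl on_direct  myportname direct
acl on_accel   myportname accel

# The only site the reverse-proxy listener is allowed to serve.
acl accel_site dstdomain www.example.com

# --- Listeners ---------------------------------------------------------
http_port 3128 name=chained                 # forward proxy, relayed to parents
http_port 3129 name=direct                  # forward proxy, straight to origin
http_port 8080 name=accel accel defaultsite=www.example.com vhost   # reverse proxy

# --- Peers -------------------------------------------------------------
# Parent proxies, used only by the chained listener.
cache_peer server1 parent 3128 0 no-query round-robin name=parent1
cache_peer server2 parent 3128 0 no-query round-robin name=parent2
cache_peer_access parent1 allow on_chained
cache_peer_access parent1 deny all
cache_peer_access parent2 allow on_chained
cache_peer_access parent2 deny all

# Origin servers behind the reverse proxy (originserver, not a parent proxy).
cache_peer app1 parent 80 0 no-query originserver round-robin name=origin1
cache_peer app2 parent 80 0 no-query originserver round-robin name=origin2
cache_peer_access origin1 allow on_accel accel_site
cache_peer_access origin1 deny all
cache_peer_access origin2 allow on_accel accel_site
cache_peer_access origin2 deny all

# --- Routing -----------------------------------------------------------
# The chained listener must never contact the origin itself. This also
# covers CONNECT, which Squid otherwise sends direct (non-hierarchical).
never_direct allow on_chained
# The reverse proxy must only talk to its origin peers, never to an
# arbitrary host named in a request.
never_direct allow on_accel
# The direct listener never uses a parent.
always_direct allow on_direct

# --- Access control ----------------------------------------------------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Reverse proxy: open to any client, but only for the configured site and
# never for CONNECT. This check is what separates an accelerator from an
# open relay that simply rewrites requests into forward-proxy syntax.
http_access deny on_accel CONNECT
http_access allow on_accel accel_site
http_access deny on_accel
# Forward-proxy listeners: local clients only.
http_access allow localnet
http_access allow localhost
http_access deny all

forwarded_for delete
```

Check the syntax with `squid -k parse -f /path/to/squid.conf` before reloading. The `never_direct allow on_chained` line is the piece missing from the configuration above if the intent is that https via 3128 also reaches server1/server2; setting `nonhierarchical_direct off` globally has a similar effect but changes routing for every listener.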

