[squid-users] Reverse proxy is not responding

Amos Jeffries squid3 at treenet.co.nz
Sun Mar 18 18:57:18 UTC 2018


On 19/03/18 03:22, Kiru Pananthan wrote:
> Hi Amos
> 
> Thanks for your reply,
> 
> I have restarted the squid service using the command
> "/etc/init.d/squid3 restart" and also rebooted the Linux server, but
> still the problem exists.
> 
> I have removed the empty and commented (#) lines from the document for
> your review. Can you please check now and provide me with some guidance?
> 

Thanks. That one is easier to read.


The domains dvr1.* dvr2.* and dashboard.* are accepted into the proxy
(by the our_sites ACL) but have nowhere to go - no cache_peer with an
allow for them. I guess those are the domains which you are seeing
failures for?


Some further cleanups you can do:

It is now clear that "cache_peer access server_6 deny all" is referring
to a non-existent cache_peer. Not an issue, but you can remove that line
to simplify things further.


The https_port line is missing the accel mode flag.
 - Also, the 'vhost' option is deprecated in current Squid; virtual
hosting is on by default now.

Also, since these are reverse-proxy ports, the *_port lines should really
be listening on the same ports the peers are using (eg port 80, 443 and
8443) to avoid weird issues with the Host header relayed to peers with
unexpected port 3128 or 8443 values (as sent by the clients).
I also notice that traffic arriving on the HTTPS port has a default
domain of bookings.* assigned, but the only peer which is expecting
traffic on/from port 8443 is the one for the library.* domain. It may be
worthwhile removing the defaultsite= option entirely.



You still have the muddled peer lines making that config hard to read.
By that I mean your "acl sites_server_*" definitions are grouped amidst
cache_peer* lines for a peer which that ACL has nothing to do with.
Re-ordering those would be useful for future maintenance.

Also, the issue with server_5 and server_7 being identical is still
there. It is even more clear now that they are truly duplicates in all
respects, from cache_peer line to the server_sites_* ACLs. One of them
should be removed.


Your custom http_access line should be placed at the spot which
currently says "http_access allow localhost".


In fact, what I recommend is to move the "http_access deny all" line
down below the cache_peer config block. Then you can use the
sites_server_N ACLs to do an "http_access allow sites_server_*" instead
of duplicating domain names in that our_sites ACL.
This way you can be sure only the traffic which has a cache_peer to go
to is allowed into the proxy at all, and the reverse: all traffic which
has a peer to go to is allowed. That may be helpful to avoid this
situation repeating in future.

Amos
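The layout Amos describes above (accel-mode ports on the origin ports, each peer grouped with its own sites_server_N ACL and cache_peer_access pair, and the http_access rules built from those same ACLs with "deny all" placed after the peer block), written out as a constructed squid.conf fragment. This is an added illustration, not the original poster's configuration or anything from the thread: the peer names, hostnames, addresses, domains and certificate path are placeholders, the second peer uses port 8443 only to mirror the library.* case mentioned above, and the never_direct line is an extra hardening directive not discussed in the thread.

```squid
# Constructed example squid.conf fragment (reverse proxy / accelerator).
# All names, addresses and paths below are placeholders.

# Listen on the same ports the origin servers use, in accel mode.
# ('vhost' is not needed on current Squid; virtual hosting is the default.)
http_port 80 accel
https_port 443 accel cert=/etc/squid/certs/placeholder.pem key=/etc/squid/certs/placeholder.key

# --- server_1: plain-HTTP origin for www.example.com ---
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=server_1
acl sites_server_1 dstdomain www.example.com
cache_peer_access server_1 allow sites_server_1
cache_peer_access server_1 deny all

# --- server_2: TLS origin on 8443 for library.example.com ---
# ('ssl' is the Squid 3.x spelling; Squid 4+ also accepts 'tls')
cache_peer 192.0.2.20 parent 8443 0 no-query originserver ssl name=server_2
acl sites_server_2 dstdomain library.example.com
cache_peer_access server_2 allow sites_server_2
cache_peer_access server_2 deny all

# --- access control, placed after the peer block ---
# Reuse the per-peer ACLs instead of a separate our_sites list, so a
# domain can only be admitted if it also has a peer to be sent to.
http_access allow sites_server_1
http_access allow sites_server_2
http_access deny all

# Added hardening (not from the thread): never let the accelerator fetch
# directly from the Internet; requests must be served by a cache_peer.
never_direct allow all
```

With this shape, adding a new virtual host means adding one cache_peer block plus one http_access allow line for its ACL; a domain listed in an ACL with no matching peer, or a peer with no http_access allow, stands out immediately because the two lists are now the same list.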

