Mario Remy Almeida wrote:
> Hi All,
>
> Recently I configure Squid as reverse proxy for back-end apache server
> running Drupal.
>
> acl airarabia_web dstdomain www.airarabia.com
> cache_peer 10.4.171.6 parent 80 0 no-query originserver
> name=airarabia_peer2 round-robin forceddomain=www.airarabia.com default
> # cache_peer 10.4.171.7 parent 80 0 no-query originserver
> name=airarabia_peer1 round-robin forceddomain=www.airarabia.com default
> # not yet implemented
> cache_peer_access airarabia_peer2 allow airarabia_web
> cache_peer_access airarabia_peer2 deny all
>
> Problem 1:-
> With Apache I had connection Limit of 20 per IP (mod_limitipconn.so)
>
> I need to achieve this with squid reverse proxy.
> please let me know if below configurations is correct.
You should not really need this with Squid. FD in Squid are very
lightweight and do not block whole threads like they do in Apache.
>
> ===========================
> acl connectionLimit maxconn 20
Missing:
http_access deny connectionLimit
> acl airarabia_web dstdomain www.airarabia.com
> cache_peer 10.4.171.6 parent 80 0 no-query originserver
> name=airarabia_peer2 round-robin forceddomain=www.airarabia.com default
> cache_peer_access airarabia_peer2 allow airarabia_web connectionLimit
The above will cause denial if LESS than 20 connections are made.
Seems strange until you consider that connectionLimit is only true when
>20 connections are present from a single IP. Which will cause the
following line to happen:
> cache_peer_access airarabia_peer2 deny all
> ===========================
>
> Problem 2:-
> After configuring reverse proxy, The apache back-end server gets the IP
> of the reverse proxy and not of the actual clients.
Your problem description describes the config:
forwarded_for on
>
> squid.conf
> ===========================
> follow_x_forwarded_for allow airarabia_web
> follow_x_forwarded_for deny all
> acl_uses_indirect_client on
> delay_pool_uses_indirect_client on
> log_uses_indirect_client on
> ===========================
>
> I will work on HOW TO for mod_extract_forwarded, but mean time if
> someone can verify if the above squid.conf for problem 2 is correct?
It does not match your problem description. It configures Squid to log
and run ACL tests based on the remote client IP outside your trusted edge.
Useful only for hierarchies and clusters of proxies who need to ignore
the internal relay chain in their security tests.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1Received on Mon Apr 12 2010 - 12:25:37 MDT
This archive was generated by hypermail 2.2.0 : Mon Apr 12 2010 - 12:00:04 MDT