Squid reverse proxy switching peers



  • I want Squid to direct incoming requests to a specific peer based on URI, but what I'm getting instead is it's sending the requests to each peer in a round-robin fashion.  So, once in a while, I get the content, or sometimes I get a 404 when it's hitting the wrong peer.  I only have one peer selected per mapping.  What am I doing wrong?



  • I think that I need to get squid to use 'urlpath_regex' instead of 'url_regex' but I am uncertain how to do that w/ pfSense.



  • Seriously, no one can help with this?  I can't be the only person who wants to route traffic in this way.



  • I'm having the exact same issue. Were you ever able to resolve this? I'm beginning to think it's a bug, but why can't I find anyone else with this same problem? Currently using squid package 0.4.43_1 on pfsense 2.3.5_2. Only one peer is selected in each mapping, but it's as if squid ignores that selection, and rotates through all servers enabled on the webservers tab. WTH?



  • So, after fiddling with the /usr/local/etc/squid.conf file that the pfsense squid package generates, I have a working solution that might have to be re-implemented if and when I update the squid package. The trick is to add cache_peer_access directives that specifically deny the peers from the other mappings. For some reason, the "deny allsrc" that is automatically generated is not cutting it.

    Here is what the squid.conf file (in part) looks like now. Red lines were added manually.

    ...
    # Reverse Proxy settings
    http_port 123.45.67.89:80 accel defaultsite=mydomain.com vhost
    #
    cache_peer 192.168.0.101 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_server1
    #
    cache_peer 192.168.0.102 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_server2
    #
    cache_peer 192.168.0.103 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_server3
    #
    acl rvm_subdomain1 url_regex -i ^https?:\/\/subdomain1\.mydomain\.com.*$
    acl rvm_subdomain2 url_regex -i ^https?:\/\/subdomain2\.mydomain\.com.*$
    acl rvm_subdomain3 url_regex -i ^https?:\/\/subdomain3\.mydomain\.com.*$
    cache_peer_access rvp_server1 allow rvm_subdomain1
    cache_peer_access rvp_server1 deny !rvm_subdomain1   # added manually
    cache_peer_access rvp_server1 deny allsrc
    cache_peer_access rvp_server2 allow rvm_subdomain2
    cache_peer_access rvp_server2 deny !rvm_subdomain2   # added manually
    cache_peer_access rvp_server2 deny allsrc
    cache_peer_access rvp_server3 allow rvm_subdomain3
    cache_peer_access rvp_server3 deny !rvm_subdomain3   # added manually
    cache_peer_access rvp_server3 deny allsrc
    never_direct allow rvm_subdomain1
    never_direct allow rvm_subdomain2
    never_direct allow rvm_subdomain3
    http_access allow rvm_subdomain1
    http_access allow rvm_subdomain2
    http_access allow rvm_subdomain3
    
    deny_info TCP_RESET allsrc
    ...
    

    Obviously, in order to make these changes stick, I had to also modify the /usr/local/pkg/squid_reverse.inc php file that does the generating. To do so, I added the second line here between the other two. This is near line 275:

    ...
    $cache_peer_allow_conf .= "cache_peer_access rvp_{$map_peer} allow rvm_{$rm['name']}\n";
    $cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny !rvm_{$rm['name']}\n";
    $cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny allsrc\n";
    ...
    

    This will break if the squid package is ever updated, but at least I can use the pfsense gui to manage the reverse proxy now. And best of all, my webservers only respond to their own URLs now.
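An added check, not from the thread or the pfSense package: a small Python linter for a generated squid.conf that flags reverse-proxy peers whose `allow` ACL has no matching `deny !acl` rule (the line the post above had to add by hand), and peers with no `cache_peer_access` rules at all. The sample config is constructed to mirror the post, with rvp_server3 deliberately missing its deny line.

```python
import re

# Constructed sample modelled on the thread's squid.conf; rvp_server3 is
# missing the manually added "deny !rvm_subdomain3" line.
SAMPLE_CONF = """\
cache_peer 192.168.0.101 parent 80 0 proxy-only originserver round-robin name=rvp_server1
cache_peer 192.168.0.102 parent 80 0 proxy-only originserver round-robin name=rvp_server2
cache_peer 192.168.0.103 parent 80 0 proxy-only originserver round-robin name=rvp_server3
acl rvm_subdomain1 url_regex -i ^https?://subdomain1\\.mydomain\\.com.*$
acl rvm_subdomain2 url_regex -i ^https?://subdomain2\\.mydomain\\.com.*$
acl rvm_subdomain3 url_regex -i ^https?://subdomain3\\.mydomain\\.com.*$
cache_peer_access rvp_server1 allow rvm_subdomain1
cache_peer_access rvp_server1 deny !rvm_subdomain1
cache_peer_access rvp_server1 deny allsrc
cache_peer_access rvp_server2 allow rvm_subdomain2
cache_peer_access rvp_server2 deny !rvm_subdomain2
cache_peer_access rvp_server2 deny allsrc
cache_peer_access rvp_server3 allow rvm_subdomain3
cache_peer_access rvp_server3 deny allsrc
"""

PEER_RE = re.compile(r"^cache_peer\s+\S+.*?\bname=(\S+)", re.M)
ACCESS_RE = re.compile(r"^cache_peer_access\s+(\S+)\s+(allow|deny)\s+(\S+)", re.M)


def peer_access_rules(conf):
    """Return {peer_name: [(action, acl), ...]} in file order."""
    rules = {name: [] for name in PEER_RE.findall(conf)}
    for peer, action, acl in ACCESS_RE.findall(conf):
        rules.setdefault(peer, []).append((action, acl))
    return rules


def missing_peer_denies(conf):
    """List (peer, acl) pairs where 'allow acl' has no explicit 'deny !acl'.

    A peer with no cache_peer_access rules at all is reported as (peer, None),
    since Squid then considers it eligible for every request.
    """
    problems = []
    for peer, rules in peer_access_rules(conf).items():
        if not rules:
            problems.append((peer, None))
            continue
        denied = {acl for action, acl in rules if action == "deny"}
        for action, acl in rules:
            if action == "allow" and "!" + acl not in denied:
                problems.append((peer, acl))
    return problems
```

Run it against /usr/local/etc/squid.conf after a package update to see whether the hand-added deny lines survived.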


  • Global Moderator

    @DefectiveRobot these changes are merged to the latest version of squid pkg: https://redmine.pfsense.org/issues/10450

    can you test it?

