LinuxQuestions.org
Forums > Linux - Security
Old 09-09-2004, 10:09 PM   #1
Charles Daniel
Problem with Squid + Apache Integration


I host my site from a LAN configured with the following:

Apache 2 w/ Tomcat Servlet Container
OpenSSL
PostgreSQL
SQUID_2.5_STABLE6

The installation is pretty standard, with most apps under /usr/local:

Apache - /usr2/local/apache2 on kenshin.pctechnirvana.com (192.168.1.4)
Tomcat - /usr2/local/tomcat on kenshin.pctechnirvana.com
SSL Virtual Host on secure.pctechnirvana.com (192.168.1.5, aliased ip on kenshin)
SQUID - /usr/local/squid on server musashi.pctechnirvana.com ( 192.168.1.1)

The problem is that I can access the site on my intranet via http://kenshin.pctechnirvana.com, but web clients are getting an Access Denied from SQUID when using www.pctechnirvana.com (my internet domain name).

I suspect that the error is actually coming from either Apache or Tomcat, however. I've configured the SQUID proxy to accelerate my kenshin ( web server). Relevant lines from squid.conf are:

---- squid.conf ---

http_port 80

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

# The accelerated web server (kenshin); its responses are not cached
acl accelHost dst 192.168.1.4/255.255.255.255
acl accelPort port 80
no_cache deny accelHost

http_access allow accelHost accelPort
# Final rule: any request not denied above is allowed, from any source
http_access allow all
http_reply_access allow all

cache_effective_user squid
cache_effective_group squid

dns_nameservers 151.164.30.104 151.164.11.201

# Squid 2.5 accelerator (reverse proxy) settings; with_proxy on keeps
# ordinary forward proxying enabled alongside acceleration
httpd_accel_host kenshin.pctechnirvana.com
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy on
-------------------------------------------------------
Squid is started as root and then changes its owner and group to squid squidadm, as specified in the user's manual.

For Apache I've set the DocumentRoot to the default /usr2/local/apache2/htdocs for testing purposes. I need to see what user Apache is running as. From a ps --User nobody report I ran, I suspect that Apache is running as the nobody user, and Tomcat is running as root. I'm not really a Linux sysadmin type, so can anyone tell me how I can find out for certain?

If you can't find anything wrong with the SQUID acls, then I suspect that Apache or Tomcat is having trouble serving contents to internet users because of file system access privileges. This is why I need to find out what user they are running as. I believe that the httpd.conf directives are OK, but I can supply the httpd.conf in subsequent posts if there is nothing wrong with the acls above.
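An added example, not code from the post above or from the Squid project: a small Python simulator of Squid's first-match http_access evaluation, run over the ACL lines from the config posted above. It shows what those rules actually decide for an Internet client. Because the config ends in http_access allow all, anything the earlier deny lines do not catch is admitted, including a GET for a third-party host and a CONNECT tunnel to port 443, and with httpd_accel_with_proxy on Squid will relay those as an ordinary forward proxy. A constructed variant that ends in deny all keeps only the accelerated host on port 80 (plus cachemgr from localhost) reachable. The simulator does no DNS: each request carries its destination IP already resolved, whereas real Squid resolves dst ACLs through the configured dns_nameservers. The client address 203.0.113.10, the third-party host 198.51.100.7 and HARDENED_CONF are all constructed for the example.

```python
"""Simulate Squid 2.5 http_access evaluation against the squid.conf posted above.

Added example; not code from the original post or from the Squid project. It
models only src/dst/port/method/proto ACLs and first-match http_access rules,
and does no DNS: each request carries its destination IP already resolved.
The client and third-party addresses are constructed (RFC 5737 ranges), and
HARDENED_CONF is a constructed variant, not the poster's config.
"""
import ipaddress
from dataclasses import dataclass

# The ACL and http_access lines of the posted config, in their original order
# (the Safe_ports lines are condensed; repeated acl names accumulate in Squid).
POSTED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210   # http ftp https snews gopher wais
acl Safe_ports port 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl accelHost dst 192.168.1.4/255.255.255.255
acl accelPort port 80
http_access allow accelHost accelPort
http_access allow all
"""

# Constructed variant: same ACLs, but the list ends with deny instead of allow.
HARDENED_CONF = POSTED_CONF.replace("http_access allow all", "http_access deny all")


@dataclass(frozen=True)
class Request:
    src: str             # client address
    dst: str             # destination address, already resolved
    port: int
    method: str = "GET"
    proto: str = "http"  # "cache_object" for cachemgr requests


def load_config(text):
    """Return ({acl name: (type, values)}, [(action, terms)]) from squid.conf text.
    Repeated 'acl NAME' lines accumulate values; other directives are ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            known_type, known_values = acls.setdefault(name, (acl_type, []))
            if known_type != acl_type:
                raise ValueError(f"acl {name} redefined as {acl_type}")
            known_values.extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, req):
    """Does one ACL (type, values) match the request?"""
    acl_type, values = acl
    if acl_type in ("src", "dst"):
        addr = ipaddress.ip_address(getattr(req, acl_type))
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":  # values are "N" or "LO-HI"
        for spec in values:
            lo, _, hi = spec.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return req.method.upper() in {v.upper() for v in values}
    if acl_type == "proto":
        return req.proto in values
    raise ValueError(f"acl type {acl_type} not modelled")


def http_access(acls, rules, req):
    """First matching http_access line decides; a line matches only when every
    term matches ('!' negates a term). If no line matches, Squid applies the
    opposite of the last line's action."""
    for action, terms in rules:
        for term in terms:
            negated = term.startswith("!")
            if acl_matches(acls[term.lstrip("!")], req) == negated:
                break  # this term failed, so this line does not apply
        else:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(conf_text, req):
    acls, rules = load_config(conf_text)
    return http_access(acls, rules, req)


if __name__ == "__main__":
    outside = "203.0.113.10"  # constructed Internet client
    cases = {
        "GET the accelerated site": Request(outside, "192.168.1.4", 80),
        "GET a third-party host": Request(outside, "198.51.100.7", 80),
        "CONNECT to a third party:443": Request(outside, "198.51.100.7", 443, "CONNECT"),
        "cachemgr from outside": Request(outside, "192.168.1.1", 80, proto="cache_object"),
    }
    for label, req in cases.items():
        print(f"{label:30} posted={decide(POSTED_CONF, req):5} "
              f"hardened={decide(HARDENED_CONF, req)}")
```

Running it prints allow/allow for the site itself, deny/deny for cachemgr, but allow for the posted config and deny for the hardened one on both the third-party GET and the CONNECT tunnel. An accelerator that only fronts kenshin has no reason to end its http_access list with allow all; ending with deny all (and setting httpd_accel_with_proxy off) limits the proxy to the site it is meant to serve. Keep in mind that the dst ACL in the real config is resolved by Squid through the listed public nameservers, so whether kenshin.pctechnirvana.com resolves to 192.168.1.4 from musashi is worth checking separately with a lookup from that host.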
 
Old 09-10-2004, 05:09 AM   #2
reetep
from what I can see, you're trying to listen on port 80 for squid, and you're binding to port 80 on apache.

Redirect your port 80 traffic as follows for squid:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

(where eth1 is your internal LAN interface) and change your http port to 3128 in your squid config. This is called transparent proxying. There are a few other options you need to set for transparent proxy. See the squid FAQ if you have problems, or if you want I can post my squid config. I also run apache alongside squid, so my config should be ok.
 
Old 09-10-2004, 09:02 AM   #3
Charles Daniel
Is there a better source of information for setting this up than squid-cache.org? It's apparent that their documentation isn't helping me much.

I'm a little confused, so I hope you will be patient. The Squid user's manual states that I would be OK to listen on port 80 if the proxy and the accelerated host are not on the same machine (which is my case). Both the proxy and the accelerated host should be able to listen on port 80 under this scenario.

It could be that the documentation has misled my rookie eyes.

You also mentioned eth1. Do you mean that my proxy server needs to be a dual homed host? Currently, all of my servers have only 1 NIC. If a dual homed host is required, then will IP aliasing work or is a second NIC absolutely required? I know NICs are cheap, but I just had to ask.

Also, is it possible to do caching, accelerating and transparent proxying all at one time? Is this configurable?
 
Old 09-13-2004, 03:07 PM   #4
reetep
sorry that this is a slow reply - have been away for the weekend.

You seem to have lots of questions:

documentation - I'm afraid there isn't much more documentation than is on the squid website (that I have come across at least). There is a transparent proxy howto which focuses on squid on the ldp pages, but other than that it's very sparse. There's one more url which I have bookmarked on another computer which I'll send you soon. Tomorrow maybe. I agree the squid docs are very frustrating - they assume you already know what you're doing and that you just need a quick reference. It takes several readings and lots of patience but don't write it off completely.


Having two NICs? - We need to be clear on what you want to achieve. My current understanding is that you want a 'server' machine to connect to the internet, which will run a proxy server (i.e. squid) to a LAN (i.e. local area network). If you connect using a modem, then you only need one NIC (for the LAN). Likewise if you have a USB modem. If you have a cable modem, then you need two NICs (one for the LAN, one for the modem). I wrote eth1 because I assumed you had the latter setup.

Now you also want to run a webserver (apache). Do you want to run this on the same machine as your proxy? (My first post assumed this). If the answer is no, then you only need one NIC on the webserver machine. You need to configure that as any other client on the LAN, then configure apache afterwards.

So please let me know what hardware you have, what you want it to do, and which computers will be running what.

Thanks, reetep.
 
Old 09-13-2004, 03:16 PM   #5
reetep
PS you asked:

"Also, is it possible to do caching, accelerating and transparent proxying all at one time? Is this configurable?"

Yes.
 
Old 09-13-2004, 03:17 PM   #6
reetep
whoops. ignore that repeated post
 
Old 09-13-2004, 03:18 PM   #7
reetep
whoops again! There was no repeated post. Sorry.
 
Old 09-14-2004, 02:04 PM   #8
reetep
Here are some urls which I found useful:

http://squid.visolve.com/squid/sqguide.htm

http://www.linuxsolved.com/forums/ftopic116.html

and also for your future reference (although not squid related):

http://www.linuxsolved.com/forums/forum4.html
 
Old 09-22-2004, 05:49 AM   #9
reetep
How'd you get on dude? If you have problems I can still help. I can send you my configs and help you out with NAT.
 