  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 398

squid reverse proxy and .asp

I am building a squid reverse proxy to hide a webserver behind. I have it basically working OK, but when trying to do a search on our phonebook you get the error:

The requested URL could not be retrieved

While trying to retrieve the URL: http://172.21.102.1/Phone/results/summary.asp

The following error was encountered:

Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Generated Thu, 06 Mar 2003 12:03:58 GMT by proxy.mycompany.com (Squid/2.4.STABLE7)

I am using Trustix 1.5, and below is a copy of squid.conf. I would also appreciate any other views about the proxy config as this will be internet facing.
http_port 80
visible_hostname proxy.mycompany.com
icp_port 0
cache_mem 20 MB
emulate_httpd_log on
cache_access_log /dev/null
cache_store_log /dev/null
cache_dir ufs /var/spool/squid  1000 16 256
redirect_rewrites_host_header off
acl all src 0.0.0.0/0.0.0.0
acl QUERY urlpath_regex cgi-bin \? asp
no_cache deny QUERY
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 172.21.0.0/255.255.0.0
http_access allow manager localhost
http_access deny manager
acl safeports port 80
acl safemethods method GET
http_access deny !safeports
http_access deny !safemethods
http_access allow all
cache_effective_user squid
cache_effective_group squid
httpd_accel_host 172.21.1.7
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy off
httpd_accel_uses_host_header on
log_icp_queries off
maximum_object_size 32768 KB
maximum_object_size_in_memory 4096 KB
forwarded_for on

many thanks



0
eishv
Asked:
eishv
1 Solution
 
heskyttberg Commented:
Hi!

Why use the squid proxy and not iptables firewall rules to do this instead?

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.40.20:80

Regards
/Hans - Erik Skyttberg
0
 
eishv (Author) Commented:
I want it to be able to cache the webserver to take some load off it. The webserver needs to be able to access a database on our intranet server, and the plan put forward by one of our suppliers was to have the webserver on our DMZ and map a drive to the intranet server on our LAN, which is obviously madness. I proposed we use a reverse proxy sitting in our DMZ forwarding HTTP to the webserver sitting on the LAN so we don't need to allow SMB across the firewall.
0
 
heskyttberg Commented:
Hi!

If you use pages that will fetch data directly from a database, I STRONGLY recommend against using any kind of caching in front of the webserver.

Since when the page is cached, the cached page will be returned.

Let me give you an example: you request a page that shows current online users:
users.asp?users=online

This page returns 10.

Now 5 more log in; they will still see 10, not 15, since they get the page that squid has cached.

If you do as I suggest, you will still only allow the HTTP protocol on port 80 to the webserver.
This you can set up in your firewall. I agree allowing SMB through the firewall is not good.

Regards
/Hans - Erik Skyttberg
0
 
eishv (Author) Commented:
Thanks Hans, I am aware of problems with caching ASP and am hoping to either fine-tune the cache or disable caching of ASP. I don't see any reason not to cache jpg's etc., though.

0
 
eishv (Author) Commented:
I have found the solution. The search is using an HTTP PUT, which is not enabled in the squid.conf.

0
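Why the posted configuration answers the search with "Access Denied", shown as an added example that is not part of the original thread: a simplified Python model of Squid's first-match http_access evaluation, run over the access-control lines copied from the squid.conf in the question. The function names and the sample request are constructed for illustration, and only the src, proto, port and method ACL types are modelled.

```python
import ipaddress

# Access-control subset of the squid.conf posted in the question.
CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access allow manager localhost
http_access deny manager
acl safeports port 80
acl safemethods method GET
http_access deny !safeports
http_access deny !safemethods
http_access allow all
"""

def parse(conf):
    """Return (acls, rules) from acl / http_access lines."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split()
        if tok[:1] == ["acl"]:
            # Repeated acl lines with the same name add values (OR).
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:], line))
    return acls, rules

def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind in ("method", "proto"):
        return req[kind].upper() in (v.upper() for v in values)
    if kind == "port":
        return str(req["port"]) in values
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, req):
    """First http_access line whose ACLs all match decides the request."""
    acls, rules = parse(conf)
    for action, names, line in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action, line
    # No match: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(default)"

# Constructed request: a phonebook search sent with a non-GET method.
REQ = {"src": "203.0.113.9", "port": 80, "proto": "http", "method": "PUT"}
print(decide(CONF, REQ))
```

Changing the ACL line to `acl safemethods method GET PUT` lets the same request fall through to `http_access allow all`; on an Internet-facing proxy the list should carry only the methods the application actually uses.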
 
CleanupPing Commented:
eishv:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
modulo Commented:
PAQed with points refunded (75)

modulo
Community Support Moderator
0
