Zope and squid

Tags: plone

Almost a year ago I talked about my webserver setup, which included apache, squid and zope. I got a question about that setup today, so instead of only replying by email I've added the (probably not optimal) setup below :-)

> Are you using Squid3??

I'm using 2.5.9, debian sarge.

> Do you have a sample squid.conf you could share??

squid.conf is standard, apart from the following lines. Most are recommended default values:

  #We recommend you to use the following two lines
  acl QUERY urlpath_regex cgi-bin \?
  no_cache deny QUERY

  .....

  #Suggested default:
  refresh_pattern ^ftp:           1440    20%     10080
  refresh_pattern ^gopher:        1440    0%      1440
  refresh_pattern .               0       20%     4320

  ....

  #Recommended minimum configuration:
  acl all src 0.0.0.0/0.0.0.0
  acl manager proto cache_object
  acl localhost src 127.0.0.1/255.255.255.255
  acl to_localhost dst 127.0.0.0/8
  acl SSL_ports port 443 563      # https, snews
  acl SSL_ports port 873          # rsync
  acl Safe_ports port 80          # http
  acl Safe_ports port 21          # ftp
  acl Safe_ports port 443 563     # https, snews
  acl Safe_ports port 70          # gopher
  acl Safe_ports port 210         # wais
  acl Safe_ports port 1025-65535  # unregistered ports
  acl Safe_ports port 280         # http-mgmt
  acl Safe_ports port 488         # gss-http
  acl Safe_ports port 591         # filemaker
  acl Safe_ports port 777         # multiling http
  acl Safe_ports port 631         # cups
  acl Safe_ports port 873         # rsync
  acl Safe_ports port 901         # SWAT
  acl purge method PURGE
  acl CONNECT method CONNECT

  ....

  #Recommended minimum configuration:
  #
  # Only allow cachemgr access from localhost
  http_access allow manager localhost
  http_access deny manager
  # Only allow purge requests from localhost
  http_access allow purge localhost
  http_access deny purge
  # Deny requests to unknown ports
  http_access deny !Safe_ports
  # Deny CONNECT to other than SSL ports
  http_access deny CONNECT !SSL_ports

  .....

  # Example rule allowing access from your local networks. Adapt
  # to list your (internal) IP networks from where browsing should
  # be allowed
  #acl our_networks src 192.168.1.0/24 192.168.2.0/24
  #http_access allow our_networks
  http_access allow localhost

  # And finally deny all other access to this proxy
  http_access deny all

  ....

  # and finally allow by default
  http_reply_access allow all

  ....

  #Allow ICP queries from everyone
  icp_access allow all

  ....

Way at the end:

  redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
  httpd_accel_host virtual
  httpd_accel_port 0
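To see what this ACL chain actually decides, here is an added Python model (my example, not code from the post or from squid itself) that walks the `http_access` lines above in order, first match wins, with squid's no-match fallback of "the opposite of the last line". The ACLs are reduced to the request fields those rules test (source address, method, destination port, and whether it is a `cache_object` manager request); the sample requests in the test are constructed. It shows, for instance, that anything arriving from an address other than 127.0.0.1 falls through to the final `deny all` (a `TCP_DENIED/403` in the access log), which is why this setup only works with apache proxying from the same host.

```python
"""Model of the http_access chain from the squid.conf excerpt above.

Added illustration only: the ACL table and rule order are copied from
the post, the evaluation logic is a simplified reading of squid's
documented behaviour (top to bottom, first fully matching line decides,
no match -> opposite of the last line's action).
"""
from dataclasses import dataclass


@dataclass
class Request:
    src: str            # client IP address as seen by squid
    method: str         # HTTP method, e.g. GET, PURGE, CONNECT
    port: int           # destination port of the requested URL
    proto: str = "http" # "cache_object" for cachemgr requests


# acl Safe_ports / SSL_ports lines from the post, collapsed into sets.
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777, 631, 873, 901} \
    | set(range(1025, 65536))
SSL_PORTS = {443, 563, 873}

# acl name -> predicate over a Request (only the acl types the rules use).
ACLS = {
    "all": lambda r: True,                       # src 0.0.0.0/0.0.0.0
    "manager": lambda r: r.proto == "cache_object",
    "localhost": lambda r: r.src == "127.0.0.1",
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "purge": lambda r: r.method == "PURGE",
    "CONNECT": lambda r: r.method == "CONNECT",
}

# http_access lines in the order they appear in the post.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    """Evaluate one acl reference, honouring a leading '!' negation."""
    negate = name.startswith("!")
    result = ACLS[name.lstrip("!")](req)
    return result != negate


def http_access(req, rules=HTTP_ACCESS):
    """Return (action, index of the deciding line) for a request.

    All acls on a line must match for the line to apply.  If no line
    matches, squid applies the opposite of the last line's action and
    the index is None.
    """
    for i, (action, acls) in enumerate(rules):
        if all(acl_matches(a, req) for a in acls):
            return action, i
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), None


if __name__ == "__main__":
    # Constructed sample requests: apache on the same box vs. a remote client.
    for req in (Request("127.0.0.1", "GET", 80),
                Request("192.0.2.10", "GET", 80),
                Request("127.0.0.1", "CONNECT", 80),
                Request("192.0.2.10", "PURGE", 80)):
        action, idx = http_access(req)
        print(f"{req.src:12} {req.method:8} :{req.port:<5} -> {action} (line {idx})")
```

The rule order matters: the `deny !Safe_ports` and `deny CONNECT !SSL_ports` lines sit before `allow localhost`, so even a request from 127.0.0.1 is refused if it targets an odd port or tunnels to a non-SSL port.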

Now the squidguard one:

  #
  # CONFIG FILE FOR SQUIDGUARD
  #

  dbhome /var/lib/squidguard/db
  logdir /var/log/squid

  #
  # TIME RULES:
  # abbrev for weekdays:
  # s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

  time workhours {
          weekly mtwhf 08:00 - 16:30
          date *-*-01  08:00 - 16:30
  }

  #
  # REWRITE RULES:
  #

  #rew dmz {
  #       s@://admin/@://admin.foo.bar.no/@i
  #       s@://foo.bar.no/@://www.foo.bar.no/@i
  #}

  #
  # SOURCE ADDRESSES:
  #

  #src admin {
  #       ip              1.2.3.4 1.2.3.5
  #       user            root foo bar
  #       within          workhours
  #}

  #src foo-clients {
  #       ip              172.16.2.32-172.16.2.100 172.16.2.100 172.16.2.200
  #}

  #src bar-clients {
  #       ip              172.16.4.0/26
  #}

  #
  # DESTINATION CLASSES:
  #

  dest good {
  }

  dest local {
  }

  #dest adult {
  #       domainlist      adult/domains
  #       urllist         adult/urls
  #       expressionlist  adult/expressions
  #       redirect http://admin.foo.bar.no/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
  #}

  #acl {
  #       admin {
  #               pass     any
  #       }

  #       foo-clients within workhours {
  #               pass     good !in-addr !adult any
  #       } else {
  #               pass any
  #       }

  #       bar-clients {
  #               pass    local none
  #       }

  #       default {
  #               pass     local none
  #               rewrite  dmz
  #               redirect http://admin.foo.bar.no/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
  #       }
  #}

  acl {
          default {
                  redirect http://localhost:10080/%p
          }
  }

Probably most interesting, one of the apache2 config files:

    ServerName objecttree.org
    ServerAdmin reinout@vanrees.org
    CustomLog /var/log/apache2/objecttree_org.log combined
    DocumentRoot /var/www

    Alias /awstats-icon/ /usr/share/awstats/icon/
    Alias /icon/ /usr/share/apache/icon/
    ScriptAlias /awstats/ "/usr/local/lib/awstats/wwwroot/cgi-bin/"

                  Options Indexes FollowSymLinks MultiViews
                  AllowOverride None
                  Order allow,deny
                  allow from all

          Alias /icons/ "/usr/share/apache2/icons/"

              Options Indexes MultiViews
              AllowOverride None
              Order allow,deny
              Allow from all

          ServerSignature On
          ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

                  AllowOverride None
                  Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                  Order allow,deny
                  Allow from all

    RewriteEngine on
    RewriteRule ^/awstats* - [L]
    RewriteRule ^/cgi-bin/.* - [L]

    RewriteRule ^(.*) http://localhost:3128/VirtualHostBase/http/objecttree.org:80/objecttree/VirtualHostRoot$1 [P]

It's that RewriteRule at the end that does the trick. Everything (apart from the awstats and cgi-bin paths the two `[L]` rules above it leave to apache) gets proxied to port 3128, which means squid.

At the end of the squidGuard config was:

  acl {
          default {
                  redirect http://localhost:10080/%p
          }
  }

Which shoves everything over to a zope running on port 10080. Zope then takes care of everything behind the VirtualHostBase (in the usual way).
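The full path a request takes, as an added Python illustration (my example, not code from the post, apache, squid or squidGuard): the apache rules are applied in order with `[L]` stopping on the two local paths, and the squidGuard `redirect` is applied to the proxied URL. It assumes squidGuard's documented meaning of `%p` (the path plus optional query string of the request URL, without the leading slash) and that squid fetches whatever URL the redirector hands back. Sample request paths are constructed.

```python
"""Trace a request through apache -> squid/squidGuard -> zope for the
configs above.  Added illustration only; the rule patterns and the
target URLs are copied from the post, the matching logic is a
simplified model of mod_rewrite and squidGuard behaviour.
"""
import re
from urllib.parse import urlsplit

ZOPE_PREFIX = ("http://localhost:3128/VirtualHostBase/http/"
               "objecttree.org:80/objecttree/VirtualHostRoot")

# RewriteRule lines from the apache config, in order.  A target of None
# stands for "-" with [L]: leave the URL alone and stop rewriting.
APACHE_RULES = [
    (re.compile(r"^/awstats*"), None),          # awstats CGI served by apache
    (re.compile(r"^/cgi-bin/.*"), None),        # cgi-bin served by apache
    (re.compile(r"^(.*)"), ZOPE_PREFIX + r"\1"),  # everything else -> squid [P]
]


def apache_rewrite(path):
    """Return the URL apache proxies to, or None if it serves the path itself.

    mod_rewrite matches against the URL path only (no query string), which
    is why route() splits the query off before calling this.
    """
    for pattern, target in APACHE_RULES:
        match = pattern.match(path)
        if match:
            return None if target is None else match.expand(target)
    return None  # unreachable: ^(.*) matches every path


def squidguard_redirect(url, backend="http://localhost:10080/"):
    """Apply 'redirect http://localhost:10080/%p' to a URL squid received.

    Assumption from the squidGuard docs: %p is the path and optional query
    string of the request URL without its leading '/'.
    """
    parts = urlsplit(url)
    p = parts.path.lstrip("/")
    if parts.query:
        p += "?" + parts.query
    return backend + p


def route(request_uri):
    """Follow an incoming request URI to whichever server finally answers.

    Returns ("apache", uri) for paths apache serves itself, otherwise
    ("zope", url) with the VirtualHostBase URL zope receives on port 10080.
    """
    path, sep, query = request_uri.partition("?")
    proxied = apache_rewrite(path)
    if proxied is None:
        return ("apache", request_uri)
    # mod_rewrite appends the original query string to the substitution.
    return ("zope", squidguard_redirect(proxied + sep + query))


if __name__ == "__main__":
    # Constructed sample request URIs.
    for uri in ("/", "/about?x=1", "/awstats/awstats.pl?config=objecttree",
                "/cgi-bin/test.cgi", "/awstat"):
        print(f"{uri:40} -> {route(uri)}")
```

One caveat the trace makes visible: `^/awstats*` means "/awstat followed by zero or more s", so `/awstat` and `/awstatsfoo` are also kept away from zope; `^/awstats/` would express the intent more tightly.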

(Old imported comments)
"modrewrite" by Reinout van Rees on 2006-06-14 15:46:34
mod_rewrite seems to be the most common, also in plain apache+zope setups. So I'd guess that's the explanation.

I'm going to ditch my setup for CacheFu in a few weeks, though. Look at their squid config files for better examples. CacheFu also has apache+squid+zope samples.
"Same but ProxyPass and problems" by Peter Bengtsson on 2006-06-14 15:21:14

Hi, I'd like to believe that I have the same squid set up as you except some minor details which I don't think are so relevant. My problem is that I'm getting TCP_DENIED/403 the whole time and I can't seem to change that.

I have the exact same squidGuard setup as you, eg: redirect http://localhost:9080/%p

The only difference is that I don't use mod_rewrite. I use ProxyPass. Do you think that could be the explanation why I'm getting these Access Denied errors?
