Zope and squid

Tags: plone

Almost a year ago I talked about my webserver setup, which included apache, squid and zope. I got a question about that setup today, so instead of only replying by email I've added the (probably not optimal) setup below :-)

> Are you using Squid3??

I'm using 2.5.9, debian sarge.

> Do you have a sample squid.conf you could share??

squid.conf is standard, apart from the following lines. Most are recommended default values:

  #We recommend you to use the following two lines
  acl QUERY urlpath_regex cgi-bin \?
  no_cache deny QUERY

  .....

  #Suggested default:
  refresh_pattern ^ftp:           1440    20%     10080
  refresh_pattern ^gopher:        1440    0%      1440
  refresh_pattern .               0       20%     4320

  ....

  #Recommended minimum configuration:
  acl all src 0.0.0.0/0.0.0.0
  acl manager proto cache_object
  acl localhost src 127.0.0.1/255.255.255.255
  acl to_localhost dst 127.0.0.0/8
  acl SSL_ports port 443 563      # https, snews
  acl SSL_ports port 873          # rsync
  acl Safe_ports port 80          # http
  acl Safe_ports port 21          # ftp
  acl Safe_ports port 443 563     # https, snews
  acl Safe_ports port 70          # gopher
  acl Safe_ports port 210         # wais
  acl Safe_ports port 1025-65535  # unregistered ports
  acl Safe_ports port 280         # http-mgmt
  acl Safe_ports port 488         # gss-http
  acl Safe_ports port 591         # filemaker
  acl Safe_ports port 777         # multiling http
  acl Safe_ports port 631         # cups
  acl Safe_ports port 873         # rsync
  acl Safe_ports port 901         # SWAT
  acl purge method PURGE
  acl CONNECT method CONNECT

  ....

  #Recommended minimum configuration:
  #
  # Only allow cachemgr access from localhost
  http_access allow manager localhost
  http_access deny manager
  # Only allow purge requests from localhost
  http_access allow purge localhost
  http_access deny purge
  # Deny requests to unknown ports
  http_access deny !Safe_ports
  # Deny CONNECT to other than SSL ports
  http_access deny CONNECT !SSL_ports

  .....

  # Example rule allowing access from your local networks. Adapt
  # to list your (internal) IP networks from where browsing should
  # be allowed
  #acl our_networks src 192.168.1.0/24 192.168.2.0/24
  #http_access allow our_networks
  http_access allow localhost

  # And finally deny all other access to this proxy
  http_access deny all

  ....

  # and finally allow by default
  http_reply_access allow all

  ....

  #Allow ICP queries from everyone
  icp_access allow all

  ....

Way at the end:

  redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
  httpd_accel_host virtual
  httpd_accel_port 0

Now the squidguard one:

  #
  # CONFIG FILE FOR SQUIDGUARD
  #

  dbhome /var/lib/squidguard/db
  logdir /var/log/squid

  #
  # TIME RULES:
  # abbrev for weekdays:
  # s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

  time workhours {
          weekly mtwhf 08:00 - 16:30
          date *-*-01  08:00 - 16:30
  }

  #
  # REWRITE RULES:
  #

  #rew dmz {
  #       s@://admin/@://admin.foo.bar.no/@i
  #       s@://foo.bar.no/@://www.foo.bar.no/@i
  #}

  #
  # SOURCE ADDRESSES:
  #

  #src admin {
  #       ip              1.2.3.4 1.2.3.5
  #       user            root foo bar
  #       within          workhours
  #}

  #src foo-clients {
  #       ip              172.16.2.32-172.16.2.100 172.16.2.100 172.16.2.200
  #}

  #src bar-clients {
  #       ip              172.16.4.0/26
  #}

  #
  # DESTINATION CLASSES:
  #

  dest good {
  }

  dest local {
  }

  #dest adult {
  #       domainlist      adult/domains
  #       urllist         adult/urls
  #       expressionlist  adult/expressions
  #       redirect        http://admin.foo.bar.no/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
  #}

  #acl {
  #       admin {
  #               pass     any
  #       }

  #       foo-clients within workhours {
  #               pass     good !in-addr !adult any
  #       } else {
  #               pass any
  #       }

  #       bar-clients {
  #               pass    local none
  #       }

  #       default {
  #               pass     local none
  #               rewrite  dmz
  #               redirect http://admin.foo.bar.no/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
  #       }
  #}

  acl {
          default {
                  redirect http://localhost:10080/%p
          }
  }

Probably most interesting, one of the apache2 config files (the angle-bracket container directives, the VirtualHost and Directory blocks, did not survive the html rendering; only the directives inside them are shown):

    ServerName objecttree.org
    ServerAdmin reinout@vanrees.org
    CustomLog /var/log/apache2/objecttree_org.log combined
    DocumentRoot /var/www

    Alias /awstats-icon/ /usr/share/awstats/icon/
    Alias /icon/ /usr/share/apache/icon/
    ScriptAlias /awstats/ "/usr/local/lib/awstats/wwwroot/cgi-bin/"

        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all

    Alias /icons/ "/usr/share/apache2/icons/"

        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all

    ServerSignature On
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all

    RewriteEngine on
    RewriteRule ^/awstats* - [L]
    RewriteRule ^/cgi-bin/.* - [L]

    RewriteRule ^(.*) http://localhost:3128/VirtualHostBase/http/objecttree.org:80/objecttree/VirtualHostRoot$1 [P]

It's that RewriteRule at the end that does the trick. Everything gets rewritten to port 3128 (which means squid).

At the end of the squidguard config was:

  acl {
          default {
                  redirect http://localhost:10080/%p
          }
  }

Which shoves everything over to a zope running on port 10080. Zope then takes care of everything behind the VirtualHostBase (in the usual way).
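The squid-to-zope hop, as an added example that is not code from the post or from squidGuard: a small Python stand-in for the squidGuard rule `redirect http://localhost:10080/%p`, speaking the line protocol squid 2.5 uses for `redirect_program`, plus a helper that models what the apache RewriteRule above hands to squid. The function names and the sample request lines are made up for the illustration.

```python
import sys
from urllib.parse import urlsplit

ZOPE_BASE = "http://localhost:10080/"   # target of the post's 'redirect' rule


def apache_rewrite(path, query="", host="objecttree.org"):
    """URL the post's RewriteRule ... [P] proxies to squid on port 3128.
    mod_rewrite appends the original query string itself when the
    substitution carries none, so it is modelled as a separate argument."""
    url = (f"http://localhost:3128/VirtualHostBase/http/{host}:80"
           f"/objecttree/VirtualHostRoot{path}")
    return f"{url}?{query}" if query else url


def rewrite_url(url):
    """squidGuard's 'redirect http://localhost:10080/%p': %p is the path
    plus query string without the leading '/'.  None means 'leave it'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None                      # ftp:, gopher:, or no URL at all
    target = ZOPE_BASE + parts.path.lstrip("/")
    return f"{target}?{parts.query}" if parts.query else target


def handle_line(line):
    """One squid 2.5 redirector request: 'URL client_ip/fqdn ident method'.
    Reply is the rewritten URL, or an empty line to keep the original."""
    fields = line.split()
    if len(fields) < 4:
        return ""                        # malformed: never guess, pass through
    url, _client, _ident, method = fields[:4]
    if method.upper() == "CONNECT":
        return ""                        # host:port, not a URL; the ACLs decide
    return rewrite_url(url) or ""


def main():
    # Squid keeps one request in flight per redirector process and waits
    # for the answer, so every reply has to be flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Squid's own http_access rules run before the redirector is asked, so a request the ACLs above deny (a non-localhost client, an unsafe port) never reaches this rewrite.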

(Old imported comments)
"modrewrite" by Reinout van Rees on 2006-06-14 15:46:34
mod_rewrite seems to be the most common, also in plain apache+zope setups. So I'd guess that's the explanation.

I'm going to ditch my setup for CacheFu in a few weeks, though. Look at their squid config files for better examples. CacheFu also has apache+squid+zope samples.
"Same but ProxyPass and problems" by Peter Bengtsson on 2006-06-14 15:21:14

Hi, I'd like to believe that I have the same squid setup as you except some minor details which I don't think are so relevant. My problem is that I'm getting TCP_DENIED/403 the whole time and I can't seem to change that.

I have the exact same squidGuard setup as you, e.g.: redirect http://localhost:9080/%p

The only difference is that I don't use mod_rewrite. I use ProxyPass. Do you think that could be the explanation why I'm getting these Access Denied errors?
