Seems that while the correct IP address is appearing in the Apache log the originating IP may be that of the proxy so that’s why it might not be blocked.

You could block that IP address on the reverse proxy though.

this is working great however one thing i used is the .htaccess and in there

deny from x.x.x.x

Now looking at the Squid access.log i see the original IP number and in the Apache2 access.log I see the same original IP number. This would mean :

in both access logs I see x.x.x.x and in .htaccess I deny x.x.x.x however this isn’t giving a 403 access denied page anymore.

When I go around the Squid server the 403 page is shown correctly based on the x.x.x.x deny

Any ideas why the .htaccess isn’t acting on the deny anymore?

Thanks
Rob

There’s an explanation added http://www.ipfraudreporter.com/217-26-112-1-ip-address#comment-635

Best regards!

Unfortunately the backend server will always need to be alive. The cache will not act as a failover.

The reason it needs to be alive is that the cache makes a quick check to see if the data on the backend server is more recent than the one in cache. If it is then the cache will pull from the backend server.

Note that it doesn’t pull the actual content from the backend server unless it is needed it usually checks the http headers I think.

If I wget the index on the webserver
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: public, max-age=5,stale-while-revalidate=600,
stale-if-error=36000
Set-Cookie: ASP.NET_SessionId=fdlkjayuf98dsfgnkjdsl7; path=/; HttpOnly
Cache-Control: private

I have tried this via the suggestion here,
http://support.microsoft.com/kb/247404 which edits the IIS metabase to
add the CacheControlCustom entry, but this doesn’t seem to change the
headers. So I added a custom header to the site which is what gives
the dual cache-control entries in the header.
Any ideas?

Colin,

I have no idea why there is a need for two ACLs. It doesn’t work with just one.

Thanks for spotting the typo!

Hi Roy, Squid’s original purpose is to do just that. For accelerating http on a LAN it’s perfect.

I am curious though, why is there a need to define the domains in two different ACLs? I would have thought you could just use the same one (ie: you have acl sites_apache and also acl our_sites which appear to be the same).

Oh, I’ve got another typo for you: There is a space missing between the referrer and User-Agent quotes, ie: should be:
LogFormat “%{X-Forwarded-For}i %v %u %t \”%r\” %>s %b \”%{Referer}i\” \”%{User-Agent}i\”” cached

INSTEAD OF:

LogFormat “%{X-Forwarded-For}i %v %u %t \”%r\” %>s %b \”%{Referer}i\”\”%{User-Agent}i\”” cached

Thanks again for an awesome post!

Colin

Hi Miguel, I will take a look and contact you shortly.