I have the following setup:
- two WAN lines, each with a static public IP, each connected to a separate router, providing two internal networks (net1 and net2)
- one Ubuntu 14.04 LTS server with squid 3.3.8 installed (compiled with --enable-ssl), having two interfaces, one located in each net, with net1 as the default gateway
- squid is reverse proxying for some servers being located in either net1 or net2
- two subdomains, each with an A record on one of the WAN IPs
- port forwardings for ports 80 and 443 on both routers, pointing to the respective IP of the squid server
For better understanding:
```
sub1.domain.tld-->WAN1--ROUTER1--net1--SERVER1
                                   |
                                 SQUID
                                   |
sub2.domain.tld-->WAN2--ROUTER2--net2--SERVER2
```
My problem:
- accessing sub1.domain.tld from the internet works as expected and shows up in the access.log
- accessing sub2.domain.tld from the internet results in a timeout, and nothing shows up in the logs
- when forcing sub2.domain.tld to the IP of WAN1 via the client's hosts file, everything works as expected and shows up in the access.log
- also, when switching the gateway from eth0 to eth1 (with the respective gateway IP), everything works as expected and shows up in the access.log
It seems like packets returned from squid are always taking the default route.
How can I solve this and make both WAN routes work?
I tried using tcp_outgoing_address, but with no success:
```
tcp_outgoing_address 192.168.1.123 localnet1
tcp_outgoing_address 192.168.2.123 localnet2
```
Also, explicitly binding to specific IPs did not help:
```
http_port 192.168.1.123:80 accel defaultsite=sub1.domain.tld
https_port 192.168.1.123:443 accel cert=/etc/ssl/certs/domain.tld.crt key=/etc/ssl/private/domain.tld.key defaultsite=sub1.domain.tld
http_port 192.168.2.123:80 accel defaultsite=sub2.domain.tld
https_port 192.168.2.123:443 accel cert=/etc/ssl/certs/domain.tld.crt key=/etc/ssl/private/domain.tld.key defaultsite=sub2.domain.tld
```
Thanks for any help!
Here is the corresponding config:
/etc/network/interfaces of the squid server:
```
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.123
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 192.168.1.1

auto eth1
iface eth1 inet static
    address 192.168.2.123
    netmask 255.255.255.0
    dns-nameservers 192.168.2.1
```
/etc/squid3/squid.conf:
```
# define some ACL aliases
acl localnet1 src 192.168.1.0/24
acl localnet2 src 192.168.2.0/24
acl allsrc src all
acl safeports port 80 443
acl sslports port 443
acl purge method PURGE
acl connect method CONNECT
acl HTTP proto HTTP
acl HTTPS proto HTTPS
# restrict management options
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# block non-safe ports
http_access deny !safeports
http_access deny CONNECT !sslports
# define ports and certs
http_port 80 accel defaultsite=sub1.domain.tld
https_port 443 accel cert=/etc/ssl/certs/domain.tld.crt key=/etc/ssl/private/domain.tld.key defaultsite=sub1.domain.tld
# define peers
cache_peer 192.168.1.234 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=server1
cache_peer 192.168.2.234 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=server2
# define uris
acl server1_acl url_regex -i ^https://sub1.domain.tld/*$
acl server2_acl url_regex -i ^https://sub2.domain.tld/*$
# bind peers to acls and block direct access
never_direct allow server1_acl
http_access allow server1_acl
cache_peer_access server1 allow server1_acl
never_direct allow server2_acl
http_access allow server2_acl
cache_peer_access server2 allow server2_acl
# handle unhandled connections
deny_info TCP_RESET allsrc
http_access allow localnet1
http_access allow localnet2
http_access deny allsrc
```
Best Answer
OK, found the problem: a routing issue...
As I thought, all outgoing packets are being sent over eth0. This can be fixed by setting additional routes:
Add a new routing table:
Configure the new route:
To make this persistent, include in /etc/network/interfaces for eth1:
Credits to:
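The fix described above is source-based policy routing: replies that carry the eth1 address as source must be sent out via ROUTER2 instead of the default gateway on eth0. The following script is an added example, not the answerer's own commands; it uses the addresses and interface names from the question, while the table number (100), table name (wan2) and rule priority (1000) are assumptions. With DRY_RUN=1 (the default) it prints the ip(8) commands instead of executing them, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: policy routing for a dual-homed reverse proxy so that
# traffic sourced from the eth1 address leaves via the eth1 gateway.
# Addresses/devices come from the question; table id/name and the
# rule priority are assumptions chosen for this example.

TABLE_ID=100          # assumed: any unused id between 1 and 252
TABLE_NAME=wan2       # assumed: name registered in /etc/iproute2/rt_tables
RULE_PRIO=1000        # assumed: must be below 32766 (the "main" table rule)
ETH1_DEV=eth1
ETH1_ADDR=192.168.2.123
ETH1_NET=192.168.2.0/24
ETH1_GW=192.168.2.1

# Print the command when DRY_RUN=1 (default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Line to append to /etc/iproute2/rt_tables so "wan2" resolves to table 100.
rt_tables_line() {
    printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME"
}

# Routes inside the extra table plus the rule that selects it by source address.
# The connected route is needed so that net2 itself stays reachable when the
# lookup happens in table wan2 rather than in main.
configure_policy_routing() {
    run ip route add "$ETH1_NET" dev "$ETH1_DEV" src "$ETH1_ADDR" table "$TABLE_NAME"
    run ip route add default via "$ETH1_GW" dev "$ETH1_DEV" table "$TABLE_NAME"
    run ip rule add from "$ETH1_ADDR" table "$TABLE_NAME" priority "$RULE_PRIO"
}

# Ask the kernel which path a reply sourced from the eth1 address would take
# (203.0.113.1 is a documentation address standing in for an internet client).
show_route_check() {
    run ip route get 203.0.113.1 from "$ETH1_ADDR"
}

# Given the output of `ip rule show`, report whether the selector rule exists.
# The table shows up by name only after rt_tables_line was added to rt_tables;
# before that, ip(8) prints the numeric id instead.
rule_present() {
    printf '%s\n' "$1" | grep -q "from $ETH1_ADDR lookup $TABLE_NAME"
}

# Stand-alone use: DRY_RUN=1 ./policy-routing.sh   (review)
#                  DRY_RUN=0 ./policy-routing.sh   (apply, as root)
if [ "${0##*/}" = "policy-routing.sh" ]; then
    configure_policy_routing
    show_route_check
fi
```

After applying, `ip rule show` should list the new rule between the `local` and `main` entries, and `ip route get 203.0.113.1 from 192.168.2.123` should report `via 192.168.2.1 dev eth1`. Note that only packets sourced from 192.168.2.123 are affected; everything else on the host keeps using the eth0 default route, which is what the question's setup needs.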