Reverse Proxy with Squid: Difference between revisions

From RSWiki
Revision as of 20:54, 18 August 2007

Introduction

If, like me, your ISP provides you with a single static IP address, you may think that you are limited to running one web server, or at best to using NAT to forward ports other than 80 to other servers. There are many reasons why you might wish to run more than one web server: for example, you may want Apache serving one site and Microsoft IIS 6.0 serving another, or even JBoss, Tomcat or some other application server.

Background

For my scenario I wished to run Apache and PHP; indeed, this very site runs on that combination. In addition I also wished to run another site on IIS 6.0. I have various domain names belonging to myself and friends that are hosted on my primary web server using Apache's built-in virtual hosts; however, one site that I was asked to host required Microsoft's IIS. I explored the many options available and concluded that using Squid as a reverse proxy would be my best option.

Equipment

My scenario uses three individual servers.

The reverse proxy - running Ubuntu 6.06
The Apache web server - running Ubuntu 6.06
The IIS server - running Windows Server 2003

Configuring the Proxy

I used a base install of Ubuntu 6.06 and manually compiled the most recent version of Squid, which at the time of writing is Squid 2.4-Stable14. The only configure flag that I used was --prefix=/usr.

Once Squid was compiled and installed I now had the following directory structure:

/usr/etc/squid.conf - Squid configuration file.
/usr/var/logs - location of the log files.
/usr/var/cache - location of the cache itself.
/usr/sbin/squid - location of the Squid executable.

Editing squid.conf

The supplied squid.conf is over 4000 lines long; most of it is documentation in the comments. For my purposes I created a new squid.conf from scratch.

By default Squid listens on TCP port 3128. As we want Squid to answer web requests in place of a web server, we need to tell it to listen on port 80 instead. So the first line of our new squid.conf is as follows:

http_port 80 accel defaultsite=www.sweetnam.eu vhost

The default site to be served is www.sweetnam.eu. The vhost option makes Squid use the Host header of each request to decide which back-end server it belongs to, and that is how the other servers are configured below.

The next lines in the configuration are merely Squid's defaults:

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

access_log /usr/var/logs/access.log
cache_log /usr/var/logs/cache.log
cache_store_log /usr/var/logs/store.log

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

The next lines are where we begin to configure the two separate servers.

First we add a cache_peer directive to tell Squid the IP address of the first server:

cache_peer 172.20.1.10 parent 80 0 no-query originserver name=server_1

You can see above that we have given it the name server_1. All sites hosted on this server will belong to this group.

Next we must tell Squid the domains that will be served by server_1:

acl sites_server_1 dstdomain www.sample.com sample.com
acl our_sites dstdomain www.sample.com sample.com
cache_peer_access server_1 allow sites_server_1

To add more domain names, simply append them after the sample ones above.

Now we will configure the second server:

cache_peer 172.20.1.4 parent 80 0 no-query originserver name=server_2
acl sites_server_2 dstdomain www.sample2.com sample2.com
acl our_sites2 dstdomain www.sample2.com sample2.com
cache_peer_access server_2 allow sites_server_2

Now we tell Squid to allow access to the two servers, one http_access line per group (note that the second line must name our_sites2, otherwise requests for the second server fall through to the final deny rule):

http_access allow our_sites
http_access allow our_sites2

Next we must ensure that Squid's standard acl rules are in place. For this I simply copied the defaults. Squid evaluates http_access rules from top to bottom and the first match wins, so the two allow lines above must stay ahead of the final http_access deny all:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all
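Because Squid evaluates http_access lines top to bottom, and a cache_peer_access line must name a peer that has already been defined, it is easy to end up with a site that is routed to a back end but never allowed. The following checker is an added example, neither from this wiki page nor part of Squid: it parses a squid.conf built like the one above and reports those inconsistencies. The SAMPLE config it carries is constructed, and the function names are my own.

```python
def check_accel_conf(text):
    """Return a list of problems (empty list = consistent). Flags a cache_peer_access naming a
    peer with no cache_peer line (Squid refuses to start), a reference to an undefined acl, and a
    dstdomain routed to a peer but never allowed by http_access ahead of 'deny all' (gives 403)."""
    problems, acls, peers, routed, allowed, deny_all = [], {}, set(), set(), set(), False
    for raw in text.splitlines():
        directive, *args = raw.split("#", 1)[0].split() or [""]   # strip comments, skip blanks
        if directive == "acl" and len(args) >= 2:   # acl NAME TYPE VALUE...; may be repeated
            acls.setdefault(args[0], (args[1], set()))[1].update(args[2:])
        elif directive == "cache_peer":
            peers.update(a[5:] for a in args if a.startswith("name="))
        elif directive in ("cache_peer_access", "http_access") and len(args) >= 2:
            peer = args.pop(0) if directive == "cache_peer_access" else None
            if peer is not None and peer not in peers:
                problems.append(f"cache_peer_access: no cache_peer named {peer}")
            action, names = args[0], args[1:]
            if peer is None and action == "deny" and names == ["all"]:
                deny_all = True   # every http_access line after this one is unreachable
            for name in names:
                acl = acls.get(name.lstrip("!"))
                if acl is None:
                    problems.append(f"{directive}: undefined acl {name}")
                elif action == "allow" and acl[0] == "dstdomain" and name[0] != "!":
                    if peer is not None:
                        routed |= acl[1]
                    elif not deny_all:
                        allowed |= acl[1]
    for domain in sorted(routed - allowed):
        problems.append(f"{domain} is routed to a peer but never allowed by http_access")
    return problems

# Constructed sample reproducing two easy slips: server_1 has no cache_peer line, and
# our_sites2 is defined but 'http_access allow our_sites' is repeated instead of using it.
SAMPLE = """\
acl sites_server_1 dstdomain www.sample.com sample.com
acl our_sites dstdomain www.sample.com sample.com
cache_peer_access server_1 allow sites_server_1
cache_peer 172.20.1.4 parent 80 0 no-query originserver name=server_2
acl sites_server_2 dstdomain www.sample2.com sample2.com
acl our_sites2 dstdomain www.sample2.com sample2.com
cache_peer_access server_2 allow sites_server_2
http_access allow our_sites
http_access allow our_sites
acl all src 0.0.0.0/0.0.0.0
http_access deny all
"""
```

Running check_accel_conf(SAMPLE) lists the missing server_1 peer and both sample2.com names as routed but never allowed; after adding the cache_peer line and changing the second allow to our_sites2 it returns an empty list.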

The last entries in our squid.conf are specific to your server:

cache_mgr admin@sample.com
cache_effective_user www-data
cache_effective_group www-data
visible_hostname hostname.sample.com

You may now start Squid with the following command:

/usr/sbin/squid -sY -f /usr/etc/squid.conf

Notes

All of the above assumes that you have DNS configured so that each of your domain names points to the IP address of the reverse proxy.

The reverse proxy must face the internet, either directly or via port forwarding.

Both peers are defined with no-query, so Squid sends no ICP queries to them. The default icp_access allow all line therefore serves no purpose here and can be changed to icp_access deny all if you do not want the proxy answering ICP queries from arbitrary hosts on UDP port 3130.

Complete squid.conf

Here is a complete squid.conf:

http_port 80 accel defaultsite=www.sweetnam.eu vhost
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

access_log /usr/var/logs/access.log
cache_log /usr/var/logs/cache.log
cache_store_log /usr/var/logs/store.log

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

cache_peer 172.20.1.10 parent 80 0 no-query originserver name=server_1
acl sites_server_1 dstdomain www.sample.com sample.com
acl our_sites dstdomain www.sample.com sample.com
cache_peer_access server_1 allow sites_server_1

cache_peer 172.20.1.4 parent 80 0 no-query originserver name=server_2
acl sites_server_2 dstdomain www.sample2.com sample2.com
acl our_sites2 dstdomain www.sample2.com sample2.com
cache_peer_access server_2 allow sites_server_2

http_access allow our_sites
http_access allow our_sites2

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all

cache_mgr admin@sample.com
cache_effective_user www-data
cache_effective_group www-data
visible_hostname hostname.sample.com

--Robert 21:51, 18 August 2007 (IST)