Revision as of 14:50, 22 January 2008
Introduction
If, like me, your ISP provides you with a single static IP address, you may think you are limited to running one web server, or at best to using NAT to forward ports other than 80 to other servers. There are many reasons for wanting more than one web server: for example, you may want Apache serving one site and Microsoft IIS 6.0 serving another, or JBoss, Tomcat or some other application server.
Background
For my scenario I wished to run Apache and PHP. Indeed it is this combination on which this very site is running. In addition to this I
Once Squid was compiled and installed I had the following directory structure:
/usr/etc/squid.conf - Squid configuration file.
/usr/var/logs - log file locations.
/usr/var/cache - location of the cache itself.
/usr/sbin/squid - location of the Squid executable.
Editing squid.conf
The supplied squid.conf is over 4000 lines long. Most of this is documentation added in the comments. For my purposes I created a new squid.conf from scratch.
By default Squid listens on TCP port 3128. Since Squid will be standing in front of the web servers as a reverse proxy, it needs to listen on port 80 instead, so the first lines of the new squid.conf are:
http_port 80 accel defaultsite=www.sweetnam.eu vhost
forwarded_for on
Here accel puts Squid into accelerator (reverse proxy) mode, defaultsite names the site served when a request carries no Host header (www.sweetnam.eu), and vhost makes Squid choose the back-end server from the Host header, which is how the other sites are selected below. The forwarded_for on line makes Squid append the original client's IP address to the X-Forwarded-For request header on every request it passes to a back end; the back-end logging configuration described later relies on it.
The next lines are simply Squid's defaults:
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/var/logs/access.log
cache_log /usr/var/logs/cache.log
cache_store_log /usr/var/logs/store.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20%
The next lines are where we begin to configure the two separate servers.
First we add a directive telling Squid the IP address of the first back-end server. The fields mean: a parent peer, HTTP port 80, ICP port 0, no ICP queries (no-query), and treat the peer as an origin web server rather than as another proxy (originserver):
cache_peer 172.20.1.10 parent 80 0 no-query originserver name=server_1
You can see that we have given the peer the name server_1. All sites hosted on this server will be grouped under it.
Next we tell Squid which domains are served by server_1. The first acl is used to select the peer and the second is used further down to grant client access; both list the same domains:
acl sites_server_1 dstdomain www.sample.com sample.com
acl our_sites dstdomain www.sample.com sample.com
cache_peer_access server_1 allow sites_server_1
To add more domain names simply append them to the acl lines above.
Now we configure the second server in the same way:
cache_peer 172.20.1.4 parent 80 0 no-query originserver name=server_2
acl sites_server_2 dstdomain www.sample2.com sample2.com
acl our_sites2 dstdomain www.sample2.com sample2.com
cache_peer_access server_2 allow sites_server_2
And we tell Squid to allow client access to the two sets of domains:
http_access allow our_sites
http_access allow our_sites2
Next we must make sure Squid's standard access-control rules are in place. For this I simply copied the defaults:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all
Two things are worth knowing about this block. Squid evaluates http_access lines from top to bottom and applies the first line that matches, so with the http_access allow our_sites lines placed above it (as in the previous step) a request for one of our own domains is allowed before deny manager or deny !Safe_ports is ever consulted. Squid's stock squid.conf puts these deny lines first and the site-specific allow lines after them; keeping that order costs nothing and means the manager and port restrictions always apply. Also, because both peers are configured with no-query, ICP is not used here, so icp_access allow all can be changed to icp_access deny all (or icp_port 0 set so that Squid does not listen for ICP at all) on an Internet-facing box.
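To make the ordering point concrete, here is an added example (it is not code from the original page or from the Squid project) that models Squid's first-match http_access evaluation for the ACL types used on this page and compares the page's ordering with the ordering in Squid's stock configuration. The two configurations, the client addresses and the request details are constructed for illustration; only the ACL types src, proto, port, method and dstdomain are modelled.

```python
"""First-match evaluation of Squid http_access rules.

Added example; not code from the original page or from Squid. It models only
the ACL types the page's squid.conf uses (src, proto, port, method, dstdomain)
and Squid's rule that http_access lines are checked top to bottom, the first
line whose ACLs all match wins, and a leading "!" negates an ACL.
Both configurations and all requests below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str         # client address as Squid sees it
    proto: str       # "http", or "cache_object" for cache-manager requests
    dstdomain: str   # host Squid derived from the Host header (vhost mode)
    port: int        # destination port of the request
    method: str      # HTTP method


def parse_acls(conf: str) -> dict:
    """Collect 'acl NAME TYPE value...' lines into {name: (type, [values])}."""
    acls = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            name, typ, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (typ, []))[1].extend(values)
    return acls


def acl_matches(acl, req: Request) -> bool:
    typ, values = acl
    if typ == "src":
        ip = ipaddress.ip_address(req.src)
        # ipaddress accepts Squid's dotted-netmask form, e.g. 0.0.0.0/0.0.0.0
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if typ == "proto":
        return req.proto in values
    if typ == "method":
        return req.method.upper() in (v.upper() for v in values)
    if typ == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if typ == "dstdomain":
        # "example.com" matches exactly; ".example.com" also matches subdomains
        return any(req.dstdomain == v or (v.startswith(".") and req.dstdomain.endswith(v))
                   for v in values)
    raise ValueError("ACL type not modelled here: " + typ)


def http_access(conf: str, req: Request) -> str:
    """Return "allow" or "deny" as Squid's http_access evaluation would."""
    acls = parse_acls(conf)
    last = "deny"
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        verdict, terms = parts[1], parts[2:]
        last = verdict
        # A line matches when every ACL on it matches (a leading "!" negates).
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return verdict
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if last == "allow" else "allow"


COMMON_ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl our_sites dstdomain www.sample.com sample.com
"""

# Order as on the page: the site allow comes before the protective deny lines.
PAGE_ORDER = COMMON_ACLS + """
http_access allow our_sites
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Order from Squid's stock squid.conf: deny lines first, site allows last.
DEFAULT_ORDER = COMMON_ACLS + """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_sites
http_access deny all
"""

NORMAL = Request("203.0.113.5", "http", "www.sample.com", 80, "GET")
SMTP_PORT = Request("203.0.113.5", "http", "www.sample.com", 25, "GET")
FOREIGN = Request("203.0.113.5", "http", "www.evil.example", 80, "GET")


def compare(req: Request) -> tuple:
    """Verdict under the page's order and under the stock order."""
    return http_access(PAGE_ORDER, req), http_access(DEFAULT_ORDER, req)


if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("smtp port", SMTP_PORT), ("foreign", FOREIGN)]:
        print(name, compare(req))
```

A plain request for www.sample.com is allowed under both orderings and a request for an unknown domain is denied under both, but a request for www.sample.com on port 25 is allowed by the page's ordering and denied by the stock ordering, because allow our_sites is reached before deny !Safe_ports. In this particular setup the practical effect is limited (originserver peers are contacted on port 80 regardless), but the stock ordering makes the protective rules unconditional.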
The last entries in our squid.conf are specific to your server:
cache_mgr admin@sample.com
cache_effective_user www-data
cache_effective_group www-data
visible_hostname hostname.sample.com
You may now start Squid with the following command:
/usr/sbin/squid -sY -f /usr/etc/squid.conf
Notes
All the above assumes that you have DNS configured so that each domain name points to the IP address of the reverse proxy.
The reverse proxy must face the Internet, either directly or by port forwarding.
The back-end servers (172.20.1.10 and 172.20.1.4 in this example) should be reachable only from the proxy, not from the Internet; otherwise the access controls in squid.conf can be bypassed by talking to a back end directly, and such hits show up in its logs with no X-Forwarded-For header.
Complete squid.conf
Here is a complete squid.conf:
http_port 80 accel defaultsite=www.sweetnam.eu vhost
forwarded_for on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/var/logs/access.log
cache_log /usr/var/logs/cache.log
cache_store_log /usr/var/logs/store.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20%
cache_peer 172.20.1.10 parent 80 0 no-query originserver name=server_1
acl sites_server_1 dstdomain www.sample.com sample.com
acl our_sites dstdomain www.sample.com sample.com
cache_peer_access server_1 allow sites_server_1
cache_peer 172.20.1.4 parent 80 0 no-query originserver name=server_2
acl sites_server_2 dstdomain www.sample2.com sample2.com
acl our_sites2 dstdomain www.sample2.com sample2.com
cache_peer_access server_2 allow sites_server_2
http_access allow our_sites
http_access allow our_sites2
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all
cache_mgr admin@sample.com
cache_effective_user www-data
cache_effective_group www-data
visible_hostname hostname.sample.com
Configuring Logging to the back end servers
When using a reverse proxy you will notice that the logs on the back-end servers show every hit as coming from the proxy rather than from the client. The forwarded_for on directive noted earlier makes Squid append the original client's IP address to the X-Forwarded-For request header before passing the request to the back end. Apache does not log that header by default, so you need a custom log format on the back-end server to record it.
Two caveats apply. X-Forwarded-For is an ordinary request header that a client can set itself, and Squid appends to whatever it receives rather than replacing it, so the value the back end sees may be a client-supplied string followed by the real address; only the last element (the one Squid added) should be trusted. And a hit with no X-Forwarded-For at all means the request reached the back end without passing through the proxy, which is one more reason the back ends should not be reachable directly from the Internet.
For Apache, I edited httpd.conf and added a new LogFormat line in the logging section with the nickname cached. This line as it appears in my configuration file looks like this:
LogFormat "%{X-Forwarded-For}i %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" cached
Now you need to configure your default sites or virtual hosts so that they will use the new log format. Simply locate the entry for your host and change the CustomLog entry so that it looks like this:
CustomLog /home/blog/logs/access_log cached
Once you have configured Apache you need to restart the service.
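To show what the back end actually records with this format, here is an added example (it is not code from the original page or from the Apache or Squid projects) that parses a few constructed log lines in the cached format, takes the client address from the last X-Forwarded-For element, and reports the two conditions discussed above: a client that sent its own X-Forwarded-For value, and a hit that did not come through the proxy. The log lines, addresses and paths are made up for illustration.

```python
"""Reading the X-Forwarded-For field written by the 'cached' LogFormat.

Added example; not code from the original page or from Apache or Squid. It
parses the page's custom Apache log format, takes the client address from the
LAST X-Forwarded-For element (the one Squid appended), and flags two things a
reviewer of these logs should care about: earlier elements, which the client
supplied itself, and hits with no header at all, which did not come through
the proxy. The log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# One regex for: XFF vhost user [time] "request" status bytes "referer" "agent"
# The XFF field may contain several addresses separated by ", ".
LOG_RE = re.compile(
    r'^(?P<xff>\S+(?:, \S+)*) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


@dataclass
class Hit:
    vhost: str
    request: str
    status: int
    via_proxy: bool          # False when X-Forwarded-For is absent ("-")
    client_ip: str = ""      # last XFF element: the address Squid appended
    claimed: list = field(default_factory=list)  # earlier, client-supplied elements


def parse_hit(line: str) -> Hit:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("does not match the cached LogFormat: " + line)
    hit = Hit(m["vhost"], m["request"], int(m["status"]), via_proxy=m["xff"] != "-")
    if hit.via_proxy:
        hops = [h.strip() for h in m["xff"].split(",")]
        ipaddress.ip_address(hops[-1])   # the trusted element must be a real address
        hit.client_ip, hit.claimed = hops[-1], hops[:-1]
    return hit


def audit(log: str) -> list:
    """Return one warning string per suspicious hit in the log text."""
    warnings = []
    for line in filter(None, log.splitlines()):
        hit = parse_hit(line)
        if not hit.via_proxy:
            warnings.append("reached %s directly, bypassing the proxy: %s"
                            % (hit.vhost, hit.request))
        elif hit.claimed:
            warnings.append("%s sent its own X-Forwarded-For %s: %s"
                            % (hit.client_ip, hit.claimed, hit.request))
    return warnings


# Constructed sample in the page's format (not real traffic).
SAMPLE_LOG = """
203.0.113.7 www.sample.com - [22/Jan/2008:14:50:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9, 203.0.113.7 www.sample.com - [22/Jan/2008:14:50:02 +0000] "GET /admin/ HTTP/1.1" 403 221 "-" "curl/7.18.0"
- www.sample.com - [22/Jan/2008:14:50:03 +0000] "GET /index.php HTTP/1.0" 200 5123 "-" "-"
"""

if __name__ == "__main__":
    for w in audit(SAMPLE_LOG):
        print(w)
```

Keeping %h in the format alongside %{X-Forwarded-For}i is a cheap extra check: on a correctly isolated back end, %h should always be the proxy's address, and anything else is a direct hit.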
Thanks and Credits
Many thanks are owed to Paolo Marchiori and John Moylan of the Irish Linux Users Group who helped me figure out how to configure the custom log format for Apache.