How to set up a Squid reverse proxy of Mir
See also ApacheReverseProxy
apt-get install squid
cd /usr/ports/www/squid && make && make install
The following directives will need tweaking:
http_port 18.104.22.168:80 accel defaultsite=22.214.171.124 vhost
The first ip:host is where we will listen, the defaultsite=ip is what will be returned on a straight GET / with no Host header.
https_port 126.96.36.199:443 accel defaultsite=188.8.131.52 vhost cert=/etc/squid/squid1_crt.pem key=/etc/squid/squid1_privatekey.pem options=NO_SSLv2,SINGLE_DH_USE cipher=HIGH
This tells Squid to also listen on port 443 for https based connections. Note the use of options and cipher to enforce strong crypto. We use the notes on CaCertSsl
to create our certificate.
Originally we had:
cache_peer 184.108.40.206 parent 80 0 no-query originserver
This defined the origin server which is necessary for a reverse proxy. In this case our origin is chavez.indymedia.org (220.127.116.11). This meant that all traffic goes over HTTP from our reverse proxy to chavez.indymedia.org.
We improved this further to:
cache_peer 18.104.22.168 parent 80 0 no-query originserver name=http_www.indymedia.org.uk
cache_peer 22.214.171.124 parent 443 0 no-query originserver ssl sslversion=4 ssloptions=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE sslcipher=HIGH sslcafile=/etc/squid/cacert.crt name=https_www.indymedia.org.uk
This defines two peers, one for http and one for https. Note that we set sslcafile to point at the CA Cert's certificate. Also note the use of sslversion, ssloptions and sslcipher to enforce strong crypto.
cache_peer_access http_www.indymedia.org.uk allow http
cache_peer_access https_www.indymedia.org.uk allow https
This specifies that access to each of the named cache peers is determined by ACLs.
acl http myport 80
acl https myport 443
This defines ACLs that match based on the port to which the client has connected.
Supporting multiple origin servers
Later we added support for twincities.indymedia.org, this required some further changes:
Fistly we defined some new ACLs:
acl twincities.indymedia.org dstdomain www2.tc.indymedia.org twincities.indymedia.org www.twincities.indymedia.org minneapolis.indymedia.org www.minneapolis.indymedia.org tc.indymedia.org www.tc.indymedia.org tc-imc.serve.com
acl uk.indymedia.org dstdomain squid1.indymedia.org uk.indymedia.org .indymedia.org.uk
This defines ACLs that match based on the Host header sent by the client. For example, the ACL uk.indymedia.org matches the squid1.indymedia.org, uk.indymedia.org and *indymedia.org.uk hosts.
Secondly we changed our cache_peer_access directives as follows:
cache_peer_access http_twincities.indymedia.org allow http twincities.indymedia.org
cache_peer_access http_www.indymedia.org.uk allow http uk.indymedia.org
cache_peer_access https_www.indymedia.org.uk allow https uk.indymedia.org
This specifies that access to each of the named cache peers is determined by ACLs including the new ones based on the Host header sent by the client.
Because the origin server only responds to the twincities.indymedia.org, our cache peer definition:
cache_peer 126.96.36.199 parent 80 0 no-query originserver name=http_twincities.indymedia.org forceddomain=twincities.indymedia.org
Includes the directive forceddomain=twincities.indymedia.org which tells Squid to rewrite the Host header on requests to the origin server to twincities.indymedia.org.
Logging or not...
logformat squid %ts.%03tu %6tr %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
This we've modified to prevent client IPs being logged by removing %>a.
Disabling forwarding of client IPs
Tuning resource usage
cache_mem 256 MB
This controls how much RAM to use for caching.
cache_dir ufs /var/squid/cache 1000 16 256
The key here is 1000. This allocates 1000Mb of disk space to Squid for caching.
maximum_object_size 512 MB
The maximum object size to keep
quick_abort_max 1 MB
If connection is aborted, don't finish download if remaining size is greater than this
refresh_pattern ^http: 1440 80% 10080 reload-into-ims
This is basically saying, consider fresh for a long time
This has the effect of reverse proxying all traffic to chavez.indymedia.org:80 allowing us to respond for any web site hosted on that web server.
Setting up a cluster of Squid reverse proxies
Adding proxy1.indymedia.org.uk to DNS records for all chavez hosted web sites
Adding further Mir web servers in addition to chavez
Squid's own notes on reverse proxies
- 06 Oct 2007
- 13 Mar 2008 - Added SSL support
- 30 Aug 2008 - Added support for multiple origin servers
- 02 Sep 2009 - Disabling X-Forwarded-For, merged stefani's notes from Operation Squid