How to set up a Squid reverse proxy of Mir

See also ApacheReverseProxy

Install Squid

Debian

apt-get install squid

OpenBSD

cd /usr/ports/www/squid && make && make install

Configure Squid

The following directives will need tweaking:

http_port 80.82.245.142:80 accel defaultsite=216.32.68.26 vhost

The first ip:host is where we will listen, the defaultsite=ip is what will be returned on a straight GET / with no Host header.

Proxying HTTPS

https_port 80.82.245.142:443 accel defaultsite=216.32.68.26 vhost cert=/etc/squid/squid1_crt.pem key=/etc/squid/squid1_privatekey.pem options=NO_SSLv2,SINGLE_DH_USE cipher=HIGH

This tells Squid to also listen on port 443 for https based connections. Note the use of options and cipher to enforce strong crypto. We use the notes on CaCertSsl to create our certificate.

Originally we had:

cache_peer 216.32.68.26 parent 80 0 no-query originserver

This defined the origin server which is necessary for a reverse proxy. In this case our origin is chavez.indymedia.org (216.32.68.26). This meant that all traffic goes over HTTP from our reverse proxy to chavez.indymedia.org.

We improved this further to:

cache_peer 204.13.164.124 parent 80 0 no-query originserver name=http_www.indymedia.org.uk

cache_peer 204.13.164.124 parent 443 0 no-query originserver ssl sslversion=4 ssloptions=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE sslcipher=HIGH sslcafile=/etc/squid/cacert.crt name=https_www.indymedia.org.uk

This defines two peers, one for http and one for https. Note that we set sslcafile to point at the CA Cert's certificate. Also note the use of sslversion, ssloptions and sslcipher to enforce strong crypto.

cache_peer_access http_www.indymedia.org.uk allow http

cache_peer_access https_www.indymedia.org.uk allow https

This specifies that access to each of the named cache peers is determined by ACLs.

acl http myport 80

acl https myport 443

This defines ACLs that match based on the port to which the client has connected.

Supporting multiple origin servers

Later we added support for twincities.indymedia.org, this required some further changes:

Fistly we defined some new ACLs:

acl twincities.indymedia.org dstdomain www2.tc.indymedia.org twincities.indymedia.org www.twincities.indymedia.org minneapolis.indymedia.org www.minneapolis.indymedia.org tc.indymedia.org www.tc.indymedia.org tc-imc.serve.com

acl uk.indymedia.org dstdomain squid1.indymedia.org uk.indymedia.org .indymedia.org.uk

This defines ACLs that match based on the Host header sent by the client. For example, the ACL uk.indymedia.org matches the squid1.indymedia.org, uk.indymedia.org and *indymedia.org.uk hosts.

Secondly we changed our cache_peer_access directives as follows:

cache_peer_access http_twincities.indymedia.org allow http twincities.indymedia.org

cache_peer_access http_www.indymedia.org.uk allow http uk.indymedia.org

cache_peer_access https_www.indymedia.org.uk allow https uk.indymedia.org

This specifies that access to each of the named cache peers is determined by ACLs including the new ones based on the Host header sent by the client.

Because the origin server only responds to the twincities.indymedia.org, our cache peer definition:

cache_peer 65.23.159.121 parent 80 0 no-query originserver name=http_twincities.indymedia.org forceddomain=twincities.indymedia.org

Includes the directive forceddomain=twincities.indymedia.org which tells Squid to rewrite the Host header on requests to the origin server to twincities.indymedia.org.

Logging or not...

logformat squid %ts.%03tu %6tr %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

This we've modified to prevent client IPs being logged by removing %>a.

Disabling forwarding of client IPs

forwarded_for off

Tuning resource usage

cache_mem 256 MB

This controls how much RAM to use for caching.

cache_dir ufs /var/squid/cache 1000 16 256

The key here is 1000. This allocates 1000Mb of disk space to Squid for caching.

maximum_object_size 512 MB

The maximum object size to keep

quick_abort_max 1 MB

If connection is aborted, don't finish download if remaining size is greater than this

refresh_pattern ^http: 1440 80% 10080 reload-into-ims

This is basically saying, consider fresh for a long time

Result

This has the effect of reverse proxying all traffic to chavez.indymedia.org:80 allowing us to respond for any web site hosted on that web server.

Further ideas

Setting up a cluster of Squid reverse proxies

Adding proxy1.indymedia.org.uk to DNS records for all chavez hosted web sites

Adding further Mir web servers in addition to chavez

More information

Squid's own notes on reverse proxies

-- TimBrown - 06 Oct 2007

-- TimBrown - 13 Mar 2008 - Added SSL support

-- TimBrown - 30 Aug 2008 - Added support for multiple origin servers

-- TimBrown - 02 Sep 2009 - Disabling X-Forwarded-For, merged stefani's notes from Operation Squid

Topic revision: r5 - 02 Sep 2009 - 19:27:04 - TimBrown
 
This site is powered by FoswikiCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback