How to set up a Squid reverse proxy of Mir

See also ApacheReverseProxy

Install Squid

Debian

apt-get install squid

OpenBSD

cd /usr/ports/www/squid && make && make install

Configure Squid

The following directives will need tweaking:

http_port 80.82.245.142:80 accel defaultsite=216.32.68.26 vhost

The first ip:port is the address on which Squid listens; the defaultsite= value is the Host that Squid assumes when a request arrives without a Host header (a bare GET /).

Proxying HTTPS

https_port 80.82.245.142:443 accel defaultsite=216.32.68.26 vhost cert=/etc/squid/squid1_crt.pem key=/etc/squid/squid1_privatekey.pem options=NO_SSLv2,SINGLE_DH_USE cipher=HIGH

This tells Squid to also listen on port 443 for HTTPS connections. Note the use of options and cipher to enforce strong crypto. We use the notes on CaCertSsl to create our certificate.

Originally we had:

cache_peer 216.32.68.26 parent 80 0 no-query originserver

This defined the origin server, which a reverse proxy requires. In this case our origin was chavez.indymedia.org (216.32.68.26). This meant that all traffic went over plain HTTP from our reverse proxy to chavez.indymedia.org.

We improved this further to:

cache_peer 204.13.164.124 parent 80 0 no-query originserver name=http_www.indymedia.org.uk

cache_peer 204.13.164.124 parent 443 0 no-query originserver ssl sslversion=4 ssloptions=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE sslcipher=HIGH sslcafile=/etc/squid/cacert.crt name=https_www.indymedia.org.uk

This defines two peers, one for HTTP and one for HTTPS. Note that sslcafile points at the CA's certificate so that Squid can verify the origin server's certificate. Also note the use of sslversion, ssloptions and sslcipher to enforce strong crypto.

cache_peer_access http_www.indymedia.org.uk allow http

cache_peer_access https_www.indymedia.org.uk allow https

These lines make each named cache peer usable only for requests that match the listed ACLs.

acl http myport 80

acl https myport 443

This defines ACLs that match on the port to which the client connected.

Supporting multiple origin servers

Later we added support for twincities.indymedia.org, which required some further changes:

Firstly we defined some new ACLs:

acl twincities.indymedia.org dstdomain www2.tc.indymedia.org twincities.indymedia.org www.twincities.indymedia.org minneapolis.indymedia.org www.minneapolis.indymedia.org tc.indymedia.org www.tc.indymedia.org tc-imc.serve.com

acl uk.indymedia.org dstdomain squid1.indymedia.org uk.indymedia.org .indymedia.org.uk

This defines ACLs that match on the Host header sent by the client. For example, the ACL uk.indymedia.org matches the hosts squid1.indymedia.org and uk.indymedia.org, and, because of the leading dot, indymedia.org.uk together with every subdomain of it.

Secondly we changed our cache_peer_access directives as follows:

cache_peer_access http_twincities.indymedia.org allow http twincities.indymedia.org

cache_peer_access http_www.indymedia.org.uk allow http uk.indymedia.org

cache_peer_access https_www.indymedia.org.uk allow https uk.indymedia.org

This makes each named cache peer usable only for requests that match both the port ACL and the new Host-header ACL on its line.

Because the origin server only answers for the host name twincities.indymedia.org, our cache peer definition:

cache_peer 65.23.159.121 parent 80 0 no-query originserver name=http_twincities.indymedia.org forceddomain=twincities.indymedia.org

includes the option forceddomain=twincities.indymedia.org, which tells Squid to rewrite the Host header to twincities.indymedia.org on requests it sends to that origin server.
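To make the routing rules above easier to reason about, here is a small added model (not Squid code, and not part of the original page) of how Squid combines myport and dstdomain ACLs with cache_peer_access and forceddomain. It transcribes the page's ACLs and peers; the matching semantics are a simplified re-implementation of the documented rules, and the choice of the first allowed peer in configuration order is an assumption that ignores Squid's peer-selection details.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: a bare name matches exactly; a leading dot
    matches that domain and every subdomain beneath it."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


@dataclass
class Acl:
    kind: str          # "dstdomain" or "myport"
    values: List       # domain patterns (str) or listening ports (int)

    def matches(self, host: str, port: int) -> bool:
        if self.kind == "dstdomain":
            return any(dstdomain_match(v, host) for v in self.values)
        if self.kind == "myport":
            return port in self.values
        raise ValueError("unsupported acl type: " + self.kind)


@dataclass
class Peer:
    name: str
    address: str
    port: int
    forceddomain: Optional[str] = None
    # cache_peer_access lines for this peer as (allow?, acl names). Every ACL
    # named on one line must match for that line to apply (AND semantics).
    access: List[Tuple[bool, List[str]]] = field(default_factory=list)


def peer_allows(acls: Dict[str, Acl], peer: Peer, host: str, port: int) -> bool:
    """First matching cache_peer_access line decides. Squid's access-list
    convention when nothing matches: the opposite of the last line's action;
    a peer with no cache_peer_access lines at all is usable by everyone."""
    for allow, names in peer.access:
        if all(acls[n].matches(host, port) for n in names):
            return allow
    return (not peer.access[-1][0]) if peer.access else True


def select_peer(acls: Dict[str, Acl], peers: List[Peer], host: str, port: int):
    """Return (peer name, Host header sent upstream) for a request that arrived
    on listening port `port` asking for `host`, or None if no peer accepts it.
    Simplification (assumed): the first allowed peer in config order wins."""
    for peer in peers:
        if peer_allows(acls, peer, host, port):
            return peer.name, (peer.forceddomain or host)
    return None


# The page's ACLs and peers, transcribed from the configuration above.
ACLS = {
    "http": Acl("myport", [80]),
    "https": Acl("myport", [443]),
    "twincities.indymedia.org": Acl("dstdomain", [
        "www2.tc.indymedia.org", "twincities.indymedia.org",
        "www.twincities.indymedia.org", "minneapolis.indymedia.org",
        "www.minneapolis.indymedia.org", "tc.indymedia.org",
        "www.tc.indymedia.org", "tc-imc.serve.com"]),
    "uk.indymedia.org": Acl("dstdomain", [
        "squid1.indymedia.org", "uk.indymedia.org", ".indymedia.org.uk"]),
}

PEERS = [
    Peer("http_twincities.indymedia.org", "65.23.159.121", 80,
         forceddomain="twincities.indymedia.org",
         access=[(True, ["http", "twincities.indymedia.org"])]),
    Peer("http_www.indymedia.org.uk", "204.13.164.124", 80,
         access=[(True, ["http", "uk.indymedia.org"])]),
    Peer("https_www.indymedia.org.uk", "204.13.164.124", 443,
         access=[(True, ["https", "uk.indymedia.org"])]),
]


if __name__ == "__main__":
    # Constructed sample requests: (Host header, port the client connected to).
    for host, port in [("www.indymedia.org.uk", 80),
                       ("minneapolis.indymedia.org", 80),
                       ("minneapolis.indymedia.org", 443),
                       ("example.org", 80)]:
        print(host, port, "->", select_peer(ACLS, PEERS, host, port))
```

Two things the model makes visible: a request for a twincities host on port 443 reaches no peer at all, because only the UK site has an https peer, and a Host that matches none of the dstdomain ACLs (for example a look-alike name such as evilindymedia.org.uk, which the leading-dot pattern does not match) is routed nowhere rather than falling through to an origin server.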

Logging or not...

logformat squid %ts.%03tu %6tr %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

We modified the default logformat to stop client IPs being logged by removing the %>a (client source address) field.

Disabling forwarding of client IPs

forwarded_for off

With this off, Squid sends X-Forwarded-For: unknown to the origin server instead of the client's IP address.

Tuning resource usage

cache_mem 256 MB

This controls how much RAM Squid uses for its in-memory object cache.

cache_dir ufs /var/squid/cache 1000 16 256

The key value here is 1000: it allocates 1000 MB of disk space under /var/squid/cache to Squid for caching (16 and 256 are the numbers of first- and second-level subdirectories).

maximum_object_size 512 MB

This is the largest object Squid will store in the cache.

quick_abort_max 1 MB

If a client aborts a transfer, Squid abandons the download when more than this much of the object remains to be fetched.

refresh_pattern ^http: 1440 80% 10080 reload-into-ims

This treats any http: object as fresh for at least 1440 minutes (a day) and at most 10080 minutes (a week), and in between for 80% of the time since it was last modified; reload-into-ims turns client reloads into If-Modified-Since revalidations rather than full refetches.

Result

This has the effect of reverse proxying all traffic to chavez.indymedia.org:80 allowing us to respond for any web site hosted on that web server.
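The directives on this page were added across several revisions, so here they are assembled into one configuration as an added example; it is not the page's own squid.conf and uses the Squid 2.x/3.x option names the page uses. The explicit cache_peer_access deny lines, the http_access rules, and the access_log path are assumptions not on the page: Squid's default access policy denies requests, so an accelerator needs http_access to admit traffic, and restricting it to the fronted sites keeps a vhost listener from being used as a proxy to arbitrary hosts.

```squid
# Assembled reverse-proxy configuration (added example, not the page's squid.conf).

# Listeners. The page keeps defaultsite=216.32.68.26; with the dstdomain ACLs
# below, a request with no Host header is given that IP as its Host, matches
# no peer and is refused, so set defaultsite to a served host name if such
# requests should be answered.
http_port  80.82.245.142:80  accel defaultsite=216.32.68.26 vhost
https_port 80.82.245.142:443 accel defaultsite=216.32.68.26 vhost cert=/etc/squid/squid1_crt.pem key=/etc/squid/squid1_privatekey.pem options=NO_SSLv2,SINGLE_DH_USE cipher=HIGH

# Origin servers (cache peers), one per site and protocol.
cache_peer 204.13.164.124 parent 80  0 no-query originserver name=http_www.indymedia.org.uk
cache_peer 204.13.164.124 parent 443 0 no-query originserver ssl sslversion=4 ssloptions=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE sslcipher=HIGH sslcafile=/etc/squid/cacert.crt name=https_www.indymedia.org.uk
cache_peer 65.23.159.121  parent 80  0 no-query originserver name=http_twincities.indymedia.org forceddomain=twincities.indymedia.org

# ACLs: which listener the client hit, and which Host it asked for.
acl http  myport 80
acl https myport 443
acl twincities.indymedia.org dstdomain www2.tc.indymedia.org twincities.indymedia.org www.twincities.indymedia.org minneapolis.indymedia.org www.minneapolis.indymedia.org tc.indymedia.org www.tc.indymedia.org tc-imc.serve.com
acl uk.indymedia.org dstdomain squid1.indymedia.org uk.indymedia.org .indymedia.org.uk

# Route each (listener, Host) combination to exactly one peer. The deny lines
# are an assumed addition so that an unmatched request cannot reach a peer.
cache_peer_access http_twincities.indymedia.org allow http  twincities.indymedia.org
cache_peer_access http_twincities.indymedia.org deny  all
cache_peer_access http_www.indymedia.org.uk     allow http  uk.indymedia.org
cache_peer_access http_www.indymedia.org.uk     deny  all
cache_peer_access https_www.indymedia.org.uk    allow https uk.indymedia.org
cache_peer_access https_www.indymedia.org.uk    deny  all

# Assumed addition: admit only requests for the sites we front. "all" is
# built in from Squid 3.2 on; older releases define it with "acl all src all".
http_access allow twincities.indymedia.org
http_access allow uk.indymedia.org
http_access deny all

# Logging without client addresses (no %>a), and no client IP in
# X-Forwarded-For to the origin. The log path is an assumption.
logformat squid %ts.%03tu %6tr %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
forwarded_for off

# Cache sizing.
cache_mem 256 MB
cache_dir ufs /var/squid/cache 1000 16 256
maximum_object_size 512 MB
quick_abort_max 1 MB
refresh_pattern ^http: 1440 80% 10080 reload-into-ims
```

After editing, squid -k parse (Squid 2.6 and later) checks the file for syntax errors before a reload.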

Further ideas

Setting up a cluster of Squid reverse proxies

Adding proxy1.indymedia.org.uk to DNS records for all chavez hosted web sites

Adding further Mir web servers in addition to chavez

More information

Squid's own notes on reverse proxies

-- TimBrown - 06 Oct 2007

-- TimBrown - 13 Mar 2008 - Added SSL support

-- TimBrown - 30 Aug 2008 - Added support for multiple origin servers

-- TimBrown - 02 Sep 2009 - Disabling X-Forwarded-For, merged stefani's notes from Operation Squid
Topic revision: r5 - 02 Sep 2009, TimBrown