Sohaib's Tech Blog

Something for every one

Squid as Reverse Proxy — 2013


1. Installing the Squid proxy on the server

# yum install squid

2. All configuration is done in the squid.conf file, located at /etc/squid/squid.conf

Changes:

At the ACL declarations:

These two ACLs separate HTTP from HTTPS requests by destination port. They are combined with the site ACLs in the cache_peer_access rules below, so that a peer only receives requests for the port it actually serves.

acl port443 port 443

acl port80 port 80

Port 3128 is Squid's default forward-proxy port. It is not needed for a reverse proxy, so it is left commented out:

# Squid normally listens on port 3128

#http_port 3128

# Squid listens on port 80 for the HTTP reverse proxy (accel = accelerator mode, vhost = take the origin site from the Host header)

http_port 80 accel vhost

# Squid listens on port 443 for the HTTPS reverse proxy

https_port 443 cert=/etc/squid/ssl/1.crt key=/etc/squid/ssl/1.key vhost

The certificate and key paths must be given on this directive when using the SSL port; generating those files is covered in steps 3 and 4.

##For HTTP Reverse Proxy ##

# Origin server1 is at 192.168.1.23; Squid contacts it directly as the origin rather than as another cache

cache_peer 192.168.1.23 parent 80 0 no-query no-digest originserver login=PASS name=server1

#for other Servers

#cache_peer X.X.X.X parent 80 0 no-query no-digest originserver login=PASS name=server2

#cache_peer X.X.X.X parent 80 0 no-query no-digest originserver login=PASS name=server3

To specify other caches in a hierarchy, the format is:

cache_peer hostname-or-IP type http-port icp-port [options]

parent : the peer type. A parent is a cache (here an origin server) that Squid forwards requests to. The icp-port is 0 because ICP is not used with origin servers.

originserver : causes this parent to be contacted as an origin server. Meant to be used in accelerator setups when the peer is a web server.

no-query : disables ICP queries to this neighbour.

no-digest : disables requests for this peer's cache digest.

login=PASS : passes the client's HTTP authentication credentials through to the peer unchanged, so the origin server still performs its own authentication.

name=... : the label used to refer to this peer in the cache_peer_access rules.

acl sites_server1 dstdomain www.YOURDOMAIN.com YOURDOMAIN.com

dstdomain takes bare host names, not URLs: a value written as http://www.YOURDOMAIN.com never matches, and requests for the site would fall through to the final deny rule. A leading dot (.YOURDOMAIN.com) matches the domain and all of its subdomains.

#acl sites_server2 dstdomain server2.domain.com

#acl sites_server3 dstdomain server3.domain.com

# Map each site ACL to its cache_peer (a peer only receives requests that match both the site ACL and the port ACL)

cache_peer_access server1 allow sites_server1 port80

#cache_peer_access server2 allow sites_server2 port80

#cache_peer_access server3 allow sites_server3 port80

# Allow access to the sites

http_access allow sites_server1

#http_access allow sites_server2

#http_access allow sites_server3

##For HTTPS Reverse Proxy ##

# Origin servers for HTTPS: 192.168.1.23 and the other peers are private addresses hosted inside the network (209.251.48.72 in the original comment is the public-facing side of this setup)
# sslflags=DONT_VERIFY_PEER makes Squid skip validation of the origin's certificate, so the hop from Squid to the origin is encrypted but not authenticated. That is tolerable only because the origin sits on the private network; where the origin is reachable by others, drop the flag and point sslcafile= at the CA that issued the origin's certificate.

cache_peer 192.168.1.23 parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sslserver1

# for other servers (port 443, since these peers are contacted over SSL)

#cache_peer X.X.X.X parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sslserver2

#cache_peer X.X.X.X parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sslserver3

acl sites_ssl_server1 dstdomain www.YOURDOMAIN.com

#acl sites_ssl_server2 dstdomain server2.domain.com

#acl sites_ssl_server3 dstdomain server3.domain.com

# Map each site ACL to its cache_peer

cache_peer_access sslserver1 allow sites_ssl_server1 port443

#cache_peer_access sslserver2 allow sites_ssl_server2 port443

#cache_peer_access sslserver3 allow sites_ssl_server3 port443

# Allow access to the sites

http_access allow sites_ssl_server1

#http_access allow sites_ssl_server2

#http_access allow sites_ssl_server3

## This last line is mandatory: http_access rules are evaluated in order and the first match wins, so without a final deny all the proxy would forward requests for any other site and become an open proxy. Keep it as the last http_access line.

http_access deny all

Commands to reload Squid after editing the configuration:

# /etc/init.d/squid reload

or, equivalently, ask the running daemon to re-read its configuration:

# squid -k reconfigure
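Before reloading, `squid -k parse` reports syntax errors in squid.conf, but it does not tell you whether the rules above do what this post intends. The shell script below is an added example written for this page (not code from the original post or from the Squid project): it embeds two constructed copies of the step 2 configuration, one correct and one carrying the three mistakes that are easiest to make here (a dstdomain value with http:// in it, a cache_peer_access naming a peer that was never declared, and no final deny all), and checks each file. The function names, the sample configurations and the temp-file handling are the example's own assumptions.

```shell
#!/bin/sh
# Added example for this page, not code from the original post or from
# Squid: an offline lint for the reverse-proxy squid.conf built in step 2.
# Function names, sample configs and temp-file handling are this example's own.

# Constructed sample: the post's configuration in its correct form.
write_good_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# Squid normally listens to port 3128
#http_port 3128
acl port443 port 443
acl port80 port 80
http_port 80 accel vhost
https_port 443 cert=/etc/squid/ssl/1.crt key=/etc/squid/ssl/1.key vhost
cache_peer 192.168.1.23 parent 80 0 no-query no-digest originserver login=PASS name=server1
acl sites_server1 dstdomain www.YOURDOMAIN.com YOURDOMAIN.com
cache_peer_access server1 allow sites_server1 port80
http_access allow sites_server1
cache_peer 192.168.1.23 parent 443 0 no-query no-digest originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sslserver1
acl sites_ssl_server1 dstdomain www.YOURDOMAIN.com
cache_peer_access sslserver1 allow sites_ssl_server1 port443
http_access allow sites_ssl_server1
http_access deny all
EOF
  echo "$f"
}

# Constructed sample with three faults: a dstdomain value carrying a URL
# scheme, a cache_peer_access naming a peer never declared, and no final
# "http_access deny all".
write_bad_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
http_port 80 accel vhost
cache_peer 192.168.1.23 parent 80 0 no-query no-digest originserver name=server1
acl sites_server1 dstdomain http://www.YOURDOMAIN.com
cache_peer_access server2 allow sites_server1
http_access allow sites_server1
EOF
  echo "$f"
}

# Strip comments and blank lines so the checks see only live directives.
live_lines() {
  sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# 1. The last http_access rule must be "deny all": rules are evaluated in
#    order, and a config without a trailing deny is an open proxy.
check_deny_all() {
  live_lines "$1" | awk '$1=="http_access"{ok=($2=="deny" && $3=="all")} END{if (ok) exit 0; exit 1}'
}

# 2. dstdomain ACLs take bare host names; a value with a scheme or a path
#    never matches, so the site silently falls through to deny all.
check_dstdomain_values() {
  ! live_lines "$1" | awk '$1=="acl" && $3=="dstdomain"{for(i=4;i<=NF;i++) if($i ~ /:/ || index($i,"/")>0) print $i}' | grep -q .
}

# 3. Every peer named in cache_peer_access must be declared by a cache_peer
#    line with a matching name= option.
check_peer_names() {
  declared=$(live_lines "$1" | awk '$1=="cache_peer"{for(i=2;i<=NF;i++) if($i ~ /^name=/){sub(/^name=/,"",$i); print $i}}')
  for peer in $(live_lines "$1" | awk '$1=="cache_peer_access"{print $2}'); do
    echo "$declared" | grep -qx -- "$peer" || return 1
  done
  return 0
}

# 4. List origin peers whose certificate is never verified: the hop from
#    Squid to that origin is encrypted but not authenticated.
unverified_ssl_peers() {
  live_lines "$1" | awk '$1=="cache_peer" && /DONT_VERIFY_PEER/{for(i=2;i<=NF;i++) if($i ~ /^name=/){sub(/^name=/,"",$i); print $i}}'
}

# Run every check on one file; prints findings, returns 0 only when clean.
lint_squid_conf() {
  rc=0
  check_deny_all "$1"         || { echo "FAIL: last http_access is not 'deny all' (open proxy)"; rc=1; }
  check_dstdomain_values "$1" || { echo "FAIL: a dstdomain value carries a scheme or path"; rc=1; }
  check_peer_names "$1"       || { echo "FAIL: cache_peer_access refers to an undeclared peer"; rc=1; }
  for p in $(unverified_ssl_peers "$1"); do
    echo "WARN: peer $p uses sslflags=DONT_VERIFY_PEER (origin certificate not checked)"
  done
  return $rc
}

# Stand-alone run over both constructed samples.
good=$(write_good_conf); bad=$(write_bad_conf)
echo "== correct config =="; lint_squid_conf "$good" && echo "clean"
echo "== faulty config ==";  lint_squid_conf "$bad" || echo "rejected"
rm -f "$good" "$bad"
```

Point `lint_squid_conf` at /etc/squid/squid.conf to run the same checks on the live file. The DONT_VERIFY_PEER finding is only a warning because the post relies on it for private-network origins; the three FAIL conditions are the ones worth fixing before `squid -k reconfigure`.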

3. Generating the SSL signing request

Generate a private key that identifies our server. If OpenSSL is not already installed, install it with:

yum install openssl

Then change to the directory where the certificates will be stored. In our case:

mkdir /etc/squid/ssl

cd /etc/squid/ssl

openssl genrsa -out 1.key 2048

This produces the server's private key, from which the CSR is created; the CSR is what is sent to the certificate authority in order to get the files needed to finish the setup. Next, generate the CSR in the same directory:

openssl req -new -key 1.key -out 1.csr

Send the contents of this CSR to the certificate authority, which returns the signed certificate as a .crt file. In our case we already had a key and certificate, so they were copied into the ssl folder and renamed accordingly.

The received .crt was renamed to 1.crt and placed in /etc/squid/ssl/. The private key should be readable only by the user Squid runs as.

4. Appending the CA certificate to the main certificate file (1.crt)

The following command was executed, where ssl.ca is the CA (intermediate) certificate received from the signing authority:

cat ssl.ca >> 1.crt

The order matters: the server certificate must come first in the file, followed by the CA certificate, which is exactly what appending achieves.

For testing, a self-signed certificate can be generated from the same CSR and key:

openssl x509 -req -days 3650 -in 1.csr -signkey 1.key -out selfsign.crt
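Steps 3 and 4 run end to end, added here as an example (it is not the post's own commands run verbatim, and not code from the Squid project). It works in a scratch directory rather than /etc/squid/ssl, uses -subj to skip the interactive prompts, and stands in for the commercial signing authority with a throwaway CA of its own (an assumption of the example) so the result can be checked offline: that 1.crt holds two certificates with the server certificate first, that the first certificate matches 1.key, and that the chain verifies against ssl.ca. The file names follow the post; the function names are the example's own.

```shell
#!/bin/sh
# Added example for this page, not the post's own commands nor Squid code:
# steps 3 and 4 run end to end in a scratch directory, with a throwaway CA
# standing in for the commercial signing authority (an assumption of this
# example). File names follow the post: 1.key, 1.csr, 1.crt, ssl.ca.

# Build key, CSR, stand-in CA, signed certificate, then the chained 1.crt.
# Prints the scratch directory on success.
build_squid_certs() {
  dir=$(mktemp -d)
  # Step 3: server key and CSR; -subj replaces the interactive prompts.
  openssl genrsa -out "$dir/1.key" 2048 2>/dev/null
  openssl req -new -key "$dir/1.key" -out "$dir/1.csr" \
      -subj "/CN=www.YOURDOMAIN.com" 2>/dev/null
  # Stand-in signing authority (constructed for this example only).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
      -out "$dir/ssl.ca" -days 3650 -subj "/CN=Example Test CA" 2>/dev/null
  # What the real CA sends back: the CSR signed with the CA key.
  openssl x509 -req -in "$dir/1.csr" -CA "$dir/ssl.ca" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 365 -out "$dir/1.crt" 2>/dev/null
  # Step 4: append the CA certificate after the server certificate.
  cat "$dir/ssl.ca" >> "$dir/1.crt"
  # The private key must be readable only by the account Squid runs as.
  chmod 600 "$dir/1.key"
  echo "$dir"
}

# Number of PEM certificates in a file; the chained 1.crt should hold two.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Squid serves the first certificate in cert= as its own, so that one must
# match key=. Compares the RSA modulus of the first cert with the key's.
chain_order_ok() {
  leaf_mod=$(openssl x509 -in "$1/1.crt" -noout -modulus 2>/dev/null)
  key_mod=$(openssl rsa -in "$1/1.key" -noout -modulus 2>/dev/null)
  [ -n "$leaf_mod" ] && [ "$leaf_mod" = "$key_mod" ]
}

# The check a browser performs: the served certificate chains to the CA.
chain_verifies() {
  openssl verify -CAfile "$1/ssl.ca" "$1/1.crt" >/dev/null 2>&1
}

# Stand-alone run (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
  dir=$(build_squid_certs)
  echo "certificates in 1.crt: $(cert_count "$dir/1.crt")"
  chain_order_ok "$dir" && echo "first certificate in 1.crt matches 1.key"
  chain_verifies "$dir" && echo "1.crt verifies against ssl.ca"
  echo "files left in $dir for inspection"
fi
```

With a real CA, replace the stand-in with the certificate the authority returns and keep the same two checks: `chain_order_ok` catches a 1.crt where the CA certificate was prepended instead of appended, and `chain_verifies` catches a missing intermediate before a browser does.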
