Recently my boss assigned me to work on SQUID reverse proxy. I thought it’s an easy task and started working on it. But when days started going on, I realised that it’s not going to happen in a night. And at last I found the solution some two days back. This post is about How to implement SQUID as a reverse proxy? If you want to know more about for what purpose we require reverse proxy and which reverse proxy is good please refer my other post here.
Before Installing and configuring SQUID as reverse proxy I just want to add the below point(s).
- Don’t install SQUID from package installations such as rpm in Redhat and apt-get/deb in Debain.
- Download the source package from squid official site, then compile it and install it according to your needs.
- In order to SQUID run perfectly please change the ownership of the installation folder to squid.
- By default SQUID will not create cache directory in the installation directory, so we have to create it manually with ownership as squid user and we have to execute squid –z in order to SQUID work properly which will create.
Don’t worry about all these points. I will explain these points once we start configuring SQUID.
Prerequired packages:
1)gcc compiler
2)openSSL
So let’s start how to implement SQUID on RHEL5/CENTOS5
Step1 : Remove any squid package if it’s installed by default through rpm/deb packages.
#rpm –e squid
Step2 : Download latest SQUID package from SQUID official site to some temp directory
#mkdir /temp
#cd /temp
#wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE23.tar.gz
Step3 : Uncompress the downloaded tar.gz package.
#tar xvfz squid-2.6.STABLE23.tar.gz
Step4 : Prepare the uncompressed package for installation. If you are new to installing source package have a look in to this post.
#cd squid-2.6.STABLE23
#./configure –prefix=/opt/squid –enable-ssl –disable-internal-dns –with-openssl
Let me explain the options used for the compilation.
a. –prefix=/opt/squid This option tells that install all the squid related files in /opt/squid, if you don’t specify this option by default squid will be installed in /usr.
b. –enable-ssl this option is used for supporting SSL in squid server.
c.–disable-internal-dns most confusing option of all, this will tell squid to use it’s own internal DNS server which will take inputs from /etc/hosts file, it will block squid to use /etc/resovl.conf for name resolution.
d. –with-openssl will enable openSSL properties on squid
d. –with-openssl will enable openSSL properties on squid
Step5 : Install the SQIUD package now.
#make
#make check
#make install
Step6: Once compiled properly Create squid user(A normal user) if the squid user is not there
#useradd squid
Step7: Specify the effective user entry in squid.conf file with squid as username by editing it.
#vi /opt/squid/etc/squid.conf
change the entry from
# cache_effective_user nouser
to
cache_effective_user squid
Save the file and exit now
Step8: Now change the owner ship of the cache folder to squid user
#chown -R squid.squid /opt/squid/var/cache
Step9 : Once installed successfully we have to create cache folder/swap folder in /opt/squid/var/log/cache/
#/opt/squid/sbin/squid –z
Step10 : Configuration Squid
Step(10a) : Open the squid.conf file and specify the http_port entry, just search for http_port in squid.conf and specify as said
below.
below.
Note : It’s a good practice in admin activity to take backup of any file before modifying it, so just copy the squid.conf to a safe location and then edit the squid.conf in /opt/squid/etc/
#vi /opt/squid/etc/squid.conf
http_port 10.77.225.20:80 accel vhost
Let me explain above line
http_port is the option where you can specify on which port your squid server will listen for incoming requests.
10.77.225.20 is the ip address of the squid machine. This should be a public ip address.
:80 is the port where the squid listen.
accel vhost is accelerator mode using Host header for virtual domain support. Implies accel.
Step(10b) : Specify backend server details as follows
cache_peer 10.88.26.12 parent 80 0 no-query originserver name=server_1 login=PASS
acl sites_server_1 dstdomain web425.example.co.in
cache_peer_access server_1 allow sites_server_1
Let me explain what actually the above three lines meant for.
First line specifies cache_peer is the option used to specify the backend server ip address(10.88.26.12)
back end webserver port(80) then just say to squid server, from where the quiery is originating.(originservername=server_1)
type of access(login=pass is used to specify how to access squid server from backend)
Second line specifies acl(access control list for the backend server here in this case it is web425.example.co.in)
Third line specifies allowing of this backend server(sites_server_1) to squid server(server_1).
Note : Make a note that above 3 lines for giving access to cache purpose, still we did not give http access for this site.
Step(10c) : Giving http access to backend site
acl http_accl_host1 dst web425.persistent.co.in
http_access allow http_accl_host1
The above two acl’s are used to specify backend server and it’s self explanatory.
Step11 : Check any syntax errors are there in the squid config file by using following command
#/opt/squid/sbin/squid -k check
#/opt/squid/sbin/squid -k parse
#/opt/squid/sbin/squid -k parse
If your system didn’t throw any error then proceed to next step, otherwise please try to debug or write a comment on this will respond to you people.
Step12 : Now Create the cache and swap related entries
#mkdir /opt/squid/var/logs/cache
#/opt/squid/sbin/squid –z
Just a clipped output for the reference…
#[root@ser1 ~]# /opt/squid/sbin/squid -z
2009/12/28 19:27:57| Creating Swap Directories
[root@ser1 ~]# tail -f /opt/squid/
bin/ etc/ libexec/ sbin/ share/ var/
[root@ser1 ~]# tail -f /opt/squid/var/logs/cache.log
Memory usage for squid via mallinfo():
Total space in arena : 2516 KB
Ordinary blocks : 2454 KB 11 blks
Small blocks : 0 KB 6 blks
Holding blocks : 236 KB 1 blks
Free Small blocks : 0 KB
Free Ordinary blocks : 61 KB
Total in use : 2690 KB 98%
Total free : 61 KB 2%
2009/12/28 15:12:16| Squid Cache (Version 2.6.STABLE23): Exiting normally.
Step13 : Working on DNS related stuff.
Step(13a) : Specify the backend servers related info in /etc/hosts file10.88.26.12 web425.example.com web425.
Step(13b) : Please remove the /etc/resolve.conf file entries if any, to disable dns queries to DNS server.
The below step is important step in configuring revers proxy.
Step(13c ) : Please specify the entries for the backend servers in your DNS servers. So that if any one accessing from outside of your network they should be redirected to your reverse proxy server which will serve you the backend web content.
So in DNS web425.example.co.in entry should be redirected to your reverse proxy server IP address.
Step14 : Change the ownership permissions of /opt/squid to squid user
#chown squid:squid –R /opt/squid
Step15 : Starting Squid reverse proxy
#/opt/squid/sbin/squid –D
-D is the option to disable external DNS server entries.
Please follow for other related topics such as troubleshooting reverse proxy server in my next posts:-)