squid – reverse proxy

Great guide here – http://www.classhelper.org/articles/reverse-proxy-server-squid-debian/installing-squid-proxy-server.shtml

I’ve modified slightly for Ubuntu, but almost identical.

apt-get install squid
cp /etc/squid3/squid.conf /etc/squid3/squid.bak
rm /etc/squid3/squid.conf
nano /etc/squid/squid.conf

http_port 80 defaultsite=www.yoursite.com vhost
forwarded_for on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
cache_peer 192.168.0.13 parent 80 0 no-query no-digest originserver name=web1
acl sites_web1 dstdomain www.yoursite.com yoursite.com
cache_peer_access web1 allow sites_web1
cache_peer 192.168.0.14 parent 80 0 no-query no-digest originserver name=web2
acl sites_web2 dstdomain www.anothersite.com anothersite.com
cache_peer_access web2 allow sites_web2
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access allow sites_web1
http_access allow sites_web2
http_access allow manager all
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny all
access_log /var/log/squid3/access.log
cache_mgr support@yoursite.com

 

Modify your hosts file to include web1 and web2

nano /etc/hosts

192.168.0.13 web1
192.168.0.14 web2

Another good article about benefits of reverse proxy

http://2bits.com/articles/increasing-drupals-speed-squid-caching-reverse-proxy.html

Using netsh to create a transparent proxy

There are some good windows web proxies about. The only problem with them is they sometimes dont natively act as a transparent proxy. i.e. typically you’ll need to set your client machines to a specific IP and port.

I’ve used squid historically when setting up transparent proxies (mainly since it actually has a transparent mode) and this has worked well. Recently i thought i’d have a go at some of the windows solutions to see how they pan out.

netsh is going to be the tool to assist in this case. Here is a typical use for netsh;

netsh

>add v4tov4 listenport=80 connectaddress=127.0.0.1  connectport=8080

This should grab all traffic that hits your machine bound for port 80 and redirect to port 8080.

You’ll also need to make sure that routing is enabled, so your machine can act as a gateway between the requests and the real outbound gateway (typically your dsl modem)

squid – your transparent proxy friend

Still my favourite light and fast web proxy is Squid. Its very easy to setup and get running on almost all flavours of linux. You can find it here http://www.squid-cache.org/ but will probably find it in your local package manager…

This is for more my own reference… as i don’t think too many people have the need for a transparent proxy. You only need one NIC configured on your VM / machine as its most probably on the same subnet as your dsl etc…

1. Setup squid working as a proxy first!

Set the default gateway on the NIC to your router. I also added a default route 0.0.0.0 sub 0.0.0.0 to the router also just in case the default route didn’t work. But seemed to!

Setup DNS! remember you should be able to resolve a name to an IP without issues (can cause most of the problems) Point your default DNS to your router (most have built in DNS forwarders), else you can just use your ISP’s DNS’s

2. Change the squid.config to have the necessary changes to act as a transparent proxy;

nano /etc/squid/squid.conf

http_port 3128 transparent

3. Put this into the startup script; (usually in rc.d under etc) rc.local

iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-port 3128

This redirects standard tcp requests to 3128 (squid’s port)… transparent to user

4. Ensure that IP forwarding is ENABLED;

change ip_forward from 0 to 1 (usually a txt file somewhere with 0 in it), do a search and you will find it… most probably in the ipv4 directory. This way all 443 (https and other apps) can forward to the web without issue…

echo 1 > /proc/sys/net/ipv4/ip_forward

Should be it…. else good luck!

Update: I have done an updated post about configuring open solaris as a transparent proxy here : http://sigtar.com/2009/04/22/opensolaris-configuring-squid-as-transparent-proxy/