Say you want to serve multiple hosts from a single IP address. The usual answer is a reverse proxy: a server that accepts every request on the shared address and forwards it to the right backend server and port, normally chosen from the request's Host header. Several reverse proxy packages exist.
I happened to be running Squid 3.1 on Ubuntu as a reverse proxy. This is how I went about configuring that setup.
For starters, install Squid with

sudo apt-get install squid3

This installs the squid3 service, which can be started and stopped with

sudo service squid3 start
sudo service squid3 stop

It also installs the configuration file /etc/squid3/squid.conf, which is what you modify to turn Squid into a reverse proxy.
Note: this configuration is for Squid 3.1; some of the options have since been deprecated or no longer need to be set.
Step 1: Define the listening port as a reverse proxy
The first thing you need to do is set the listening port:
http_port 80 accel defaultsite=www.example.com
The http_port option takes the port number to listen on as its first parameter.
The accel parameter puts the port in accelerator (reverse proxy) mode; without it, http_port gives you an ordinary forward proxy. The related vhost option, used in the full example at the end, makes Squid take the site from the request's Host header, which is what lets one port front several domains; from Squid 3.2 on that behaviour is the default and the vhost option is deprecated.
The defaultsite parameter supplies the domain to use when the request carries no Host header.
For more information on configuring the listening port, refer to the Squid documentation on http_port.
Step 2: Configure your network
The next step is configuring the servers inside your network: the machines and ports you want to forward requests to.

cache_peer 192.168.0.157 parent 80 0 proxy-only name=ubuntu-lmr
cache_peer 192.168.0.150 parent 80 0 proxy-only name=desktop1
cache_peer 192.168.0.153 parent 2368 0 proxy-only name=ghost
cache_peer 192.168.0.152 parent 8080 0 proxy-only name=linux-dev

This option takes the form:

cache_peer hostname type proxy_port icp_port options

Specify the hostname or IP address of the server you wish to proxy connections to, the peer type (parent here), the port the backend listens on, the ICP port (0 here, since ICP is not used between a reverse proxy and its backends) and any options.
The proxy-only option tells Squid not to keep a local copy of objects fetched from this peer.
The name option gives the peer a unique name, which is used in the subsequent steps.
More information about cache_peer is available on the Squid site.
Step 3: Map domains to specific peers
Now we can map domains to a specific peer by doing the following:
- Create an access control list (ACL) for the domain
- Grant http access to the ACL
- Map the ACL to a specific peer

# .derpturkey.com -> matches all *.derpturkey.com
acl derpturkey_acl dstdomain .derpturkey.com
http_access allow derpturkey_acl
cache_peer_access ghost allow derpturkey_acl
You see from the above example that we create an ACL called derpturkey_acl for the destination domain .derpturkey.com; the leading dot matches the domain itself and every subdomain, whereas a dstdomain value without it matches that exact name only. We then grant http access to derpturkey_acl. Finally, cache_peer_access lets requests matching derpturkey_acl use the cache peer called ghost, defined in step 2.
Now any request for *.derpturkey.com is forwarded to the ghost peer, which happens to point to 192.168.0.153:2368. Keep in mind that a peer with no cache_peer_access line at all remains eligible for every request, and Squid's default parent selection takes the first eligible parent in config order, so once your mappings are complete, give each remaining peer its own cache_peer_access rule (a deny-all rule for peers that should receive nothing) rather than leaving it open.
Additional rules can be defined using a similar formula.
Step 4: Additional configuration
There are a few more settings you need to specify to get things running securely. In my environment I also disable all caching, since I'm only using Squid as a reverse proxy. The manager and PURGE rules, and above all the closing http_access deny all, are what keep the box from being usable as an open proxy for arbitrary domains. Note that http_access lines are evaluated in order and the first match wins: rules placed after the domain allows only apply to requests those lines did not already accept, so a PURGE for one of your own domains from any client is let through by the allow line for that domain before the deny purge rule is reached. If you want the PURGE restriction enforced for your domains too, put the manager and purge rules ahead of the domain allows (and keep deny all last).

# Additional ACL definitions
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl purge method PURGE
acl CONNECT method CONNECT

# Restrictions
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny all

# Disable caching
cache deny all
Full Config Example
Below is the full configuration file:

# Define the listening port and default site
# Declare that virtual hosts will be used for allowing
# the reverse proxy
http_port 80 accel vhost defaultsite=www.example.com

# First we will configure the servers in our system
cache_peer 192.168.0.157 parent 80 0 proxy-only name=ubuntu-lmr
cache_peer 192.168.0.150 parent 80 0 proxy-only name=desktop1
cache_peer 192.168.0.153 parent 2368 0 proxy-only name=ghost
cache_peer 192.168.0.152 parent 8080 0 proxy-only name=linux-dev

# Create an additional ACL for local network access
acl localip src 192.168.0.0/24

# Next we will map domains to the specific systems
# 1) This is done by creating an ACL for the domain
# 2) Then granting http access to it to allow the connection
#    to get through.
# 3) Then mapping an acl to the specific server

# .derpturkey.com -> matches all *.derpturkey.com
acl ghost_acl dstdomain .derpturkey.com
http_access allow ghost_acl
cache_peer_access ghost allow ghost_acl

# dev.listmill.com
acl listmill_acl dstdomain dev.listmill.com
http_access allow listmill_acl localip
cache_peer_access desktop1 allow listmill_acl

# linux development restricted to local network only
acl plerp_acl dstdomain plerp.listmill.com
http_access allow plerp_acl localip
cache_peer_access linux-dev allow plerp_acl

# Additional ACL definitions
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl purge method PURGE
acl CONNECT method CONNECT

# Restrictions
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny all

# Disable caching
cache deny all
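To see what a config like the one above actually decides before loading it into Squid, here is an added example (mine, not part of the original post and not Squid code): a Python dry run of the subset of squid.conf used on this page. The config text inside it is a constructed copy of the full example, trimmed to three peers and split into pieces so the order of the http_access lines can be changed. The evaluator follows Squid's documented access-list semantics (all ACLs on a line must match, first matching line wins, no match gives the opposite of the last line) and Squid's default parent selection (first eligible parent in config order), but it is a simplification: no round-robin or weighted peers, no ICP, no Host-header verification, and only the src, dstdomain and method ACL types.

```python
"""Offline dry run of the Squid reverse-proxy rules on this page (added
example, not part of the original post and not Squid code). It models the
subset of squid.conf used above and Squid's access-list semantics: every
ACL on a line must match (AND), the first matching line wins, no match
gives the opposite of the last line, and the parent chosen is the first
eligible one in config order (Squid's default; no round-robin modelled)."""
import ipaddress

# Constructed copy of the page's full config, split so rule order can vary;
# ACL and peer definitions come first so that either order is valid.
ACLS_AND_PEERS = """
http_port 80 accel vhost defaultsite=www.example.com
cache_peer 192.168.0.157 parent 80 0 proxy-only name=ubuntu-lmr
cache_peer 192.168.0.150 parent 80 0 proxy-only name=desktop1
cache_peer 192.168.0.153 parent 2368 0 proxy-only name=ghost
acl all src all
acl localhost src 127.0.0.1/32
acl localip src 192.168.0.0/24
acl purge method PURGE
acl ghost_acl dstdomain .derpturkey.com
acl listmill_acl dstdomain dev.listmill.com
"""
MAPPINGS = """
http_access allow ghost_acl
cache_peer_access ghost allow ghost_acl
http_access allow listmill_acl localip
cache_peer_access desktop1 allow listmill_acl
"""
RESTRICTIONS = "http_access allow purge localhost\nhttp_access deny purge\n"
DENY_ALL = "http_access deny all\n"
PAGE_ORDER = ACLS_AND_PEERS + MAPPINGS + RESTRICTIONS + DENY_ALL
# Same rules with the PURGE restriction ahead of the domain allows and the
# otherwise unrestricted first peer fenced off.
HARDENED_ORDER = (ACLS_AND_PEERS + RESTRICTIONS + MAPPINGS
                  + "cache_peer_access ubuntu-lmr deny all\n" + DENY_ALL)


def parse(text):
    conf = {"acls": {}, "http_access": [], "peers": [], "peer_access": {},
            "defaultsite": None}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        directive, args = words[0], words[1:]
        if directive == "http_port":
            opts = dict(o.split("=", 1) for o in args if "=" in o)
            conf["defaultsite"] = opts.get("defaultsite")
        elif directive == "acl":  # repeated lines for one name accumulate
            conf["acls"].setdefault(args[0], (args[1], []))[1].extend(args[2:])
        elif directive == "http_access":
            conf["http_access"].append((args[0], args[1:]))
        elif directive == "cache_peer":  # keep peers in config order
            conf["peers"].append([o[5:] for o in args if o.startswith("name=")][0])
        elif directive == "cache_peer_access":
            conf["peer_access"].setdefault(args[0], []).append((args[1], args[2:]))
        else:
            raise ValueError("directive not modelled: " + directive)
    return conf


def acl_matches(conf, name, req):
    kind, values = conf["acls"][name]
    if kind == "src":
        return "all" in values or any(
            ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False)
            for v in values)
    if kind == "dstdomain":
        # accel+vhost takes the domain from the Host header; defaultsite fills
        # in when none was sent. A leading dot matches the domain and all of
        # its subdomains, without the dot the match is exact.
        host = (req["host"] or conf["defaultsite"]).split(":")[0].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "method":
        return req["method"].upper() in [v.upper() for v in values]
    raise ValueError("acl type not modelled: " + kind)


def check_list(conf, rules, req, default):
    # first line whose ACLs all match wins; otherwise the opposite of the
    # last line, or `default` when the list is empty
    for action, names in rules:
        if all(acl_matches(conf, n, req) for n in names):
            return action
    return default if not rules else ("deny" if rules[-1][0] == "allow" else "allow")


def route(conf_text, src, host, method="GET"):
    """Return ("deny", None) or ("allow", peer-name) for one request."""
    conf = parse(conf_text)
    req = {"src": src, "host": host, "method": method}
    if check_list(conf, conf["http_access"], req, "deny") == "deny":
        return ("deny", None)
    for peer in conf["peers"]:  # a peer with no cache_peer_access lines takes all
        if check_list(conf, conf["peer_access"].get(peer, []), req, "allow") == "allow":
            return ("allow", peer)
    return ("allow", None)  # no eligible parent: Squid would try DIRECT


if __name__ == "__main__":
    for label, text in (("page order", PAGE_ORDER), ("hardened", HARDENED_ORDER)):
        print(label, route(text, "203.0.113.5", "blog.derpturkey.com"),
              route(text, "203.0.113.5", "derpturkey.com", method="PURGE"))
```

Running it shows the two points from steps 3 and 4: with the rules in the page's order a request for blog.derpturkey.com is accepted, but lands on ubuntu-lmr, the first peer, because that peer has no cache_peer_access line, and a PURGE for derpturkey.com from an outside address is accepted as well, because the domain allow is matched before deny purge. With the restrictions moved up and ubuntu-lmr given a deny rule, the same request goes to ghost and the outside PURGE is refused, while a PURGE from 127.0.0.1 still gets through. The dev.listmill.com entries show the AND on one http_access line (outside clients are denied, 192.168.0.x clients reach desktop1) and the exact match of a dstdomain without a leading dot.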