Say you want to run multiple hosts off a single IP address. The answer is what is known as a reverse proxy. The reverse proxy will forward requests to other servers and ports. Several reverse proxy services exist.
I happeneded to be running Squid version 3.1 on Ubuntu as a reverse proxy. This is how I went about configuring that setup.
Installation
For starters you can install squid with sudo apt-get install squid3
.
This will install the service squid3
that can be stopped and started with sudo service squid3 start
and sudo service squid3 stop
respectively.
It will also install the configuration in /etc/squid3/squid.conf
. This configuration can be modified to turn Squid into a reverse proxy.
Configuration
Note, this configuration was for 3.1 of squid, some of the configuration options have since been deprecated or are no longer necessary to configure.
Step 1: Define the listening port as a reverse proxy
The first thing you need to do is set the listening port
http_port 80 accel defaultsite=www.example.com
The http_port option takes the port number to listen to as the first parameter.
The accel
parameter is used to indicate it is a reverse proxy. As of version 3.2 this always defaulted to true.
The defaultsite parameter supplies a site if the host value is not provided.
For more information on configuring the listening port, refer the squid documentation on http_port.
Step 2: Configure your network
The next step is configuring the servers inside your network. These are the machines and ports that you want to forward requests to.
cache_peer 192.168.0.157 parent 80 0 proxy-only name=ubuntu-lmr
cache_peer 192.168.0.150 parent 80 0 proxy-only name=desktop1
cache_peer 192.168.0.153 parent 2368 0 proxy-only name=ghost
cache_peer 192.168.0.152 parent 8080 0 proxy-only name=linux-dev
This option takes the form:
cache_peer hostname type proxy_port icp_port options
Specify the hostname or IP address of the server you wish to proxy connections to. Then specify the port, and the options.
The proxy-only
indicates that caching will not be performed.
The name
parameter is used to uniquely name the peer and will be used in subsequent steps.
More information about cache_peer is available on the Squid site.
Step 3: Map domains to specify peers
Now we can map domains to a specific peer by doing the folowing
- Create an access control list (ACL) for a domain
- granting http access to the ACL
- mapping an ACL to a specific peer
# *.derpturkey.com -> matches all *.derpturkey.com
acl derpturkey_acl dstdomain .derpturkey.com
http_access allow derpturkey_acl
cache_peer_access ghost allow derpturkey_acl
You see from the above example that we create an ACL called derpturkey_acl
for the destination domain *.derpturkey.com. We then grant http access to the derpturkey_acl
. Finally, we grant the access to the cache peer called ghost
, defined in step 2, to our derpturkey_acl
.
Now any request for *.derpturkey.com will get forwarded to the ghost
peer, which happens to point to 192.168.0.153:2368.
Additional rules can be defined using a similar formula.
Step 4: Additional configuration
There are few more configurations you need to specify to get things securely running. In my environment, I disable all caching, since I'm only using Squid as a reverse proxy.
# Additional ACL definitions
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl purge method PURGE
acl CONNECT method CONNECT
# Restrictions
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny all
# Disable caching
cache deny all
Full Config Example
Below is a full configuration file
# Define the listening port and default site
# Declare that virtual hosts will be used for allowing
# the reverse proxy
http_port 80 accel vhost defaultsite=www.example.com
# First we will configure the servers in our system
cache_peer 192.168.0.157 parent 80 0 proxy-only name=ubuntu-lmr
cache_peer 192.168.0.150 parent 80 0 proxy-only name=desktop1
cache_peer 192.168.0.153 parent 2368 0 proxy-only name=ghost
cache_peer 192.168.0.152 parent 8080 0 proxy-only name=linux-dev
# Create an additional ACL for local network access
acl localip src 192.168.0.0/24
# Next we will map domains to the specific systems
# 1) This is done by creating an ACL for the domain
# 2) Then granting http access to it to allow the connection
# to get through.
# 3) Then mapping an acl to the specific server
# .derpturkey.com -> matches all *.derpturkey.com
acl ghost_acl dstdomain .derpturkey.com
http_access allow ghost_acl
cache_peer_access ghost allow ghost_acl
# dev.listmill.com
acl listmill_acl dstdomain dev.listmill.com
http_access allow listmill_acl localip
cache_peer_access desktop1 allow listmill_acl
# linux development restricted to local network only
acl plerp_acl dstdomain plerp.listmill.com
http_access allow plerp_acl localip
cache_peer_access linux-dev allow plerp_acl
# Additional ACL definitions
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl purge method PURGE
acl CONNECT method CONNECT
# Restrictions
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny all
# Disable caching
cache deny all