Thursday, August 12, 2010

Configuration of SQUID Reverse Proxy


Before installing and configuring SQUID as a reverse proxy, I want to note the following points.
  1. Don’t install SQUID from packages such as rpm on Red Hat or apt-get/deb on Debian.
  2. Download the source package from the official SQUID site, then compile and install it according to your needs.
  3. For SQUID to run properly, change the ownership of the installation folder to the squid user.
  4. By default SQUID does not create the cache directory in the installation directory, so we have to create it manually, owned by the squid user, and then run squid -z for SQUID to work properly.

Don’t worry about all these points. I will explain these points once we start configuring SQUID.

So let’s start implementing SQUID on RHEL5/CentOS5.

Step1 : Remove any squid package if it’s installed by default through rpm/deb packages.
#rpm -e squid

Step2 : Download latest SQUID package from SQUID official site to some temp directory
#mkdir /temp
#cd /temp 
#wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE23.tar.gz

Step3 : Uncompress the downloaded tar.gz package.
#tar xvfz squid-2.6.STABLE23.tar.gz

Step4 : Prepare the uncompressed package for installation. If you are new to installing source packages, have a look at this post.
#cd squid-2.6.STABLE23
#./configure --prefix=/opt/squid --enable-ssl --disable-internal-dns

Let me explain the options used for the compilation.
a. --prefix=/opt/squid : installs all the squid-related files in /opt/squid. If you don’t specify this option, squid is installed in /usr by default.

b. --enable-ssl : enables SSL support in the squid server.

c. --disable-internal-dns : the most confusing option of all. It tells squid to use its own internal DNS server, which takes its input from the /etc/hosts file, and it prevents squid from using /etc/resolv.conf for name resolution.

Step5 : Install the SQUID package now.
#make
#make check
#make install

Step6 : Once it is installed successfully, we have to create the cache folder/swap folder in /opt/squid/var/logs/cache/
#/opt/squid/sbin/squid -z

Step7 : Configuring Squid

Step(7a) Open the squid.conf file and specify the http_port entry, just search for http_port in squid.conf and specify as said below.

Note : It’s good admin practice to take a backup of any file before modifying it, so copy squid.conf to a safe location and then edit the squid.conf in /opt/squid/etc/
#vi /opt/squid/etc/squid.conf
http_port 10.77.225.20:80 accel vhost

Let me explain the above line.
http_port is the option where you specify the port on which your squid server listens for incoming requests.
10.77.225.20 is the IP address of the squid machine. This should be a public IP address.
:80 is the port on which squid listens.
accel vhost is accelerator mode using the Host header for virtual domain support; vhost implies accel.

Step(7b) : Specify backend server details as follows
cache_peer 10.88.26.12 parent 80 0 no-query originserver name=server_1 login=PASS
acl sites_server_1 dstdomain web425.example.co.in
cache_peer_access server_1 allow sites_server_1

Let me explain what the above three lines mean.
The first line: cache_peer is the option used to specify the backend server IP address (10.88.26.12) and the backend web server port (80). It then tells the squid server where the query originates (originserver name=server_1) and the type of access (login=PASS specifies how to access the squid server from the backend).

The second line defines an acl (access control list) for the backend server, in this case web425.example.co.in.

The third line allows this backend server (sites_server_1) access to the squid server (server_1).

Note : The above three lines only give access for caching purposes; we have still not given http access for this site.

Step(7c) : Giving http access to backend site
acl http_accl_host1 dst web425.persistent.co.in
http_access allow http_accl_host1
The above two acl lines specify the backend server and are self-explanatory.

Step8 : Check for syntax errors in the squid config file using the following commands
#/opt/squid/sbin/squid -k check
#/opt/squid/sbin/squid -k parse

If your system didn’t throw any error, proceed to the next step; otherwise please try to debug, or write a comment on this post and I will respond.
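
A syntax check does not show whether the Step 7 rules are placed where they take effect. The shell function below is an added example, not part of the original post: it audits a squid.conf for the accelerator port, the per-peer cache_peer_access rule and the order of the http_access rules, which Squid evaluates top to bottom and stops at the first match. The function name, the finding texts and both sample files are constructed for illustration.

```sh
# Added example (not from the original post): audit the Step 7 directives.
# Prints one finding per line; no output means every check passed.
audit_accel_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 == "http_port" { for (i = 3; i <= NF; i++) if ($i == "accel") accel = 1 }
        $1 == "cache_peer" {
            name = $2; origin = 0                # unnamed peers are known by host
            for (i = 3; i <= NF; i++) {
                if ($i == "originserver") origin = 1
                if ($i ~ /^name=/) name = substr($i, 6)
            }
            if (origin) peers[name] = 1
        }
        $1 == "cache_peer_access" && $3 == "allow" { limited[$2] = 1 }
        $1 == "http_access" {                    # first matching rule wins
            rule = $2 " " $3
            if (closed) print "unreachable: http_access " rule " comes after deny all"
            if (NF == 3 && rule == "allow all") print "open: http_access allow all"
            if (NF == 3 && rule == "deny all") closed = 1
        }
        END {
            if (!accel) print "no http_port line carries the accel option"
            for (p in peers) if (!(p in limited))
                print "peer " p " has no cache_peer_access allow rule"
            if (!closed) print "http_access list has no explicit deny all"
        }
    ' "$1"
}
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed sample 1: the Step 7 lines, closed with an explicit deny all.
cat > "$tmp/good.conf" <<'EOF'
http_port 10.77.225.20:80 accel vhost
cache_peer 10.88.26.12 parent 80 0 no-query originserver name=server_1 login=PASS
acl sites_server_1 dstdomain web425.example.co.in
cache_peer_access server_1 allow sites_server_1
http_access allow sites_server_1
http_access deny all
EOF
# Constructed sample 2: allow rule pasted below deny all, peer left unrestricted.
cat > "$tmp/bad.conf" <<'EOF'
http_port 10.77.225.20:80
cache_peer 10.88.26.12 parent 80 0 no-query originserver name=server_1
acl sites_server_1 dstdomain web425.example.co.in
http_access deny all
http_access allow sites_server_1
EOF
audit_accel_conf "$tmp/good.conf"; audit_accel_conf "$tmp/bad.conf"
```

Run it against /opt/squid/etc/squid.conf after editing; the second sample shows what happens when the Step 7c lines are appended below an existing deny all rule.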

Step9 : Now Create the cache and swap related entries
#mkdir /opt/squid/var/logs/cache
#/opt/squid/sbin/squid -z
Just a clipped output for the reference…
[root@ser1 ~]# /opt/squid/sbin/squid -z
2009/12/28 19:27:57| Creating Swap Directories
[root@ser1 ~]# tail -f /opt/squid/
bin/ etc/ libexec/ sbin/ share/ var/
[root@ser1 ~]# tail -f /opt/squid/var/logs/cache.log
Memory usage for squid via mallinfo():
Total space in arena : 2516 KB
Ordinary blocks : 2454 KB 11 blks
Small blocks : 0 KB 6 blks
Holding blocks : 236 KB 1 blks
Free Small blocks : 0 KB
Free Ordinary blocks : 61 KB
Total in use : 2690 KB 98%
Total free : 61 KB 2%
2009/12/28 15:12:16| Squid Cache (Version 2.6.STABLE23): Exiting normally.

Step10 : Working on DNS related stuff.

Step(10a) : Specify the backend server related info in the /etc/hosts file
10.88.26.12 web425.example.com web425

Step(10b) : Please remove the /etc/resolv.conf file entries, if any, to disable DNS queries to the DNS server.
The step below is an important step in configuring the reverse proxy.

Step(10c) : Please specify the entries for the backend servers in your DNS servers, so that anyone accessing the site from outside your network is directed to your reverse proxy server, which will serve the backend web content.
So in DNS, the web425.example.co.in entry should point to your reverse proxy server IP address.

Step11 : Change the ownership of /opt/squid to the squid user
#chown squid:squid -R /opt/squid

Step12 : Starting the Squid reverse proxy
#/opt/squid/sbin/squid -D
-D is the option to disable external DNS server entries.