
Squid as a reverse proxy howto

July 7, 2009 - 5 comments

The setup :

We run a virtualization server (for example Proxmox VE) in a datacenter, and we only have 1 public IP available.
We run web servers on 2 different virtual machines inside that VM host. We want both web servers to be accessible through the public IP on port 80.

We will use the Squid Proxy to act as a “reverse proxy” (http://en.wikipedia.org/wiki/Reverse_proxy).
Squid will relay the requests to the destination depending on the hostname requested.

The machines :

Virtualization server (VM host)/Squid server : Public IP 10.20.30.40 – bridged LAN IP 172.16.5.97/255.255.0.0
VM1 : bridged LAN IP 172.16.100.25/255.255.0.0 – Hostname example.org
VM2 : bridged LAN IP 172.16.100.122/255.255.0.0 – Hostname example.net

On your client computer (optional if you already have domains) :

Edit /etc/hosts and add :

10.20.30.40 example.org
10.20.30.40 example.net

On VM1 and VM2 :

apt-get install lighttpd (or whatever web server you like)

Edit /var/www/index.lighttpd.html and replace the content of the file with “VM1” on VM1 and “VM2” on VM2.

On the VM host :

If Apache listens on port tcp/80, disable it by editing /etc/apache2/ports.conf and removing or commenting out “Listen 80”.

Install Squid :

apt-get install squid

Edit /etc/squid/squid.conf and find the http_port section, and add “http_port 80 vhost vport” :

http_port 3128
http_port 80 vhost vport

Then add the following section :

cache_peer 172.16.100.25 parent 80 0 no-query originserver name=server1
cache_peer_domain server1 example.org
cache_peer 172.16.100.122 parent 80 0 no-query originserver name=server2
cache_peer_domain server2 example.net

And then add the following ACL for our domains :

acl valid_domains dstdomain .example.org
acl valid_domains dstdomain .example.net

Allow requests to our domains by adding “http_access allow valid_domains” just before the “deny all” rule (at the end of the ACLs) :

http_access allow valid_domains
http_access deny all

Restart Squid :

/etc/init.d/squid restart

Back on your computer :

Make a request to example.org or example.net; you should see either VM1 or VM2 displayed in your browser, depending on the hostname requested.
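
The configuration above, as an added example that is not part of the original post: a simplified Python model of how the dstdomain ACL and the cache_peer_domain lines decide where a request goes. The function names and the matching rule (a leading dot covers the domain and its subdomains, no dot means the exact hostname only) are this example's assumptions about Squid's domain matching, not Squid's own code.

```python
# Added example: simplified model of the http_access / cache_peer_domain logic.
# CONF holds the directives from this howto; matching rules are an assumption.
CONF = """\
cache_peer 172.16.100.25 parent 80 0 no-query originserver name=server1
cache_peer_domain server1 example.org
cache_peer 172.16.100.122 parent 80 0 no-query originserver name=server2
cache_peer_domain server2 example.net
acl valid_domains dstdomain .example.org
acl valid_domains dstdomain .example.net
http_access allow valid_domains
http_access deny all
"""

def domain_match(host, pattern):
    """Leading dot = the domain and its subdomains; no dot = exact host only."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse(conf):
    peers, peer_domains, acls, rules = {}, {}, {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "cache_peer":
            name = next((t[5:] for t in tok if t.startswith("name=")), tok[1])
            peers[name] = tok[1]
        elif tok[0] == "cache_peer_domain":
            peer_domains.setdefault(tok[1], []).extend(tok[2:])
        elif tok[0] == "acl" and tok[2] == "dstdomain":
            acls.setdefault(tok[1], []).extend(tok[3:])
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2]))
    return peers, peer_domains, acls, rules

def route(host_header, conf=CONF):
    """Return (verdict, origin_ip); origin_ip is None when no peer is eligible."""
    peers, peer_domains, acls, rules = parse(conf)
    host = host_header.split(":")[0]   # drop an optional :port
    verdict = "deny"
    for action, acl in rules:          # first matching http_access rule wins
        if acl == "all" or any(domain_match(host, p) for p in acls.get(acl, [])):
            verdict = action
            break
    if verdict == "allow":
        for name, pats in peer_domains.items():
            if any(domain_match(host, p) for p in pats):
                return verdict, peers[name]
    return verdict, None
```

In this model `route("www.example.org")` returns `("allow", None)`: the dotted ACL admits the subdomain, but the undotted cache_peer_domain entries match only the bare hostnames, so no origin server is selected for it.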

Comments

sebastiaosantos

July 8, 2009 - 13:40

nice post.

Etienne Pouliot

July 8, 2009 - 16:12

I did a similar setup except that I used Apache instead of Squid (in French) : http://www.defitek.com/blog/2009/04/24/partager-une-adresse-ip-externe-entre-apache-et-un-autre-serveur-web/

Do you know any noticeable advantage of using Squid instead of Apache ?

Sébastien Wains

July 8, 2009 - 18:33

I think the only advantage of Squid is the caching capabilities.. I may be wrong though, I went with Squid because it’s the first thing that came up to me :-)

Riccardo Riva

July 8, 2009 - 23:25

Nice post Sebastien (as ever).
As someone said before, next time consider using Apache (with mod_proxy module loaded) to do reverse proxy, simply using virtual host on Apache configuration like the following :

[...]
ProxyPass / http://172.16.100.25/
[...]

[...]
ProxyPass / http://172.16.100.122/
[...]

You should find it here :
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Bye
Riccardo

Seb

July 9, 2009 - 9:24

Thanks for the feedback Riccardo :)
