Reverse Proxy with Squid and multiple virtual hosts
This post documents the steps I took to configure Squid as a reverse proxy with LDAP authentication. On top of that, the Squid reverse proxy has to handle virtual hosts as well. A Google search turned up no exact match for this requirement, so I worked one out myself.
I have three physical web servers but only one public IP.
Here are my requirements:
1. All three web servers have to listen on port 80 and must be reachable from the internet.
2. Some web sites need authentication and some do not.
3. One of the web servers hosts two virtual hosts, and both must be reachable from the internet.
After combining knowledge from several pages, these are the lines I added to squid.conf:
# LDAP basic authentication: the helper looks up uid=<user> under the base DN on ldap.example.com
auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com
auth_param basic children 30
auth_param basic realm Please authenticate yourself
auth_param basic credentialsttl 1 hours
# One dstdomain ACL per backend; sites1 covers both virtual hosts on server1
acl sites1 dstdomain site1.example.com site2.example.com
acl sites2 dstdomain site3.example.com
acl sites3 dstdomain site4.example.com
acl ldapauth proxy_auth REQUIRED
# Only the sites1 domains require a valid LDAP login; the other two are open
http_access allow sites1 ldapauth
http_access allow sites2
http_access allow sites3
# Explicit final deny; Squid's implicit default is the opposite of the last rule, this just makes it visible
http_access deny all
# Accept any Host: header on port 80 and route requests by domain
http_port 80 accel defaultsite=www.example.com vhost
cache_peer 10.1.1.1 parent 80 0 no-query originserver name=server1
cache_peer_domain server1 site1.example.com site2.example.com
cache_peer 10.1.1.2 parent 8080 0 no-query originserver name=server2
cache_peer_domain server2 site3.example.com
cache_peer 10.1.1.3 parent 80 0 no-query originserver name=server3
cache_peer_domain server3 site4.example.com
# Pin each peer to its own ACL; the ACL names here must match the acl lines above exactly,
# otherwise Squid refuses to start with an "undefined ACL" error
cache_peer_access server1 allow sites1
cache_peer_access server1 deny all
cache_peer_access server2 allow sites2
cache_peer_access server2 deny all
cache_peer_access server3 allow sites3
cache_peer_access server3 deny all
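A mistake that is easy to make in a fragment like the one above is referencing an ACL name that no acl line defines (the cache_peer_access lines as originally posted said site1/site2/site3 while the acls were named sites1/sites2/sites3), and Squid will not start on that. The following shell script is an added example, not part of the original post: it lints a squid.conf for http_access and cache_peer_access references to undefined ACLs. It assumes the built-in "all" ACL (Squid 3.2 and later; older releases define it with "acl all src all" in the stock config) and does not follow include directives. The two sample fragments are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: lint squid.conf ACL references.
# Squid refuses to start when an http_access or cache_peer_access line names
# an ACL that no "acl" line defines, so catching that before a reload matters.

# check_acl_refs FILE
# Prints each undefined ACL name once, in order of first use; exit 1 if any.
check_acl_refs() {
    awk '
        /^[ \t]*#/ { next }                          # comment lines
        $1 == "acl" { defined[$2] = 1; next }        # acl NAME type args...
        $1 == "http_access" || $1 == "cache_peer_access" {
            # http_access ACTION acl... / cache_peer_access PEER ACTION acl...
            first = ($1 == "http_access") ? 3 : 4
            for (i = first; i <= NF; i++) {
                name = $i
                sub(/^!/, "", name)                  # "!name" negates, still a reference
                if (name == "all") continue          # assumed built-in (Squid 3.2+)
                if (!(name in defined) && !(name in seen)) {
                    seen[name] = 1
                    print name
                    bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# lint_fragment: read a squid.conf fragment on stdin and lint it via a temp file.
lint_fragment() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    rc=0
    check_acl_refs "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample 1: the ACL and peer lines as originally posted, where
# cache_peer_access names site1/site2/site3 but the acls are sites1/sites2/sites3.
lint_sample_broken() {
    lint_fragment <<'EOF'
acl sites1 dstdomain site1.example.com site2.example.com
acl sites2 dstdomain site3.example.com
acl sites3 dstdomain site4.example.com
acl ldapauth proxy_auth REQUIRED
http_access allow sites1 ldapauth
http_access allow sites2
http_access allow sites3
cache_peer_access server1 allow site1
cache_peer_access server1 deny all
cache_peer_access server2 allow site2
cache_peer_access server2 deny all
cache_peer_access server3 allow site3
cache_peer_access server3 deny all
EOF
}

# Constructed sample 2: the same lines with consistent ACL names.
lint_sample_fixed() {
    lint_fragment <<'EOF'
acl sites1 dstdomain site1.example.com site2.example.com
acl sites2 dstdomain site3.example.com
acl sites3 dstdomain site4.example.com
acl ldapauth proxy_auth REQUIRED
http_access allow sites1 ldapauth
http_access allow sites2
http_access allow sites3
http_access deny all
cache_peer_access server1 allow sites1
cache_peer_access server1 deny all
cache_peer_access server2 allow sites2
cache_peer_access server2 deny all
cache_peer_access server3 allow sites3
cache_peer_access server3 deny all
EOF
}

# Stand-alone run: the first call prints site1, site2, site3 and exits 1; the second prints nothing.
rc=0; lint_sample_broken || rc=$?; echo "broken fragment exit status: $rc"
rc=0; lint_sample_fixed  || rc=$?; echo "fixed fragment exit status: $rc"
```

To lint a live configuration, call check_acl_refs /etc/squid/squid.conf before running squid -k reconfigure; an exit status of 1 with names printed means the reload would fail.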
Troubleshooting:
LDAP authentication is not working, does not succeed, or fails to authenticate.
This line may differ on your system; replace the squid_ldap_auth binary path with the correct one.
auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com
If the binary path is correct, run the following command at the server console:
/usr/lib64/squid/squid_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com
After it starts you get a blank line: type your user name, then a space followed by the password, and press Enter.
If the reply is OK, authentication succeeded; if not, you have to adjust the base DN and the filter, and you might also need to add the parameters that bind first before performing the search.
Running the squid_ldap_auth binary without any parameter shows the available options.
For your information, I did this on a CentOS machine; if it does not work for your distribution, you might need to find another article.
Sorry for not explaining the details; if you need to know what each line does, please refer to the following sites:
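The console test above is the helper protocol Squid itself uses: one "username password" line in, one line starting with OK or ERR out. Squid 3 URL-encodes both fields, so a password containing a space must be typed as %20 when testing by hand. The following shell wrapper is an added example, not part of the original post: it drives any basic-auth helper non-interactively and reports the verdict, which is handy in a health check. Since no LDAP server is reachable here, the demo writes a constructed stand-in helper that accepts exactly one account and speaks the same protocol; the real invocation with the post's CentOS path is shown in a comment.

```shell
#!/bin/sh
# Added example, not from the original post: test a Squid basic-auth helper
# such as squid_ldap_auth non-interactively instead of typing at the console.

# check_helper HELPER USER PASSWORD [HELPER ARGS...]
# Prints the first word of the helper's reply (OK, ERR, or NO-REPLY when the
# helper printed nothing) and returns 0 only for OK.
check_helper() {
    helper=$1; user=$2; pass=$3
    shift 3
    # Squid 3 sends both fields URL-encoded; encode the one character that
    # commonly bites (space) so a test matches what Squid would send.
    user=$(printf '%s' "$user" | sed 's/ /%20/g')
    pass=$(printf '%s' "$pass" | sed 's/ /%20/g')
    verdict=$(printf '%s %s\n' "$user" "$pass" | "$helper" "$@" | head -n 1 | cut -d' ' -f1)
    printf '%s\n' "${verdict:-NO-REPLY}"
    [ "$verdict" = "OK" ]
}

# Real use, assuming the path and LDAP settings from the post:
#   check_helper /usr/lib64/squid/squid_ldap_auth "$USER" "$PASS" \
#       -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com

# Constructed stand-in for squid_ldap_auth used by the demo: it accepts exactly
# one account (alice / s3cret) and answers in the same OK/ERR format. It is run
# through sh, so the temp file does not need to be executable.
make_stub_helper() {
    stub=$(mktemp) || return 2
    cat > "$stub" <<'EOF'
while read -r u p; do
    if [ "$u" = "alice" ] && [ "$p" = "s3cret" ]; then
        echo OK
    else
        echo "ERR credentials rejected"
    fi
done
EOF
    printf '%s\n' "$stub"
}

# demo USER PASSWORD -> prints the verdict and returns the helper's result
demo() {
    stub=$(make_stub_helper) || return 2
    rc=0
    check_helper sh "$1" "$2" "$stub" || rc=$?
    rm -f "$stub"
    return "$rc"
}

demo alice s3cret          # OK
demo bob wrong || true     # ERR
```

Wire check_helper into a monitoring job with a dedicated low-privilege test account and the helper's own arguments, and alert on anything other than OK; a NO-REPLY usually means the helper binary path or its library dependencies are wrong, while ERR with the right password points at the base DN, the filter, or a directory that needs a bind before searching.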
Reverse Proxy with Domain Based Virtual Host Support:
http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
Reverse Proxy with Multiple Backend Web Servers:
http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers
Squid with LDAP authentication on CentOS:
http://alouche.net/blog/2009/02/20/squid-with-ldap-authentication-centos-52/
---
Thank you so much for your nice tutorial.
Recently I setup a Reverse Proxy Server with Squid (server accelerator) and wrote a full detailed tutorial that you can find in:
http://cosmolinux.no-ip.org/raconetlinux/html/17-squid.html
where I explain how to configure Squid (version 3.x) as a reverse Proxy Server (server accelerator), providing examples about how to do it using two
computers (one as a Proxy server and another as a Web Server) or just by using one single computer.
I also describe how to format the Squid's logs and how to send the logs to a remote computer.
Also, you can find an explanation of how to deny access to certain files and how to get correct logs in Apache Web Server.
I wish it is useful to someone.
Thanks a lot. It is a nice document.