How to set up a reverse proxy using squid for a simplified scenario?


Peng Yu
Hi,

I see the following blog about setting up a reverse proxy using squid.

http://derpturkey.com/squid-as-a-reverse-proxy/

But there seem to be more configurations than what I need.

For example, for the following line, I don't need to restrict the
access to a specific domain.
http_port 80 accel defaultsite=www.example.com

Instead, any access to the IP of the reverse proxy should be OK. In
this sense, should I just use the following?

http_port 80 accel

Also, let's say I have two web servers server1 and server2 to be
proxied. Since I don't use a domain, I am not sure how Step 3 should
be adjusted.

I also do not want any restrictions to my reverse proxy. But I am not
sure how Step 4 should be simplified.

Could anybody please let me know how to configure squid reverse proxy
in my simplified scenario?

--
Regards,
Peng
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How to set up a reverse proxy using squid for a simplified scenario?

Amos Jeffries
Administrator
On 11/02/18 06:33, Peng Yu wrote:

> Hi,
>
> I see the following blog about setting up a reverse proxy using squid.
>
> http://derpturkey.com/squid-as-a-reverse-proxy/
>
> But there seem to be more configurations than what I need.
>
> For example, for the following line, I don't need to restrict the
> access to a specific domain.
> http_port 80 accel defaultsite=www.example.com

The above does not *restrict*. It sets a default value for Squid to use
when the Host header is missing from HTTP requests.


>
> Instead, any access to the IP of the reverse proxy should be OK. In
> this sense, should I just use the following?
>
> http_port 80 accel

You can if you want to. But be aware that any clients which omit the
Host header in their requests will be rejected by the proxy with an
error page.


>
> Also, let's say I have two web servers server1 and server2 to be
> proxied. Since I don't use a domain, I am not sure how Step 3 should
> be adjusted.

By using other types of ACLs in an arrangement which meets your desired
mapping.

Please read the FAQ about how ACLs work. That includes a list of
different ACLs.
<http://wiki.squid-cache.org/SquidFaq/SquidAcl>


So far as you have stated that would be "cache_peer ... allow all".

Which is a very bad idea...

Be aware that the domain based config is itself a security layer to
prevent attackers and certain types of DoS reaching through the proxy to
attack the peers directly with bogus traffic. Using other types of ACLs,
particularly ones leading to "no restriction" like you describe, makes
your proxy and the origins all at risk for denial of service attacks.


What is your reason for wanting "no restrictions"?
It could be that you actually need something very different to what you
are asking about.


>
> I also do not want any restrictions to my reverse proxy. But I am not
> sure how Step 4 should be simplified.
>
> Could anybody please let me know how to configure squid reverse proxy
> in my simplified scenario?

That tutorial is describing the simplest scenario possible with
multiple peers in a reverse-proxy.

Yours is actually the more complicated scenario since you apparently
need some unusual ACL configuration.


Amos

Re: How to set up a reverse proxy using squid for a simplified scenario?

Peng Yu
> What is your reason for wanting "no restrictions"?

The proxied servers are behind a firewall already, which protects them
from any unwanted access. Is this reason strong enough to have no
restrictions set?

--
Regards,
Peng

Re: How to set up a reverse proxy using squid for a simplified scenario?

Yuri Voinov
No. This reason is obviously not strong enough. As by as requirement
configure firewalls also on servers - whenever they placed. Security in
depth - did you hear this term?


11.02.2018 02:26, Peng Yu wrote:
>> What is your reason for wanting "no restrictions"?
> The proxied servers are behind a firewall already, which protect them
> from any unwanted access. Is this reason strong enough to have no
> restrictions set?
>

--
*****************************
* C++20 : Bug to the future *
*****************************




Re: How to set up a reverse proxy using squid for a simplified scenario?

Yuri Voinov
Ah. My bad. Correctly Defence in depth:

https://en.wikipedia.org/wiki/Defense_in_depth_(computing)


11.02.2018 02:29, Yuri wrote:

> No. This reason is obviously not strong enough. As by as requirement
> configure firewalls also on servers - whenever they placed. Security in
> depth - did you hear this term?
>
>
> 11.02.2018 02:26, Peng Yu wrote:
>>> What is your reason for wanting "no restrictions"?
>> The proxied servers are behind a firewall already, which protect them
>> from any unwanted access. Is this reason strong enough to have no
>> restrictions set?
>>
--
*****************************
* C++20 : Bug to the future *
*****************************




Re: How to set up a reverse proxy using squid for a simplified scenario?

Amos Jeffries
Administrator
On 11/02/18 09:39, Yuri wrote:

> Ah. My bad. Correctly Defence in depth:
>
> https://en.wikipedia.org/wiki/Defense_in_depth_(computing)
>
>
> 11.02.2018 02:29, Yuri wrote:
>> No. This reason is obviously not strong enough. As by as requirement
>> configure firewalls also on servers - whenever they placed. Security in
>> depth - did you hear this term?
>>
>>
>> 11.02.2018 02:26, Peng Yu wrote:
>>>> What is your reason for wanting "no restrictions"?
>>> The proxied servers are behind a firewall already, which protect them
>>> from any unwanted access. Is this reason strong enough to have no
>>> restrictions set?
>>>
>

Indeed as Yuri said. Firewall rules are not enough.

The proxy is making connections from *inside* the network. A firewall at
the network edge cannot prevent, nor even see these.

Amos

Re: How to set up a reverse proxy using squid for a simplified scenario?

Peng Yu
In reply to this post by Amos Jeffries
It is still not difficult to completely comprehend the squid document
to see how to modify the example at derpturkey.com for my following
scenario.

I have a bunch of forward proxy servers whose IPs are ip1 and ip2,
..., ip_n (using port 3128). The reverse proxy will use the
round-robin policy to forward each incoming request to one of these
forward proxies.

Do you mind giving me a minimal working configuration for my scenario?
Working means that the configure must be used directly without
modification (except domain names or IP addresses). Minimal means that
anything not relevant to my scenario should not be included in the
configuration.

BTW, to make sure my understanding of forward proxy is
correct, could you confirm whether the proxies here are forward
proxies?

https://free-proxy-list.net/

On Sat, Feb 10, 2018 at 12:09 PM, Amos Jeffries <[hidden email]> wrote:

> On 11/02/18 06:33, Peng Yu wrote:
>> Hi,
>>
>> I see the following blog about setting up a reverse proxy using squid.
>>
>> http://derpturkey.com/squid-as-a-reverse-proxy/
>>
>> But there seem to be more configurations than what I need.
>>
>> For example, for the following line, I don't need to restrict the
>> access to a specific domain.
>> http_port 80 accel defaultsite=www.example.com
>
> The above does not *restrict*. It sets a default value for Squid to use
> when the Host header is missing from HTTP requests.
>
>
>>
>> Instead, any access to the IP of the reverse proxy should be OK. In
>> this sense, should I just use the following?
>>
>> http_port 80 accel
>
> You can if you want to. But be aware that any clients which omit the
> Host header in their requests will be rejected by the proxy with an
> error page.
>
>
>>
>> Also, let's say I have two web servers server1 and server2 to be
>> proxied. Since I don't use a domain, I am not sure how Step 3 should
>> be adjusted.
>
> By using other types of ACLs in an arrangement which meets your desired
> mapping.
>
> Please read the FAQ about how ACLs work. That includes a list of
> different ACLs.
> <http://wiki.squid-cache.org/SquidFaq/SquidAcl>
>
>
> So far as you have stated that would be "cache_peer ... allow all".
>
> Which is a very bad idea...
>
> Be aware that the domain based config is itself a security layer to
> prevent attackers and certain type of DoS reaching through the proxy to
> attack the peers directly with bogus traffic. Using other types of ACLs,
> particularly ones leading to "no restriction" like you describe make
> your proxy and the origins all at risk for denial of service attacks.
>
>
> What is your reason for wanting "no restrictions"?
>  it could be that you actually need something very different to what you
> are asking about.
>
>
>>
>> I also do not want any restrictions to my reverse proxy. But I am not
>> sure how Step 4 should be simplified.
>>
>> Could anybody please let me know how to configure squid reverse proxy
>> in my simplified scenario?
>
> That tutorial is describing the simplest scenario possible with a
> multiple peers in a reverse-proxy.
>
> Yours is actually the more complicated scenario since you apparently
> need some unusual ACL configuration.
>
>
> Amos



--
Regards,
Peng

Re: How to set up a reverse proxy using squid for a simplified scenario?

Amos Jeffries
Administrator
On 13/02/18 00:40, Peng Yu wrote:
> It is still not difficult to completely comprehend the squid document
> to see how to modify the example at derpturkey.com for my following
> scenario.
>
> I have a bunch of forward proxy servers whose IPs are ip1 and ip2,
> ..., ip_n (using port 3128). The reverse proxy will use the
> round-robin policy to forward each incoming request to one of these
> forward proxies.

Simply add "round-robin" option to the cache_peer lines in the
derpturkey example step #2. Otherwise do exactly as it says to do.



>
> Do you mind giving me a minimal working configuration for my scenario?

You already have that in the derpturkey page.


> Working means that the configure must be used directly without
> modification (except domain names or IP addresses). Minimal means that
> anything not relevant to my scenario should not be included in the
> configuration.
>
> BTW, to make sure my understanding of forward proxy is
> correct, could you confirm whether the proxies here are forward
> proxies?

A forward-proxy is an HTTP proxy receiving absolute-form URLs
(<https://tools.ietf.org/html/rfc7230#section-5.3.2>) directly from clients.

A reverse-proxy is an HTTP proxy acting as surrogate for an origin
server and thus receiving origin-form URLs
(<https://tools.ietf.org/html/rfc7230#section-5.3.1>) from clients.


>
> <elided>

A quick check of recent additions to that list shows a bunch of Apache
servers relaying traffic arbitrarily on port 80, and some Sophos AV
software running on personal computers, and some Cloud servers relaying
arbitrary traffic, and some misconfigured reverse-proxies, and some
forward-proxies, and some SOCKS proxies, and some TLS proxies, and some
broken student projects for writing proxies.

There is very much a mix of software types. It has all the appearance of
a malware bot net being sold for illegal uses. I hope you are not trying
to do such things.


Amos
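
The restricted arrangement discussed in this thread (a domain ACL guarding the peers, as in Amos's first reply, plus the round-robin option from his last one), written out as an added example; it is not part of any post and is not the derpturkey page's configuration. The hostname www.example.com, the 192.0.2.x addresses, and the names server1, server2 and our_site are placeholders.

```conf
# squid.conf fragment: reverse proxy in front of two origin servers.
# Constructed example; hostname, addresses and ACL/peer names are placeholders.

# Accelerator (reverse-proxy) listening port.
# defaultsite= only supplies a Host value for requests that arrive without
# one; it does not restrict which sites may be requested.
http_port 80 accel defaultsite=www.example.com

# Two origin servers. round-robin spreads requests across the peers that
# are allowed to serve them; name= is a local label used by the rules below.
cache_peer 192.0.2.11 parent 80 0 no-query originserver round-robin name=server1
cache_peer 192.0.2.12 parent 80 0 no-query originserver round-robin name=server2

# The security layer: the one site this proxy is published for.
acl our_site dstdomain www.example.com

# Weak form ("no restrictions"), shown commented out for contrast:
#   http_access allow all
#   cache_peer_access server1 allow all
#   cache_peer_access server2 allow all
# With these, a request naming any host at all is accepted and relayed to
# the peers, so bogus traffic reaches the origins through the proxy.

# Restricted form: accept only requests for the published site ...
http_access allow our_site
http_access deny all

# ... and relay only those requests to each peer.
cache_peer_access server1 allow our_site
cache_peer_access server1 deny all
cache_peer_access server2 allow our_site
cache_peer_access server2 deny all
```

`squid -k parse` checks the file for syntax errors before the running proxy is reconfigured.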