Re: Squid...a firewall..and virtual hosts

Dear Martijn,

I recently developed the same concept here. First you need 1 squid
process per virtual webserver listening on a dedicated IP address in
accellerator mode. Then you have to reconfigure your webserver in a way
that it provides a listing of the defferent servers on one address (e.g.
make links of the different server roots into the main webserver root).
The accel squids now need a little script, the famous redirector, that
transforms the real URL to the translated URL for your inside webserver.

Sample configuration:

squid.conf:

acl psycho src 141.44.135.101/32
http_access deny psycho
http_port 80
icp_port 0
tcp_incoming_address 62.144.72.2
tcp_outgoing_address 62.144.72.2
httpd_accel 192.168.195.2 80
dns_testnames internic.net usc.edu cs.colorado.edu mit.edu yale.edu
cache_effective_user squid squid
cache_dir /accel/www.radiosaw.de/cache
cache_access_log /accel/www.radiosaw.de/logs/access.log
cache_log /accel/www.radiosaw.de/logs/cache.log
cache_store_log none
cache_swap 100
#redirect_program /accel/www.radiosaw.de/etc/redir.pl
dns_children 1
redirect_children 5
pid_filename /accel/www.radiosaw.de/etc/squid.pid
emulate_httpd_log on
cache_stoplist cgi-bin ?

redir.pl:
#!/usr/bin/perl

$|=1;
while(<>) {
        s@http://([^/]+)/(.*)@http://orion.tsa.de/saw/$2@;
        print;
}

As you can see, this sample squid plays the www.radiosaw.de webserver,
but redirects all request to a machine called orion.tsa.de in a
subdirectory /saw/. (The squid.conf shows current config with a private
adress for the webserver and the one that was befor this with the redir
program.

The best thing is to provide real adresses per inside webserver. This
doesnt require the famous redir script as the webserver-process listens
on one address per virtual webserver. As you have a firewall around your
webserver it should be easy to use private addresses.)

If you need some startup scripts I can provide them too. ;)

Martijn Spronk wrote:
>
> I have a question about the use of Squid to allow outside users to see
> websites inside the firewall.
>
> We have a setup where we have virtual sites hosted by a few machines,
> where the sites
> all have one IP address but are distinguished by the hostname (so the
> webserver has to
> get the actual hostrequest to figure out which site to server, pretty
> common i think).
> These sites are set up inside the firewall (set up on a linux machine).
> Now we want to
> add the Squid proxy to a machine outside the firewall, to be able to
> serve the secure sites
> to the inside world.
> So the way we want to enable the websites to be seen is:
> for example www.columbus-group.com points to the ip address of the
> proxy, the proxy
> will go through the firewall (which has a hole in there to enable only
> the proxy server to
> go through), and from there on to the correct machine inside the secure
> area.
> Our main concern is. Will the actual hostname of the URL request, be
> lost in the path
> through the firewall?? Cause in that case, if the proxy for example
> changes it to a request
> to the firewall, the virtual server wouldnt be able to distinquish the
> request (that seems to be coming
> from the firewall) between www.columbus-group.com and
> demo.columbus-group.com, cause they
> would both be translated to firewall.columbus-group.com by Squid?,
> since they are both hosted on the same machine with the same IP inside
> the firewall.
>
> Any thoughts about this setup, has anyone used Squid this way before and
>
> has any experience
> with it? Is it possible to set Squid up on the firewall itself, to save
> ourself a machines, and maybe even
> improve overall performance?

Its faster, it saves machines 'cause your webserver(machines) can
handler more requests.
Test with a whole class C network aliased on one interface do not show
any performance leaks. (I had half of the class C play the webserver and
half the accel squid, and a script thatf requently gets the whole
server. good hardware is the point ;) )

The setup here runs without inspection ~40 days now.

-- 
Daniel Schild
Dienst- und Applikationsentwicklung
Teleport Sachsen-Anhalt GmbH | RegioCom GmbH
Tel:    ++49 39203 8 3300    | ++49 39203 8 2030
Fax:    ++49 39203 8 3399    | ++49 39203 8 2031
E-Mail: schild@tsa.de        | schild@regiocom.net
S-Mail: Steinfeldstr. 3, 39179 Barleben, Germany