Installing Squid to handle both 80 and 443
By Matt | May 26, 2009
This outlines configuring Squid, running two instances, to handle both port 80 and 443 traffic on an Amazon EC2 instance running Ubuntu Jaunty. We can bypass Squid by going directly to Lighttpd on port 8080.
To answer a couple questions off the top, you should also read my post on how to configure http –> https redirects at the Squid level since the web server won’t be able to handle that in this configuration, and this post documents a little bit of magic that needs to be done to support 8080 with virtual hosts.
In configuring our new servers, the choice of Squid was pretty easy — it can handle SSL traffic, Varnish can’t by itself. We already use Squid to do ssl traffic on some of our physical servers being replaced, so I’d like to continue using that feature. In a future post, we’ll talk about configuring Squid to use a Universal Certificate that can handle multiple domains on one IP (it looks doable in theory, but I haven’t purchased that yet).
Normally installation is simply:
apt-get install squid
However, Ubuntu doesn't build Squid with OpenSSL support and, for license reasons, has no intention of doing so. So you're better off following these directions to modify the package to include SSL support, then installing that.
Modify /etc/squid/squid.conf
This is the port 80 traffic. Note: we actually have a large number of "acl valid_dst dstdomain" lines, which block attempts to use Squid as a pass-through proxy at the proxy level instead of leaving it to the web server to reject the traffic.
http_port 80 accel vhost
cache_peer 127.0.0.1 parent 8080 0 no-query originserver login=PASS
logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S +0500}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
acl SSL_ports port 8080
acl Safe_ports port 8080
acl valid_dst dstdomain .somedomain.com
http_access allow valid_dst
Copy squid.conf to squid_ssl.conf, comment out http_port and make the following changes:
https_port 443 accel vhost cert=/(cert location) key=/(key location)
cache_log /var/log/squid3/cache_ssl.log
cache_store_log /var/log/squid3/store_ssl.log
We have separate cache and store logs for troubleshooting, but both configurations use access.log to record traffic. This simplifies using AWStats to analyze the logs; if we run into performance problems in the future we may need a tool like logmerge.pl to consolidate separate access logs. While I can think of a few things that could go wrong, I don't know they will go wrong till we try, so let's see if the simple way works first.
Now, let's configure and initialize a separate spool for SSL traffic:
mkdir /var/spool/squid3_ssl
chown -R proxy:proxy /var/spool/squid3_ssl/
squid3 -z -f /etc/squid3/squid_ssl.conf
Copy /etc/init.d/squid3 to /etc/init.d/squid3_ssl and make the following changes:
NAME=squid3_ssl
SQUID_ARGS="-D -YC -f /etc/squid3/squid_ssl.conf"
CONFIG=/etc/squid3/squid_ssl.conf
$DAEMON -z -f $CONFIG
And do a ln -s /etc/init.d/squid3_ssl /etc/rc2.d/S30squid3_ssl to make it start automatically.
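The steps above (copy squid.conf, comment out http_port, add https_port with its own cache and store logs, keep the shared access.log and the valid_dst ACLs) can be scripted so the two instances never drift apart. The following is an added example, not a script from the original post: make_ssl_conf derives the SSL configuration from the port-80 one, and check_ssl_conf verifies that the result has no live http_port, exactly one https_port, still logs to the shared access.log, and still carries the http_access rule that stops the proxy being used as a pass-through. The certificate and key paths and the sample squid.conf content are placeholders constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Derives squid_ssl.conf from
# squid.conf the way the post describes and sanity-checks the result.

# make_ssl_conf SRC DST CERT KEY
# Copies SRC to DST with every http_port line commented out, then appends
# the https_port line and the separate cache/store logs for the SSL instance.
make_ssl_conf() {
    src="$1"; dst="$2"; cert="$3"; key="$4"
    # Comment out http_port so the SSL instance does not also try to bind port 80.
    sed 's/^[[:space:]]*http_port/# http_port/' "$src" > "$dst"
    {
        echo "https_port 443 accel vhost cert=$cert key=$key"
        echo "cache_log /var/log/squid3/cache_ssl.log"
        echo "cache_store_log /var/log/squid3/store_ssl.log"
    } >> "$dst"
}

# check_ssl_conf DST
# Returns 0 when DST has no active http_port, exactly one https_port,
# keeps the shared access.log, has its own cache_log, and still restricts
# requests with the valid_dst ACL (so the SSL instance is not an open relay).
check_ssl_conf() {
    f="$1"
    if grep -q '^[[:space:]]*http_port' "$f"; then return 1; fi
    [ "$(grep -c '^https_port ' "$f")" -eq 1 ] || return 1
    grep -q '^access_log /var/log/squid/access.log' "$f" || return 1
    grep -q '^cache_log ' "$f" || return 1
    grep -q '^http_access allow valid_dst' "$f" || return 1
    return 0
}

# Stand-alone demonstration on a constructed squid.conf in a temp directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/squid.conf" <<'EOF'
http_port 80 accel vhost
cache_peer 127.0.0.1 parent 8080 0 no-query originserver login=PASS
access_log /var/log/squid/access.log combined
acl SSL_ports port 8080
acl Safe_ports port 8080
acl valid_dst dstdomain .somedomain.com
http_access allow valid_dst
EOF
# Placeholder certificate/key paths; substitute your real locations.
make_ssl_conf "$demo_dir/squid.conf" "$demo_dir/squid_ssl.conf" \
    /etc/ssl/PLACEHOLDER.crt /etc/ssl/PLACEHOLDER.key
if check_ssl_conf "$demo_dir/squid_ssl.conf"; then
    echo "squid_ssl.conf derived and checked:"
    cat "$demo_dir/squid_ssl.conf"
else
    echo "derived squid_ssl.conf failed checks" >&2
fi
rm -rf "$demo_dir"
```

Run it once after editing squid.conf and again after any later change; if check_ssl_conf fails, the SSL instance either gained a second listener on port 80 or lost the ACL that keeps it from relaying arbitrary destinations.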