HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Transparent reverse squid proxy (http://www.howtoforge.com/forums/showthread.php?t=35315), Installation/Configuration forum

d31373 21st May 2009 22:17

Transparent reverse squid proxy
 
I believe that's what it would be called...Transparent Reverse Squid Proxy

My company has only 1 external IP address to use.
Our internal network topology is:
1 x Cisco 831 Router
1 x Cisco 3750 24port Switch
2 x Physical CentOS 5.3 x64 Linux Servers running VMware 2.0
1 x Physical CentOS 5.3 i386 Linux Server running Asterisk
1 x Virtual Windows Server 2003 x64 Standard with Exchange server 2007
1 x Virtual Windows Server 2008 x64 Standard
1 x Virtual Windows Server 2003 Standard
1 x Virtual Windows XP Professional
3 x Virtual appliances for network monitoring, etc.

Obviously, as you would imagine, accessing the web interfaces of 6 servers has been quite challenging. I would like to set up a Squid Proxy in a VM to receive traffic for multiple ports.

The ports are 80, 443, 8222, 8333, 10000 to name a few.

Constraints:
I will be using CentOS 5.3 x64 and would like to know if anyone would be able to assist in configuring this. The only way to access the web interfaces would be through NATting the ports to the Squid Proxy.
Thus our Router IP is 10.10.10.254, the Squid Proxy is 10.10.10.253, our Windows servers are in 1-29 range, and Linux servers are in the range 30-59.

Preliminary Thoughts are:
How would I configure Squid to accept multiple ports?
How do I use squid to retrieve the LAN based web interface and forward it out the Router without configuring Squid to be the gateway device?

Thank you everyone for your considerations, and I am sorry if it appears that I do not know what I am doing. This will be my first Squid Proxy setup. I have used Linux for over 10 years, but with varying software, and the fact that most of my customers use Windows, causes me to lack some experience. Additionally I would like to use this as a learning experience in squid, proxying, and iptables.

stefanos 22nd May 2009 17:36

Hi d31373,

I had a similar question and ended up going with a simple approach and doing it with apache's reverse proxy as a front end machine.

I am guessing you could configure apache to listen on Port 80 & 8222 {vmware} and proxy to the server you want based on the header host.

for https (443 & 8333) it's a bit more tricky as you need to read the headers.

As for other traffic, say ssh, pop3 etc., I don't think you can go through a proxy server; it's just for http/https traffic and you will need to NAT to the server. i.e. port 25 would NAT to server A,
pop3 would NAT to server B etc..

But I am not sure. If you find out how to do it please let me know.

Stephen

d31373 22nd May 2009 18:12

I think you nailed it right on the head. I ONLY want to forward http/https traffic.
HTTP ports 80, 8088, 8222; HTTPS ports 443, 8333, 10000.

It is only an issue of accessing the web interfaces of the servers inside of the network without mapping external port 81 to port 80 on one server, external port 82 to port 80 on another server, etc.

smtp = forwards to Exchange Server 2007
rdp = forwards to Windows Server 2003
vnc = forwards to vm1
ssh = forwards to the proxy server, then establish ssh to other servers

Do you have any idea how/where to begin? What should I research first? I have no problem doing footwork to get this completed, perhaps someone else with more know-how can help lay the foundation. Are there any linux distributions targeted specifically at tackling this particular issue? Something, I can use to base my experience (possibly implement temporarily)?

stefanos 22nd May 2009 19:25

Well I did it like this...{just got this from my history file}..

# install apache, enable the proxy module and its HTTP backend, then restart
apt-get install apache2
a2enmod proxy
a2enmod proxy_http
/etc/init.d/apache2 force-reload

# modules enabled for the https attempt (ssl for TLS termination, proxy_connect for CONNECT requests)
a2enmod proxy_connect
a2enmod ssl
/etc/init.d/apache2 force-reload

###Create vhost file in /etc/apache2/sites-available/domain.com.vhost as follows

<VirtualHost *:80>
    ServerName www.domain.com

    # reverse proxy only: never act as an open forward proxy
    ProxyRequests Off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # target URL: the internal server this hostname should be proxied to (placeholder here)
    ProxyPass / http://www.domain.com/
    ProxyPassReverse / http://www.domain.com/
</VirtualHost>

# enable the vhost and reload apache
a2ensite domain.com.vhost
/etc/init.d/apache2 reload


I think you will also need to add into /etc/apache2/ports.conf to listen on the ports you want.

My HTTP works fine I have not tried with https yet.

So I will pass on where I got all my info from:
http://www.howtoforge.com/apache_rev...roxy_ispconfig
http://www.apachetutor.org/admin/reverseproxies
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Hope this helps.
Stephen
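As an added example (not from the thread), this is how the vhost pattern above extends to several external ports: the Listen lines go in ports.conf, as Stephen notes, and one name-based vhost per hostname picks the backend by the Host header the browser sends. Hostnames and backend addresses are constructed; only the 10.10.10.x ranges and the VMware port come from the thread.

```apache
# /etc/apache2/ports.conf (constructed example): listen on every external
# port the router NATs to the proxy VM.
Listen 80
Listen 8222
NameVirtualHost *:80
NameVirtualHost *:8222

# /etc/apache2/sites-available/web-interfaces.vhost (constructed example)
# ProxyRequests Off keeps this an origin-only reverse proxy, so outsiders
# cannot use it as an open forward proxy.
ProxyRequests Off
# Pass the original Host header through so backends that build links from
# it (OWA, monitoring UIs) generate URLs that still point at the proxy.
ProxyPreserveHost On

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

# Port 80: backend chosen by hostname.
<VirtualHost *:80>
    ServerName mail.example.com
    # Hypothetical backend: Exchange 2007 OWA on a Windows VM (10.10.10.1-29 range).
    ProxyPass        / http://10.10.10.10/
    ProxyPassReverse / http://10.10.10.10/
</VirtualHost>

<VirtualHost *:80>
    ServerName monitor.example.com
    # Hypothetical backend: monitoring appliance in the Linux range, on its own port.
    ProxyPass        / http://10.10.10.40:8080/
    ProxyPassReverse / http://10.10.10.40:8080/
</VirtualHost>

# Port 8222: VMware Server 2.0 web UI on the first physical host.
<VirtualHost *:8222>
    ServerName vm1.example.com
    ProxyPass        / http://10.10.10.30:8222/
    ProxyPassReverse / http://10.10.10.30:8222/
</VirtualHost>
```

Each backend only ever sees connections from the proxy address, so its own firewall can be limited to that single source.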

d31373 22nd May 2009 19:32

THANK YOU! I will begin working on implementing, any additional info would be greatly appreciated, hopefully I will have something up by mid next week.

stefanos 22nd November 2009 20:44

This is just to add some additional info I found that might be of help for anyone reading this post: it's about logging behind a proxy server. It has some problems as X-Forwarded-For can have multiple ip addresses. If anyone knows how to solve this I would be grateful.

I do my logging this way as opposed to apache's suggestion just to change the %h because I was unsure what would happen to my logs if the X-Forwarded-For was not set (eg if a local request was made from/to the server say via a cgi script).

Code:

# standard vhost_combined, used when no X-Forwarded-For header is present
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
# same format, but with the X-Forwarded-For value in place of the peer address (%h)
LogFormat "%v:%p %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" log_x_forward_for

# set is-forwarder when X-Forwarded-For looks like an IPv4 address (three dots)
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" is-forwarder

# choose the log format by that variable so direct (non-proxied) requests are still logged
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined env=!is-forwarder
CustomLog /var/log/apache2/other_vhosts_access.log log_x_forward_for env=is-forwarder

hope it helps
Stephen
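As an added note, not from the thread: Apache 2.4's mod_remoteip walks a multi-address X-Forwarded-For from the right and stops at the first address that is not a listed proxy, which is the usual answer to the multiple-addresses problem above. It assumes Apache 2.4 (mod_remoteip is not in the 2.2 series used here) and that 10.10.10.253, the proxy VM address from the thread, is the only hop in front of the backend; the log format name is constructed.

```apache
# Added example for Apache 2.4; enable the module with "a2enmod remoteip"
# on Debian/Ubuntu. Addresses are constructed from the thread's layout.

# Take the client address from X-Forwarded-For, but only peel off hops that
# are on the proxy list. Starting from the connecting peer, each address is
# replaced by the next one to its left in the header only while the current
# address is a listed proxy, so the first unlisted address becomes the
# client. A forged X-Forwarded-For sent directly by an outside host is
# ignored, because that host is not on the list.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.10.10.253
RemoteIPInternalProxy 127.0.0.1

# %a is the client address as rewritten by mod_remoteip; %{c}a is the peer
# that actually connected (the proxy), kept so the hop is still visible.
LogFormat "%v:%p %a (%{c}a) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_remoteip
CustomLog /var/log/apache2/other_vhosts_access.log vhost_remoteip
```

RemoteIPInternalProxy (rather than RemoteIPTrustedProxy) is used because the backends sit on 10.10.10.x and the header will legitimately carry private addresses; any per-IP access controls on the backend then also see the rewritten client address.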

