Reverse Proxy Settings
2017/12/19 |
Configure Squid as a Reverse Proxy Server.
[1] | Create a self-signed certificate first. If you use an official certificate, creating a self-signed one is not necessary. Note that the command below omits [-days], so openssl issues the certificate for its default lifetime of 30 days; add [-days 365] (or similar) if the test certificate should live longer. |
[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/squid.pem -out /etc/pki/tls/certs/squid.pem
Generating a 2048 bit RSA private key
......++++++
.......++++++
writing new private key to '/etc/pki/tls/certs/squid.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP                                  # country
State or Province Name (full name) [Some-State]:Hiroshima             # state
Locality Name (eg, city) []:Hiroshima                                 # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GTS        # company
Organizational Unit Name (eg, section) []:Server World                # department
Common Name (eg, YOUR name) []:www.srv.world                          # server's FQDN
Email Address []:xxx@srv.world                                        # admin email
[root@www certs]# chmod 400 squid.pem |
[2] | Configure Squid. If you use an official certificate, replace [cert=*** key=***] with your own files. If you use certificates from Let's Encrypt, specify [fullchain.pem] for [cert=***] and [privkey.pem] for [key=***]; fullchain.pem contains the certificate chain but not the private key, so it cannot be used for both. The [http_access allow all] rule below accepts every request that reaches the proxy; on a production reverse proxy, restrict it to the accelerated site with a [dstdomain] ACL instead. |
[root@prox ~]# vi /etc/squid/squid.conf
# line 57: add (allow all http access)
http_access allow all
# And finally deny all other access to this proxy
http_access deny all
# line 63: comment out the default forward-proxy port and listen as an accelerator for the backend Web server
# http_port 3128
http_port 80 accel defaultsite=www.srv.world
https_port 443 accel defaultsite=www.srv.world cert=/etc/pki/tls/certs/squid.pem key=/etc/pki/tls/certs/squid.pem
# line 66: uncomment
# the numbers mean ⇒ [disk cache size in MB] [number of directories on top level] [number of directories on 2nd level]
cache_dir ufs /var/spool/squid 100 16 256
# add to the end: the backend (origin) Web server
cache_peer www.srv.world parent 80 0 no-query originserver
# memory cache size
cache_mem 256 MB
# define hostname
visible_hostname prox.srv.world
[root@prox ~]# systemctl start squid
[root@prox ~]# systemctl enable squid |
[3] | If Firewalld is running, allow the HTTP and HTTPS services. |
[root@prox ~]# firewall-cmd --add-service={http,https} --permanent
success
[root@prox ~]# firewall-cmd --reload
success |
[4] | If Squid has to receive the HTTPS traffic for the site, change the DNS or router settings in your LAN so that the site name resolves to the Squid host, then open the site through the Squid reverse proxy from a client PC with a web browser and confirm that the backend page is served. |
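The steps above, collected into one script as an added example that is not part of the original page. It tightens two points a practitioner would want: the certificate gets an explicit lifetime and a subjectAltName, and the generated squid.conf accepts only requests for the accelerated site and routes them only to the origin peer, instead of the page's [http_access allow all]. The host names, the certificate path, the peer name [origin] and the Let's Encrypt directory layout are assumptions; [check_via_proxy] is meant to be run from a client PC with the proxy's IP address.

```shell
#!/bin/sh
# Added example, not from the original page. Host names, paths and the
# peer name "origin" are assumptions; adjust them for your site.
set -eu

SITE="${SITE:-www.srv.world}"                 # name the clients request
ORIGIN="${ORIGIN:-www.srv.world}"             # backend Web server (host or IP)
PROXY_NAME="${PROXY_NAME:-prox.srv.world}"    # visible_hostname of the proxy
CERT_DIR="${CERT_DIR:-/etc/pki/tls/certs}"

# Self-signed certificate with an explicit lifetime and a subjectAltName
# (browsers ignore the CN). Key and certificate go to one file, as on the
# page, created under umask 077 so the private key is never world-readable.
make_selfsigned_cert() {
    site="$1"; out="$2"; days="${3:-365}"
    cnf=$(mktemp)
    cat >"$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $site
[v3]
subjectAltName = DNS:$site
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    ( umask 077; openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -config "$cnf" -keyout "$out" -out "$out" 2>/dev/null )
    rm -f "$cnf"
}

# Pick the cert/key pair. Let's Encrypt keeps the chain and the private key
# in separate files, so cert= and key= must not both point at fullchain.pem.
cert_key_args() {
    site="$1"; fallback="$2"
    le="/etc/letsencrypt/live/$site"          # assumed certbot layout
    if [ -r "$le/fullchain.pem" ] && [ -r "$le/privkey.pem" ]; then
        echo "cert=$le/fullchain.pem key=$le/privkey.pem"
    else
        echo "cert=$fallback key=$fallback"
    fi
}

# Complete squid.conf for an accelerator. Only requests for the accelerated
# site are accepted, and they are sent to the origin peer only (never_direct),
# so the proxy cannot be used to reach arbitrary hosts.
render_squid_conf() {
    site="$1"; origin="$2"; certkey="$3"; name="$4"
    cat <<EOF
http_port 80 accel defaultsite=$site
https_port 443 accel defaultsite=$site $certkey
cache_peer $origin parent 80 0 no-query originserver name=origin
acl our_sites dstdomain $site
http_access allow our_sites
http_access deny all
cache_peer_access origin allow our_sites
cache_peer_access origin deny all
never_direct allow all
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 256 MB
visible_hostname $name
EOF
}

# Client-side check: resolve the site name to the proxy, request over HTTPS
# (-k is only acceptable for the self-signed case) and expect a 2xx/3xx.
check_via_proxy() {
    site="$1"; proxy_ip="$2"
    code=$(curl -sk -o /dev/null -w '%{http_code}' \
        --resolve "$site:443:$proxy_ip" "https://$site/")
    case "$code" in 2*|3*) return 0 ;; *) echo "got HTTP $code" >&2; return 1 ;; esac
}

main() {
    pem="$CERT_DIR/squid.pem"
    [ -s "$pem" ] || make_selfsigned_cert "$SITE" "$pem" 365
    render_squid_conf "$SITE" "$ORIGIN" "$(cert_key_args "$SITE" "$pem")" "$PROXY_NAME" \
        >/etc/squid/squid.conf
    squid -k parse                            # syntax-check before (re)starting
    systemctl restart squid
    systemctl enable squid
    firewall-cmd --add-service=http --add-service=https --permanent
    firewall-cmd --reload
}

# Only touch the system when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as [sh squid-revproxy.sh apply] on the proxy host; afterwards, from a client PC, [check_via_proxy www.srv.world <proxy-ip>] confirms that the name resolves to Squid and that the backend answers through it. Replacing the stock squid.conf with the rendered one avoids the ordering trap of appending an [allow] rule after the stock [http_access deny all], which would silently block everything.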