Squid is an open source, Unix-based proxy server for the Web that supports HTTP, HTTPS, FTP and more. It caches web content to reduce bandwidth and improve response times, and it is free software distributed under the GNU General Public License.
Basically, Squid acts as an intermediary, passing the client's request on to the destination server. Here we look at how to configure proxy-to-proxy communication with Squid: a test case in which two proxy servers forward traffic for one specific port between them. There is no single parent proxy; each of the two proxies is configured as the parent of the other.
The firewall only permits traffic between the two proxies on the port they use to talk to each other. With that in place, an application can reach its agents through the proxies, and the agents can reach the application server the same way: a request from an agent is forwarded from one proxy to the other and on to the server.
Let's look at the Squid configuration. First you need to install the squid package; the version I used is shown below.
Traffic flow for the Application Server:
Application Server >> ProxyA >> ProxyB >> Agent
Traffic flow for the agents (clients):
Agent >> ProxyB >> ProxyA >> Application Server
# rpm -qa | grep squid
squid-3.1.23-24.el6.x86_64
PROXY A configuration :
## These lines come from the default installation (recommended minimum configuration).
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Allowed client network. "localnet" is just an alias for the range below.
acl localnet src 192.168.0.0/16

# Safe ports.
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 383     # the port the agents and the Application Server use in this scenario
acl Safe_ports port 443     # https
acl CONNECT method CONNECT

# Recommended minimum access permission configuration:
# only allow cachemgr access from localhost.
http_access allow manager localhost
http_access deny manager

# Deny requests to ports other than the safe ones.
http_access deny !Safe_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server which think the only
# one who can access services on "localhost" is a local user.
#http_access deny to_localhost

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from which browsing should be allowed.
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy.
http_access deny all

# Squid normally listens on port 3128.
http_port 3128

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Define the parent proxy with cache_peer. 192.168.199.137 is ProxyB.
cache_peer 192.168.199.137 parent 3128 0 default

# Requests that this proxy must not serve directly.
# 192.168.145.171 is the Application Server. Its requests are forced through
# the parent instead of being fetched by ProxyA itself, which gives the path
# Application Server >> ProxyA >> ProxyB >> Agent.
# (The original named this ACL "proxy2", but it matches the Application Server, not ProxyB.)
acl app_server src 192.168.145.171/32
never_direct allow app_server
PROXY B Configuration :
## These lines come from the default installation (recommended minimum configuration).
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Allowed client network. "localnet" is just an alias for the range below.
acl localnet src 192.168.0.0/16

# Safe ports.
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 383     # the port the agents and the Application Server use in this scenario
acl Safe_ports port 443     # https
acl CONNECT method CONNECT

# Recommended minimum access permission configuration:
# only allow cachemgr access from localhost.
http_access allow manager localhost
http_access deny manager

# Deny requests to ports other than the safe ones.
http_access deny !Safe_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server which think the only
# one who can access services on "localhost" is a local user.
#http_access deny to_localhost

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from which browsing should be allowed.
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy.
http_access deny all

# Squid normally listens on port 3128.
http_port 3128

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Define the parent proxy with cache_peer. 192.168.167.134 is ProxyA.
cache_peer 192.168.167.134 parent 3128 0 default

# Requests that this proxy must not serve directly.
# 192.168.100.0/24 is the agents' (clients') network segment. Their requests are
# forced through the parent instead of being fetched by ProxyB itself, which
# gives the path Agent >> ProxyB >> ProxyA >> Application Server.
# (The original named this ACL "proxy2", but it matches the agents, not ProxyA.)
acl agents src 192.168.100.0/24
never_direct allow agents
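The two configurations above make the chain work, but they leave more open than the scenario needs. `http_access allow localnet` lets any host in 192.168.0.0/16 use either proxy, not just the Application Server, the agents and the peer. The line `http_access deny CONNECT !SSL_ports` from Squid's default configuration is missing, so a client can open a CONNECT tunnel to any Safe_port, including 383. And neither proxy says what to do with a request that arrives from its peer: with Squid's default `prefer_direct off`, a plain GET that matches neither `always_direct` nor `never_direct` is offered to a parent before it is fetched directly, so ProxyA can hand a request that just came from ProxyB straight back to it. Squid recognises its own name in the `Via` header and logs a forwarding-loop warning, but it is cleaner to rule the case out. The fragment below is an added example covering both the ProxyA and ProxyB sections; it is not the page's original configuration. It keeps the page's addresses (ProxyA 192.168.167.134, ProxyB 192.168.199.137, Application Server 192.168.145.171, agents in 192.168.100.0/24, port 383) and assumes, as the Safe_ports comment suggests, that port 383 is used in both directions. Each half replaces the `http_access`, `cache_peer` and `never_direct` lines of the corresponding squid.conf; the default `acl` definitions for manager, localhost, SSL_ports, Safe_ports and CONNECT stay as they are.

```conf
# ===== ProxyA (192.168.167.134) =====
# Who may use this proxy and what they may reach (addresses from the page).
acl app_server     src  192.168.145.171/32
acl peer_proxyB    src  192.168.199.137/32
acl agent_net      dst  192.168.100.0/24
acl app_server_dst dst  192.168.145.171/32
acl agent_port     port 383        # assumed: the same port in both directions

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# Keep CONNECT tunnels limited to SSL ports (in Squid's default config,
# missing from the excerpt above).
http_access deny CONNECT !SSL_ports
# The Application Server may talk to the agents on port 383 ...
http_access allow app_server agent_net agent_port
# ... and ProxyB may relay the agents' requests to the Application Server.
http_access allow peer_proxyB app_server_dst agent_port
http_access allow localhost
http_access deny all

http_port 3128

# ProxyB is the parent for agent-bound traffic; no-query because the ICP port is 0.
cache_peer 192.168.199.137 parent 3128 0 no-query default name=proxyB
# Only Application Server -> agent requests may be sent to ProxyB ...
cache_peer_access proxyB allow app_server agent_net
cache_peer_access proxyB deny all
# ... and they must go there rather than be fetched directly.
never_direct allow app_server agent_net
# Requests arriving from ProxyB are delivered directly, never handed back to it.
always_direct allow peer_proxyB

# ===== ProxyB (192.168.199.137) =====
acl agent_net      src  192.168.100.0/24
acl peer_proxyA    src  192.168.167.134/32
acl app_server_dst dst  192.168.145.171/32
acl agent_dst      dst  192.168.100.0/24
acl agent_port     port 383        # assumed: the same port in both directions

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# The agents may talk to the Application Server on port 383 ...
http_access allow agent_net app_server_dst agent_port
# ... and ProxyA may relay the Application Server's requests to the agents.
http_access allow peer_proxyA agent_dst agent_port
http_access allow localhost
http_access deny all

http_port 3128

# ProxyA is the parent for Application-Server-bound traffic.
cache_peer 192.168.167.134 parent 3128 0 no-query default name=proxyA
cache_peer_access proxyA allow agent_net app_server_dst
cache_peer_access proxyA deny all
never_direct allow agent_net app_server_dst
# Requests arriving from ProxyA are delivered directly, never handed back to it.
always_direct allow peer_proxyA
```

Check each file with `squid -k parse` before `squid -k reconfigure` (or `service squid restart`). Then, from the Application Server, run `curl -v -x http://192.168.167.134:3128 http://<agent address>:383/` and look for both proxies' hostnames in the `Via` header of the reply; a forwarding-loop warning in cache.log on either proxy means a request was handed back to the peer it came from, which the `always_direct` lines are there to prevent.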
Then restart Squid on both proxies and you are done:
#service squid restart