Configure Squid Proxy To Forward Package To A Parent Proxy


Squid is an Open Source Unix-based proxy server for the Web supporting HTTP, HTTPS, FTP, and more. It has extensions like web page caching to reduce bandwidth and improve response times. Squid is provided as free, open source software and can be used under the GNU General Public License.

Basically, Squid acts as an intermediary, passing the client’s request on to the destination server. Here we look at how to configure proxy-to-proxy communication with Squid. The test case has two proxy servers forwarding traffic for a specific port between them. Rather than a single server acting as the parent proxy, each of the two proxies acts as the parent of the other.

The firewall allows access from one proxy to the other on the specific port the proxies use to communicate with each other. With that in place, an application server can reach its agents through the proxies, and the agents can reach the server the same way: a request coming from an agent is forwarded from one proxy to the other.

Now for the Squid configuration. First of all you need to install the Squid package; the version I used is shown below.

Application server request flow:

Application Server >> ProxyA >> ProxyB >> Agent

Client request flow:

Agent >> ProxyB >> ProxyA >> Application Server

# rpm -qa|grep squid
squid-3.1.23-24.el6.x86_64


PROXY A configuration:

## These lines come from the default installation.
## Recommended minimum configuration
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Define the allowed network alias.
# localnet is just an alias.
acl localnet src 192.168.0.0/16

# Define safe ports.
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 383 # the port the agent and the application server use in our scenario
acl Safe_ports port 443 # https

acl CONNECT method CONNECT

# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128.
http_port 3128

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Define the parent proxy with cache_peer.
# 192.168.199.137 is the other proxy's IP.
cache_peer 192.168.199.137 parent 3128 0 default

# Define which requests must not go direct (never_direct sends them to the parent).
# In our scenario 192.168.145.171 is the application server's IP.
# When an agent sends a request to the application server: Agent >> Proxy1 >> Proxy2 >> Server.
# Without this rule it becomes a loop and the request never reaches the server
# (Agent >> Proxy1 >> Proxy2 >> Proxy1 ...).
acl proxy2 src 192.168.145.171/32
never_direct allow proxy2


PROXY B configuration:

## These lines come from the default installation.
## Recommended minimum configuration
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Define the allowed network alias.
# localnet is just an alias.
acl localnet src 192.168.0.0/16

# Define safe ports.
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 383 # the port the agent and the application server use in our scenario
acl Safe_ports port 443 # https

acl CONNECT method CONNECT

# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128.
http_port 3128

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Define the parent proxy with cache_peer.
# 192.168.167.134 is the other proxy's IP.
cache_peer 192.168.167.134 parent 3128 0 default

# Define which requests must not go direct (never_direct sends them to the parent).
# In our scenario 192.168.100.0/24 is the client servers' IP segment.
# When the application server sends a request to a client server: AP Server >> ProxyA >> ProxyB >> Client.
# Without this rule it becomes a loop and the request never reaches the client
# (AP Server >> ProxyA >> ProxyB >> ProxyA ...).
acl proxy2 src 192.168.100.0/24
never_direct allow proxy2


Then restart Squid and you are done:

# service squid restart
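As an added illustration (not part of the original post and not Squid's own code), the following Python script models the forwarding decisions the two configurations above make: the http_access chain (Safe_ports, localnet, deny all) and never_direct keyed on the source address. It is a simplified model that ignores prefer_direct, peer health checks and Squid's Via-header loop detection; the proxy addresses are taken from the cache_peer lines on the page, and the agent address 192.168.100.5 is constructed.

```python
import ipaddress

# Added example, not Squid code: a simplified model of the two squid.conf blocks
# above, covering only http_access (Safe_ports, localnet, deny all) and never_direct
# (source ACL -> parent); prefer_direct, peer health and Via loop detection are ignored.

SAFE_PORTS = {80, 383, 443}
LOCALNET = ipaddress.ip_network("192.168.0.0/16")

# Proxy addresses come from the cache_peer lines on the page; each proxy's
# never_direct ACL is the 'acl proxy2 src ...' line of its own config.
PROXIES = {
    "ProxyA": {"ip": "192.168.167.134", "parent": "ProxyB",
               "never_direct": ipaddress.ip_network("192.168.145.171/32")},
    "ProxyB": {"ip": "192.168.199.137", "parent": "ProxyA",
               "never_direct": ipaddress.ip_network("192.168.100.0/24")},
}

def http_access(src, dst_port):
    """Mirror the http_access chain: deny !Safe_ports, allow localnet, deny all."""
    if dst_port not in SAFE_PORTS:
        return False
    return ipaddress.ip_address(src) in LOCALNET

def next_hop(proxy, src, proxies=PROXIES):
    """never_direct allow <acl>: matching sources must use the parent; others go DIRECT."""
    cfg = proxies[proxy]
    if ipaddress.ip_address(src) in cfg["never_direct"]:
        return cfg["parent"]
    return "DIRECT"

def trace(first_proxy, src, dst_port, proxies=PROXIES, max_hops=4):
    """Follow one request hop by hop. Raises PermissionError on an http_access
    denial and RuntimeError when a proxy is visited twice (a forwarding loop)."""
    path, hop, seen = [first_proxy], first_proxy, set()
    while True:
        if not http_access(src, dst_port):
            raise PermissionError(f"{hop} denies {src} -> port {dst_port}")
        if hop in seen or len(path) > max_hops:
            raise RuntimeError("forwarding loop: " + " >> ".join(path))
        seen.add(hop)
        nxt = next_hop(hop, src, proxies)
        if nxt == "DIRECT":
            return path + ["DIRECT"]
        # The parent sees the forwarding proxy, not the original client, as 'src'.
        src, hop = proxies[hop]["ip"], nxt
        path.append(hop)

# Constructed sample: an agent at 192.168.100.5 talking on port 383 via Proxy B.
AGENT_PATH = trace("ProxyB", "192.168.100.5", 383)   # ['ProxyB', 'ProxyA', 'DIRECT']
```

Widening either never_direct ACL to the whole localnet (which also covers the peer proxy's address) makes trace() report a loop, because each proxy would then send the other proxy's forwarded requests back to its parent.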

I'm an IT Infrastructure and Operations Architect with extensive experience and administration skills and work for Interbank Card Center Of Turkey (BKM). I provide hardware and software support for the IT Infrastructure and Operations tasks.
