Reverse Proxy Server
Server Training - Proxy Server

Reverse Squid Proxy

This scenario is designed to accelerate access to the web server and provide a layer of defense for the web server that did not exist previously.  Please note that this information is for Squid 2.6 Stable, the configuration for Squid 2.5 is completely different.  The reverse proxy sits in front of your web server and receives the connection from the Internet when a user makes a request for the internal web server.  Because you can now set up the internal web server to only accept connections for HTTP and HTTPS as well as restrict those options you will provide greater protection for the client.

Reverse Proxy with Squid

Advantages of Reverse Proxy

There are several major advantages of a reverse proxy with squid.  The first advantage is that the proxy server will cache web pages and images on the proxy server so that the load is minimized for the internal server.  People who request the site will pull most of their information from the proxy not the web server itself.  The second advantage is security.  The reverse proxy will add an additional layer of security as hacking attempts will be focused on cached pages rather than the site itself.    This defense layer is not the ultimate answer but only provides an additional layer.  Another advantage is that the backend may be able to have multiple servers providing the full content of the page.  For example, you could build a web page that has images from multiple web servers and a database that is pulled from a separate server.  All of this will be transparent to the user.  Again, security is enhanced based on the fact that you can focus security on the proxy server to protect the internal servers.

Disadvantages of the Reverse Proxy

Of course on big disadvantage is that if your proxy server crashes nothing will work as it is all dependent upon the proxy server.  Another disadvantage is that if your reverse proxy is compromised you will be providing them with a comprehensive view of the internal network. The final disadvantage is that you may  see some issues with speed.  Speed must be weighed against the value of a cache, and how much time it takes the request to traverse several firewalls.  This issue may be trivial or may not be an issue at all.  Much of it depends on the resources and number of requests that your server receives.

Here are the lines that you need to add in order to get the reverse proxy to work.  A brief description details how those settings work and below those lines are an illustration of where they will be placed in the squid.conf file.

http_port 80  defaultsite=
cache_peer parent 80 0 no-query originserver
acl web dstdomain
http_access allow web

You need to set the port for the squid proxy.  This enables the user to connect to the web server in a way that they do not realize that a proxy is in front of the web server. 
http_port 80  defaultsite=

You are required to write an acl to allow access for the web server which is internal.  The acl can be called anything you like, here it is called “web” and the dstdomain then shows where “web” is on the network.  You must allow “web” down below.  Remember, order is critical and that is why the lines are illustrated with some references so you know where to place them.

# Squid normally listens to port 3128
http_port 80 defaultsite=
cache_peer parent 80 0 no-query originserver

acl localhost src
acl to_localhost dst
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl web dstdomain
acl purge method PURGE

The information below comes directly from the  squid.conf file.


# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
http_access allow web
http_access allow localhost