Squid Reverseproxy

juju deploy squid-reverseproxy
You will need Juju 2.9 to be able to run this command.
Channel           Version  Revision  Published    Runs on
latest/stable     20       20        16 Sep 2021  Ubuntu 20.04, 18.04, 16.04, 14.04
latest/candidate  14       14        11 Nov 2020  Ubuntu 18.04, 16.04, 14.04


About

Full-featured web proxy cache (HTTP proxy)


Overview

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects.

Squid version 3 is a major rewrite of Squid in C++ and introduces a number of new features including ICAP and ESI support.

http://www.squid-cache.org/

Usage

General

This charm provides squid in a reverse proxy setup.

http://en.wikipedia.org/wiki/Reverse_proxy

The most common scenario is to accelerate a web service: You run squid on your outside edge, forwarding queries to one or multiple internal web application servers.

The charm can be deployed in a single or multi-unit setup.

To deploy a single unit:

juju deploy squid-reverseproxy

To add more units:

juju add-unit squid-reverseproxy 

Example with apache:

juju deploy apache2
juju deploy squid-reverseproxy
juju add-relation apache2:website-cache squid-reverseproxy:cached-website

This will put squid in front of apache2.

Once deployed, you can ssh into the deployed service:

juju ssh <unit>

To list running units:

juju status

To start monitoring Squid using Nagios:

juju deploy nrpe-external-master
juju add-relation squid-reverseproxy nrpe-external-master

This charm requires the following relation settings from clients:

ip: service ip address
port: service port
sitenames: space-delimited list of virtual hosts to whitelist

The options that can be configured in config.yaml should be self-explanatory. If not, please file a bug against this charm.

HTTPS Reverse Proxying

Assuming you have a squid3 deb compiled with --enable-ssl, you can set up a single HTTPS reverse proxy.

An example of this would be:

juju config squid-reverseproxy enable_https=true ssl_key="$(base64 < /path/to/cert.key)" ssl_cert="$(base64 < /path/to/cert.crt)"

This should enable https access to the default website.

A current limitation of the implementation is that it does not support multiple HTTPS vhosts.

Monitoring

This charm provides relations that support monitoring via Nagios using nrpe-external-master as a subordinate charm.

Authentication Helpers

To set up user authentication to the proxy, you need an authentication helper, which you may need to supply yourself if none of the built-in helpers are suitable. You can do this by relating a subordinate charm providing the squid-auth-helper interface to this charm. Such a charm may publish relation data like this:

'auth-params': yaml.dump([
    {
        'scheme': 'basic',
        'program': '/path/to/auth/helper',
        'credentialsttl': '10 seconds',
        'casesensitive': 'on',
    }
])

This charm will turn that relation data into corresponding auth_param directives. You may need to use something like this as one of your auth_list items to cause Squid to require authentication:

{"!proxy_auth": [REQUIRED], http_access: deny}

If you do this, you should also set wait_for_auth_helper: true to cause this charm to wait for the auth-helper relation before starting Squid, as Squid will fail to start if it has a proxy_auth ACL without an authentication scheme being configured.
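A helper of the kind the 'program' key could point to, as an added example that is not part of this charm or of Squid. It assumes Squid's standard Basic helper interface (one URL-encoded "username password" line per request on stdin, "OK" or "ERR" per line on stdout); the user store, salts and PBKDF2 work factor are constructed for illustration.

```python
#!/usr/bin/env python3
"""Squid Basic-auth helper sketch (added example, not the charm's code)."""
import hashlib
import hmac
import sys
from urllib.parse import unquote

ITERATIONS = 100_000  # assumed PBKDF2 work factor, tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: username -> (salt, PBKDF2 hash). A real helper
# would load this from a file readable only by the account Squid runs as.
USERS = {"alice": (b"constructed-salt",
                   hash_password("correct horse", b"constructed-salt"))}
# Unknown users are checked against a dummy record so that a miss costs the
# same work as a hit and does not reveal which usernames exist.
_DUMMY = (b"dummy-salt", hash_password("dummy", b"dummy-salt"))


def check_line(line: str, users=USERS) -> str:
    """Return the reply ("OK" or "ERR") for one request line from Squid."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:          # malformed request: fail closed
        return "ERR"
    # Squid URL-encodes both fields, so spaces arrive as %20.
    user, password = unquote(parts[0]), unquote(parts[1])
    salt, expected = users.get(user, _DUMMY)
    candidate = hash_password(password, salt)
    # Constant-time comparison; usernames are matched case-sensitively,
    # in line with 'casesensitive': 'on' in the relation data above.
    ok = hmac.compare_digest(candidate, expected) and user in users
    return "OK" if ok else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()       # Squid blocks until each reply is flushed


if __name__ == "__main__":
    main()
```

The short 'credentialsttl' in the relation data above means Squid re-queries the helper often, so the work factor directly affects request latency.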

Caveats

The apache2 example in the Usage section is just for reference. In order to make it usable, you will have to supply a proper virtual host configuration for apache2.