Squid Reverseproxy

Channel | Version | Revision | Published | Runs on
latest/stable | 20 | 20 | 16 Sep 2021 | Ubuntu 20.04, 18.04, 16.04, 14.04
latest/candidate | 14 | 14 | 11 Nov 2020 | Ubuntu 18.04, 16.04, 14.04

Overview

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects.

Squid version 3 is a major rewrite of Squid in C++ and introduces a number of new features including ICAP and ESI support.

http://www.squid-cache.org/

Usage

General

This charm provides squid in a reverse proxy setup.

http://en.wikipedia.org/wiki/Reverse_proxy

The most common scenario is to accelerate a web service: You run squid on your outside edge, forwarding queries to one or multiple internal web application servers.

The charm can be deployed in a single or multi-unit setup.

To deploy a single unit:

juju deploy squid-reverseproxy

To add more units:

juju add-unit squid-reverseproxy 

Example with apache:

juju deploy apache2
juju deploy squid-reverseproxy
juju add-relation apache2:website-cache squid-reverseproxy:cached-website

This will put squid in front of apache2.

Once deployed, you can ssh into the deployed service:

juju ssh <unit>

To list running units:

juju status

To start monitoring Squid using Nagios:

juju deploy nrpe-external-master
juju add-relation squid-reverseproxy nrpe-external-master

This charm requires the following relation settings from clients:

ip: service ip address
port: service port
sitenames: space-delimited list of virtual hosts to whitelist

The options that can be configured in config.yaml should be self-explanatory. If not, please file a bug against this charm.

HTTPS Reverse Proxying

Assuming you have a squid3 deb compiled with --enable-ssl, you can set up a single HTTPS reverse proxy.

An example of this would be:

juju set squid-reverseproxy enable_https=true ssl_key="$(base64 < /path/to/cert.key)" ssl_cert="$(base64 < /path/to/cert.crt)"

This should enable https access to the default website.

A current implementation limitation is that it doesn't support multiple https vhosts.

Monitoring

This charm provides relations that support monitoring via Nagios using nrpe_external_master as a subordinate charm.

Authentication Helpers

To set up user authentication to the proxy, you need an authentication helper, which you may need to supply yourself if none of the built-in helpers are suitable. You can do this by relating a subordinate charm providing the squid-auth-helper interface to this charm. Such a charm may publish relation data like this:

'auth-params': yaml.dump([
    {
        'scheme': 'basic',
        'program': '/path/to/auth/helper',
        'credentialsttl': '10 seconds',
        'casesensitive': 'on',
    }
])

This charm will turn that relation data into corresponding auth_param directives. You may need to use something like this as one of your auth_list items to cause Squid to require authentication:

{"!proxy_auth": [REQUIRED], http_access: deny}

If you do this, you should also set wait_for_auth_helper: true to cause this charm to wait for the auth-helper relation before starting Squid, as Squid will fail to start if it has a proxy_auth ACL without an authentication scheme being configured.
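For reference, a helper of the kind a subordinate charm could install at the 'program' path, speaking Squid's basic-auth helper protocol (one "<user> <password>" line per request on stdin, URL-escaped, answered with OK or ERR). This is an added example, not code from this charm or from Squid; the user store, the names USERS, DUMMY and check_line, and the PBKDF2 parameters are assumptions, and it assumes helper concurrency is not enabled, so request lines carry no channel-ID prefix.

```python
#!/usr/bin/env python3
"""Minimal Squid basic-auth helper (added example; names are hypothetical)."""
import hashlib
import hmac
import sys
from urllib.parse import unquote

ITERATIONS = 100_000  # PBKDF2 work factor, an assumed value


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: user -> (salt, PBKDF2 hash). A real helper would
# load this from a root-owned file rather than embedding it.
USERS = {"alice": (b"constructed-salt", hash_password("s3cret pass", b"constructed-salt"))}
# Used for unknown users so both paths do the same amount of hashing.
DUMMY = (b"dummy-salt", hash_password("", b"dummy-salt"))


def check_line(line: str, users=USERS) -> str:
    """Answer one request line of the form '<user> <password>' with OK or ERR."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"
    # Squid URL-escapes both fields, so a space in a password arrives as %20.
    user, password = unquote(parts[0]), unquote(parts[1])
    salt, expected = users.get(user, DUMMY)
    candidate = hash_password(password, salt)
    matches = hmac.compare_digest(candidate, expected)  # constant-time compare
    return "OK" if matches and user in users else "ERR"


def main() -> None:
    # Squid keeps the helper running and sends one request per line on stdin;
    # every answer must be flushed or Squid will stall waiting for it.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With 'credentialsttl' set as in the relation data above, Squid caches each verdict for that long, so the helper is not asked again on every request.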

Caveats

The apache2 example above is just for reference. To make it usable, you will have to supply a proper virtual host configuration for apache2.