ssl squid reverseproxy #1

Supports: trusty

Description

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Squid version 3 is a major rewrite of Squid in C++ and introduces a number of new features including ICAP and ESI support.
Requires the following relation settings from consuming services:

url: The full URL for squid to provide to the Internet.
proxy_target: The url for the back-end service being proxied.

Although squid can be configured as a traditional forward proxy, this charm supports only a reverse proxy configuration.


Overview

Squid is a high-performance proxy caching server for web clients,
supporting FTP, gopher, and HTTP data objects.

Squid version 3 is a major rewrite of Squid in C++
and introduces a number of new features
including ICAP and ESI support.

http://www.squid-cache.org/

Usage

General

This charm provides squid in a reverse proxy setup.

http://en.wikipedia.org/wiki/Reverse_proxy

The most common scenario is to accelerate a web service:
You run squid on your outside edge,
forwarding queries to one or multiple internal web application servers.

The charm can be deployed in a single or multi-unit setup.

To deploy a single unit:

juju deploy squid-reverseproxy

To add more units:

juju add-unit squid-reverseproxy

Example with apache:

juju deploy apache2
juju deploy squid-reverseproxy
juju add-relation apache2:website squid-reverseproxy:website

This will put squid in front of apache2.

To start monitoring Squid using Nagios:

juju deploy nrpe-external-master
juju add-relation squid-reverseproxy nrpe-external-master

This charm requires the following relation settings from clients:

ip: service IP address
port: service port
sitenames: space-delimited list of virtual hosts (Host header values) to whitelist; requests for any other host are refused

The options that can be configured in config.yaml should be self-explanatory.
If not, please file a bug against this charm.

HTTPS Reverse Proxying

The squid3 package in the Ubuntu archives is not built with OpenSSL support,
because the GPL licence Squid is distributed under
is incompatible with the OpenSSL licence.
Your choices are either to build and maintain your own squid packages
with OpenSSL compiled in,
or to terminate HTTPS in a subordinate web server placed in front of squid.

This charm supports the webservice relation,
so to connect with an Apache subordinate:

juju deploy apache2-subordinate
juju add-relation squid-reverseproxy:webservice apache2-subordinate:webservice

Note that the website relation,
used for the reverse proxying itself,
is also supported by both charms.
It is therefore necessary to name the webservice relation explicitly
when relating the subordinate, as above.

If you have custom squid packages for HTTPS

Assuming you have a squid3 deb compiled with --enable-ssl,
you can set up a single HTTPS reverse proxy.

An example of this would be:

juju set squid-reverseproxy enable_https=true ssl_key="$(base64 < /path/to/cert.key)" ssl_cert="$(base64 < /path/to/cert.crt)"

This should enable HTTPS access to the default website.

Note that the certificate and the private key are stored in the service
configuration and written to ssl_certfile and ssl_keyfile on each unit,
so anyone who can read that configuration (for example with
juju get squid-reverseproxy) can recover the private key.
Restrict access to the environment accordingly.

A current implementation limitation
is that it doesn't support multiple HTTPS vhosts.

Monitoring

This charm provides relations that support monitoring via Nagios
using nrpe-external-master as a subordinate charm.

Caveats

The example above is just for reference.
You will need to configure any charms behind squid-reverseproxy
to support the website relation successfully.


Configuration

avg_obj_size_kb
(int) Estimated average size of a cached object (KB).
Default: 16
cache_dir
(string) The top-level directory where cache swap files will be stored.
Default: /var/spool/squid3
cache_l1
(int) Number of first-level directories for the disk cache.
Default: 16
cache_l2
(int) Number of second-level directories for the disk cache.
Default: 256
cache_mem_mb
(int) Maximum size of the in-memory object cache (MB). Should be smaller than cache_size_mb. Set to zero to disable caching completely.
Default: 256
cache_size_mb
(int) Maximum size of the on-disk object cache (MB). Set to zero to disable disk caching.
Default: 512
connect_timeout_in_seconds
(int) How long to wait for the TCP connect to the requested server or peer to complete before Squid attempts to find another path to forward the request.
Default: 60
enable_forward_proxy
(boolean) Enables forward proxying.
enable_https
(boolean) Enable HTTPS access for squid. Requires a squid compiled with --enable-ssl plus a certificate and private key (see ssl_cert and ssl_key).
extra_packages
(string) List of the apt packages to install.
Default: squid
https_options
(string) Options for the HTTPS port.
Default: accel vhost
https_port
(int) Squid HTTPS listening port.
Default: 443
log_format
(string) Format of the squid log.
Default: %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
max_obj_size_kb
(int) Maximum size of an object to be cached (KB).
Default: 8192
metrics
(string) List of SNMP metrics to be exported. Names should match Squid's SNMP names at http://wiki.squid-cache.org/Features/Snmp#Squid_OIDs. By default, this charm uses the 5-minute sampling where averages are used and specifies the .5 measurements explicitly. If you want the 1-minute or 60-minute timings, you should be explicit (.1 / .60) and probably change the cron job frequency as well. Warning: any metric starting with 'cachePeer...' produces one metric per configured peer, so the number of metrics can grow rapidly if you have many peers.
Default: cacheCpuUsage cacheCurrentSwapSize cacheDnsSvcTime.5 cacheHttpErrors cacheHttpAllSvcTime.5 cacheHttpHitSvcTime.5 cacheHttpMissSvcTime.5 cacheHttpNhSvcTime.5 cacheHttpNmSvcTime.5 cacheHttpInKb cacheHttpOutKb cacheMaxResSize cacheMemMaxSize cacheMemUsage cacheNumObjCount cachePeerRtt cacheRequestByteRatio.5 cacheRequestHitRatio.5 cacheSwapHighWM cacheSwapLowWM cacheSwapMaxSize cacheSysNumReads cacheSysPageFaults cacheSysStorage cacheSysVMsize
metrics_sample_interval
(int) Period for the metrics cron job to run, in minutes.
Default: 5
metrics_scheme
(string) Naming scheme for metrics. The special values $UNIT and $METRIC can be used for more complex schemes, e.g. for suffixes for graphite processing.
Default: dev.$UNIT.squid.$METRIC
metrics_target
(string) Destination for metrics, in the format "host:port". If not present and valid, metrics are disabled.
nagios_check_http_params
(string) The parameters to pass to the nrpe plugin check_http. The string will be formatted with config data.
nagios_check_https_params
(string) The parameters to pass to the nrpe plugin check_http for the HTTPS check. The string will be formatted with config data.
nagios_context
(string) Used by the nrpe-external-master subordinate charm. A string that will be prepended to the instance name to set the host name in nagios, so for instance the host name would be something like juju-squid-0. If you're running multiple environments with the same services in them, this allows you to differentiate between them.
Default: juju
nagios_service_type
(string) What service this component forms part of, e.g. supermassive-squid-cluster. Used by nrpe.
Default: generic
package_status
(string) The status of service-affecting packages will be set to this value in the dpkg database. Useful valid values are "install" and "hold".
Default: install
port
(int) Squid listening port.
Default: 3128
port_options
(string) Squid listening port options.
Default: accel vhost
redirect_to_https
(boolean) Activate redirection of HTTP traffic to HTTPS.
refresh_patterns
(string) JSON- or YAML-formatted list of refresh patterns. For example:
'{"http://www.ubuntu.com": {"min": 0, "percent": 20, "max": 60}, "http://www.canonical.com": {"min": 0, "percent": 20, "max": 120}}'
services
(string) Services definition(s). Although the variable type is a string, it is interpreted by the charm as YAML. To use multiple services within the same instance, specify all of the variables (service_name, service_host, service_port) for each service, with a "-" before the first variable, service_name, as below:
- service_name: example_proxy
  service_domain: example.com
  servers:
    - [foo.internal, 80]
    - [bar.internal, 80]
snmp_allowed_ips
(string) A single IP, or a JSON-formatted list of IPs (each with an optional subnet mask), allowed to query SNMP.
snmp_community
(string) SNMP community string for monitoring the service. Required for metrics to be enabled.
snmp_port
(int) Port for the SNMP service.
Default: 3401
ssl_cert
(string) Base64-encoded SSL certificate file.
ssl_certfile
(string) File path to the SSL certificate file inside deployed units.
Default: /etc/squid3/ssl/cert.crt
ssl_key
(string) Base64-encoded SSL private key file.
ssl_keyfile
(string) File path to the SSL private key file inside deployed units.
Default: /etc/squid3/ssl/cert.key
target_objs_per_dir
(int) Target number of objects to store in L2 directories.
Default: 400
via
(string) Add a 'Via' header to outgoing requests.
Default: on
x_balancer_name_allowed
(boolean) Route based on the X-Balancer-Name header set by the Apache charm.