reverse proxy

These instructions need freshening for current Pressflow releases. There is no longer a LOGGED_IN cookie. Now, only authenticated users (and certain types of interactive anonymous users) should have a session cookie.

Configuring Pressflow to work with your reverse proxy servers

  1. Edit settings.php.
  2. Add the following to your $conf array, keeping any other settings there:
    settings.php (excerpt)
    $conf = array(
      'reverse_proxy' => TRUE,
      'reverse_proxy_addresses' => array(
        '10.0.0.1', // Reverse proxy host A
        '10.0.0.2', // Reverse proxy host B
        '10.0.0.3', // Reverse proxy host C
        // [...]
      ),
    );
    
  3. Configure the "reverse_proxy_addresses" array to contain the IP addresses of your reverse proxy servers. Pressflow will then accept "X-Forwarded-For" headers only on requests that arrive from your reverse proxy server(s).
  4. Enable Drupal's page cache in admin/settings/performance as follows:
    1. Set the Caching Mode to External.
    2. Set the Page Cache Maximum Age to an appropriate value (anything over 0).
  5. Test your configuration:
    1. Sign out.
    2. Install the Live HTTP Headers extension for Firefox and start viewing headers.
    3. Sign in, and look for the "LOGGED_IN" cookie being received in your HTTP headers.
    4. Click on another page, and check that the "LOGGED_IN" cookie is being sent.
    5. Sign out, and look for the "LOGGED_IN" cookie being received with an expired date in your HTTP headers.
    6. Click on another page, and check that the "LOGGED_IN" cookie is not being sent.
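
The trust decision that step 3 relies on, as an added example (not Pressflow's own code): the forwarded header is honoured only when the TCP peer is a listed proxy. `client_ip()` is a hypothetical name and all addresses are constructed; the example goes beyond the single-proxy case by walking a chained header right to left.

```php
<?php
// Added illustration, not Pressflow source. client_ip() and its parameters
// are hypothetical names; every address below is a constructed sample value.

/**
 * Return the address a request should be attributed to.
 *
 * $remote_addr: TCP peer address (REMOTE_ADDR).
 * $xff: raw X-Forwarded-For value, or NULL when absent.
 * $trusted: the 'reverse_proxy_addresses' list.
 */
function client_ip($remote_addr, $xff, array $trusted) {
  // Honour the header only when the TCP peer is a listed proxy.
  if ($xff === NULL || !in_array($remote_addr, $trusted, TRUE)) {
    return $remote_addr;
  }
  // Each proxy appends the peer it saw, so the rightmost entries were
  // written by our own proxies. Walk right to left and stop at the first
  // hop that is not one of them.
  $hops = array_reverse(array_map('trim', explode(',', $xff)));
  foreach ($hops as $hop) {
    if (filter_var($hop, FILTER_VALIDATE_IP) === FALSE) {
      break; // Malformed entry: fall back to the TCP peer.
    }
    if (!in_array($hop, $trusted, TRUE)) {
      return $hop;
    }
  }
  return $remote_addr;
}

$trusted = array('10.0.0.1', '10.0.0.2');

// label => array(REMOTE_ADDR, X-Forwarded-For)
$cases = array(
  'via proxy A'                        => array('10.0.0.1', '203.0.113.7'),
  'client-supplied prefix via proxy A' => array('10.0.0.1', '127.0.0.1, 203.0.113.7'),
  'chained A -> B'                     => array('10.0.0.2', '203.0.113.7, 10.0.0.1'),
  'direct hit with forged header'      => array('198.51.100.9', '127.0.0.1'),
  'no header'                          => array('198.51.100.9', NULL),
);

foreach ($cases as $label => $case) {
  list($remote, $xff) = $case;
  printf("%-36s => %s\n", $label, client_ip($remote, $xff, $trusted));
}
```

The first three cases resolve to 203.0.113.7 and the last two to 198.51.100.9, so neither a forged header on a direct connection nor a client-supplied prefix changes the attributed address.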

Configuring Squid to observe Pressflow's authentication headers

  1. Install the basic configuration below.
    • For Squid 3.0 on Ubuntu 8.04:
      /etc/squid3/squid.conf
      # Basic parameters
      visible_hostname www1.causecast.org
      # This line indicates the server we will be proxying for
      http_port 80 accel defaultsite=causecast.org
      # And the IP Address for it
      cache_peer 127.0.0.1 parent 8080 0 no-query originserver
      # Memory and cache files
      cache_dir ufs /var/spool/squid3 10000 16 256
      cache_mem 256 MB
      maximum_object_size_in_memory 32 KB
      # Basic ACLs
      acl manager proto cache_object
      acl localhost src 127.0.0.1/255.255.255.255
      acl to_localhost dst 127.0.0.0/8
      acl Safe_ports port 80
      acl purge method PURGE
      acl CONNECT method CONNECT
      http_access allow manager localhost
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !Safe_ports
      http_access allow localhost
      http_access allow all
      http_access deny all
      http_reply_access allow all
      icp_access allow all
      cache_effective_group proxy
      coredump_dir /var/spool/squid
      emulate_httpd_log on
      redirect_rewrites_host_header off
      buffered_logs on
      # Observe Pressflow authentication headers
      #acl cookie_logged_in_set rep_header Set-Cookie LOGGED_IN=Y
      #cache deny cookie_logged_in_set
      #acl cookie_logged_in_out rep_header Cookie LOGGED_IN=Y
      #cache deny cookie_logged_in_out
      #acl cookie_logged_in     req_header Cookie LOGGED_IN=Y
      #cache deny cookie_logged_in
      
      # Don't cache "HTTP/1.1 403 Forbidden" responses
      acl forbidden http_status 403
      cache deny forbidden
      
    • For pre-Squid 3.0 on CentOS 5:
      /etc/squid/squid.conf
      # Basic parameters
      visible_hostname localhost
      # This line indicates the server we will be proxying for
      http_port 80 accel defaultsite=pressflow.example.com
      # And the IP Address for it
      cache_peer 10.0.1.1 parent 80 0 no-query originserver
      acl apache rep_header Server ^Apache
      broken_vary_encoding allow apache
      # Where the cache files will be, memory and such
      cache_dir ufs /var/spool/squid 10000 16 256
      cache_mem 256 MB
      maximum_object_size_in_memory 32 KB
      # Log locations and format
      logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
      logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
      access_log /var/log/squid/access.log squid
      cache_log /var/log/squid/cache.log
      cache_store_log /var/log/squid/store.log
      hosts_file /etc/hosts
      # Basic ACLs
      acl all src 0.0.0.0/0.0.0.0
      acl mydomain dstdomain .example.com
      acl manager proto cache_object
      acl localhost src 127.0.0.1/255.255.255.255
      acl to_localhost dst 127.0.0.0/8
      acl Safe_ports port 80
      acl purge method PURGE
      acl CONNECT method CONNECT
      http_access allow manager localhost
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !Safe_ports
      http_access allow localhost
      http_access allow all
      http_access allow mydomain
      http_access deny all
      http_reply_access allow all
      icp_access allow all
      cache_effective_group proxy
      coredump_dir /var/spool/squid
      forwarded_for on
      emulate_httpd_log on
      redirect_rewrites_host_header off
      buffered_logs on
      # Observe Pressflow authentication headers
      acl cookie_logged_in_set rep_header Set-Cookie LOGGED_IN=Y
      cache deny cookie_logged_in_set
      acl cookie_logged_in_out rep_header Cookie LOGGED_IN=Y
      cache deny cookie_logged_in_out
      acl cookie_logged_in     req_header Cookie LOGGED_IN=Y
      cache deny cookie_logged_in
      
      # Don't cache "HTTP/1.1 403 Forbidden" responses
      acl forbidden http_status 403
      cache deny forbidden
      
  2. Replace pressflow.example.com with the site you're proxying to.
  3. Replace 10.0.1.1 with the IP address of the Apache server you're proxying to.