reverse proxy


These instructions need updating for current Pressflow releases. There is no longer a LOGGED_IN cookie. Now, only authenticated users (and certain types of interactive anonymous users) should have a session cookie.

Configuring Pressflow to work with your reverse proxy servers

  1. Edit settings.php.

  2. Add the following to your $conf array, keeping any other settings there:

    settings.php (excerpt)

    $conf = array(
      'reverse_proxy' => TRUE,
      'reverse_proxy_addresses' => array(
        '10.0.0.1', // Reverse proxy host A
        '10.0.0.2', // Reverse proxy host B
        '10.0.0.3', // Reverse proxy host C
        [...]
      ),
    );

  3. Configure the "reverse_proxy_addresses" array to contain the IP addresses of your reverse proxy servers. Pressflow will then accept the "X-Forwarded-For" header only on requests that come from your reverse proxy server(s).

  4. Enable Drupal's page cache in admin/settings/performance as follows:

    1. Set the Caching Mode to External.

    2. Set the Page Cache Maximum Age to an appropriate value (anything over 0).

  5. Test your configuration:

    1. Sign out.

    2. Install the Live HTTP Headers extension for Firefox and start viewing headers.

    3. Sign in, and look for the "LOGGED_IN" cookie being received in your HTTP headers.

    4. Click on another page, and check that the "LOGGED_IN" cookie is being sent.

    5. Sign out, and look for the "LOGGED_IN" cookie being received with an expired date in your HTTP headers.

    6. Click on another page, and check that the "LOGGED_IN" cookie is not being sent.
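
The allow-list in step 3 decides whose "X-Forwarded-For" header is believed. The sketch below is an added example, not Pressflow's own code: `client_ip`, `naive_client_ip` and `CONF` are hypothetical names, the requests are constructed, and using the right-most header entry is an assumption of this model.

```python
import ipaddress

# Constructed sample mirroring the settings.php excerpt (same three proxy IPs).
CONF = {
    "reverse_proxy": True,
    "reverse_proxy_addresses": ["10.0.0.1", "10.0.0.2", "10.0.0.3"],
}


def naive_client_ip(remote_addr, x_forwarded_for):
    """Weak form: believe the header no matter who sent the request."""
    if x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, x_forwarded_for, conf):
    """Model of the allow-list check (assumed logic, hypothetical function).

    The header is honoured only when the TCP peer is a listed proxy, and then
    the right-most entry is used, since that is the one the proxy appended.
    """
    if not conf.get("reverse_proxy") or not x_forwarded_for:
        return remote_addr
    trusted = {ipaddress.ip_address(a) for a in conf.get("reverse_proxy_addresses", [])}
    if ipaddress.ip_address(remote_addr) not in trusted:
        return remote_addr  # direct client: the header is client-controlled
    candidate = x_forwarded_for.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr  # malformed entry: fall back to the TCP peer


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header value)
    for peer, xff in [
        ("203.0.113.9", "127.0.0.1"),             # direct client, forged header
        ("10.0.0.1", "198.51.100.7"),             # via reverse proxy host A
        ("10.0.0.2", "127.0.0.1, 198.51.100.7"),  # forged prefix, proxy appended real IP
    ]:
        print(peer, "|", xff, "->", naive_client_ip(peer, xff), "vs", client_ip(peer, xff, CONF))
```

With the allow-list in place, a header sent straight to the web server is ignored, so IP-based logging and access rules see the real peer address.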

Configuring Squid to observe Pressflow's authentication headers

  1. Install the basic configuration below.

    • For Squid 3.0 on Ubuntu 8.04:

      /etc/squid3/squid.conf

      # Basic parameters
      visible_hostname www1.causecast.org

      # This line indicates the server we will be proxying for
      http_port 80 accel defaultsite=causecast.org

      # And the IP Address for it
      cache_peer 127.0.0.1 parent 8080 0 no-query originserver

      # Memory and cache files
      cache_dir ufs /var/spool/squid3 10000 16 256
      cache_mem 256 MB
      maximum_object_size_in_memory 32 KB

      # Basic ACLs
      acl manager proto cache_object
      acl localhost src 127.0.0.1/255.255.255.255
      acl to_localhost dst 127.0.0.0/8
      acl Safe_ports port 80
      acl purge method PURGE
      acl CONNECT method CONNECT

      http_access allow manager localhost
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !Safe_ports
      http_access allow localhost
      http_access allow all
      http_access deny all
      http_reply_access allow all
      icp_access allow all

      cache_effective_group proxy
      coredump_dir /var/spool/squid
      emulate_httpd_log on
      redirect_rewrites_host_header off
      buffered_logs on

      # Observe Pressflow authentication headers
      #acl cookie_logged_in_set rep_header Set-Cookie LOGGED_IN=Y
      #cache deny cookie_logged_in_set
      #acl cookie_logged_in_out rep_header Cookie LOGGED_IN=Y
      #cache deny cookie_logged_in_out
      #acl cookie_logged_in req_header Cookie LOGGED_IN=Y
      #cache deny cookie_logged_in

      # Don't cache "HTTP/1.1 403 Forbidden" responses
      acl forbidden http_status 403
      cache deny forbidden

    • For pre-Squid 3.0 on CentOS 5:

      /etc/squid/squid.conf

      # Basic parameters
      visible_hostname localhost

      # This line indicates the server we will be proxying for
      http_port 80 accel defaultsite=pressflow.example.com

      # And the IP Address for it
      cache_peer 10.0.1.1 parent 80 0 no-query originserver

      acl apache rep_header Server ^Apache
      broken_vary_encoding allow apache

      # Where the cache files will be, memory and such
      cache_dir ufs /var/spool/squid 10000 16 256
      cache_mem 256 MB
      maximum_object_size_in_memory 32 KB

      # Log locations and format
      logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
      logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
      access_log /var/log/squid/access.log squid
      cache_log /var/log/squid/cache.log
      cache_store_log /var/log/squid/store.log
      hosts_file /etc/hosts

      # Basic ACLs
      acl all src 0.0.0.0/0.0.0.0
      acl mydomain dstdomain .example.com
      acl manager proto cache_object
      acl localhost src 127.0.0.1/255.255.255.255
      acl to_localhost dst 127.0.0.0/8
      acl Safe_ports port 80
      acl purge method PURGE
      acl CONNECT method CONNECT

      http_access allow manager localhost
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !Safe_ports
      http_access allow localhost
      http_access allow all
      http_access allow mydomain
      http_access deny all
      http_reply_access allow all
      icp_access allow all

      cache_effective_group proxy
      coredump_dir /var/spool/squid
      forwarded_for on
      emulate_httpd_log on
      redirect_rewrites_host_header off
      buffered_logs on

      # Observe Pressflow authentication headers
      acl cookie_logged_in_set rep_header Set-Cookie LOGGED_IN=Y
      cache deny cookie_logged_in_set
      acl cookie_logged_in_out rep_header Cookie LOGGED_IN=Y
      cache deny cookie_logged_in_out
      acl cookie_logged_in req_header Cookie LOGGED_IN=Y
      cache deny cookie_logged_in

      # Don't cache "HTTP/1.1 403 Forbidden" responses
      acl forbidden http_status 403
      cache deny forbidden

  2. Replace pressflow.example.com with the site you're proxying to.

  3. Replace 10.0.1.1 with the IP address of the Apache server you're proxying to.
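
In the listings above, the three LOGGED_IN rules are commented out in the Squid 3.0 file and active in the pre-3.0 file. The following added example (not part of the original page, Pressflow or Squid) reads a squid.conf and reports which of those `cache deny` rules are actually in effect; the function names are hypothetical and the two samples are constructed from the tail of each listing.

```python
# Constructed excerpt: the "authentication headers" tail of the Squid 3.0 listing.
SQUID3_TAIL = """\
# Observe Pressflow authentication headers
#acl cookie_logged_in_set rep_header Set-Cookie LOGGED_IN=Y
#cache deny cookie_logged_in_set
#acl cookie_logged_in_out rep_header Cookie LOGGED_IN=Y
#cache deny cookie_logged_in_out
#acl cookie_logged_in req_header Cookie LOGGED_IN=Y
#cache deny cookie_logged_in
acl forbidden http_status 403
cache deny forbidden
"""
# Pre-3.0 tail: the same lines with the leading "#" removed from the six rule lines.
PRE3_TAIL = "\n".join(
    ln[1:] if ln.startswith(("#acl", "#cache")) else ln for ln in SQUID3_TAIL.splitlines()
)

# The three places the page's rules look for LOGGED_IN=Y: (acl type, header name).
EXPECTED = {("rep_header", "Set-Cookie"), ("rep_header", "Cookie"), ("req_header", "Cookie")}


def active_cache_denies(conf_text):
    """Return {acl_name: definition or None} for every uncommented `cache deny`."""
    acls, denied = {}, []
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment line
        if parts[0] == "acl" and len(parts) >= 3:
            acls[parts[1]] = parts[2:]
        elif parts[:2] == ["cache", "deny"]:
            denied.extend(parts[2:])
    return {name: acls.get(name) for name in denied}


def missing_logged_in_rules(conf_text):
    """List the (acl type, header) pairs with no active LOGGED_IN cache-deny rule."""
    covered = set()
    for definition in active_cache_denies(conf_text).values():
        if definition and len(definition) >= 3 and "LOGGED_IN" in definition[2]:
            covered.add((definition[0], definition[1]))
    return sorted(EXPECTED - covered)


if __name__ == "__main__":
    for label, text in [("Squid 3.0 listing", SQUID3_TAIL), ("pre-3.0 listing", PRE3_TAIL)]:
        print(label, "-> missing:", missing_logged_in_rules(text))
```

A non-empty result means the proxy has no cookie-based rule keeping signed-in traffic out of the cache, so check which mechanism your Pressflow release relies on before deploying that file.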