reverse proxy

Owned by Former user (Deleted)
Last updated: Aug 22, 2011 by AnonymousVersion comment
3 min read

y

These instructions are in need of freshening for current Pressflow releases. There is no longer a LOGGED_IN cookie. Now, only authenticated users (and certain types of interactive anonymous users) should have a session cookies.

Configuring Pressflow to work with your reverse proxy servers

  1. Edit settings.php.
  2. Add the following to your $conf array, keeping any other settings there:
    settings.php (excerpt)
    $conf = array(
    'reverse_proxy' => TRUE,
    'reverse_proxy_addresses' => array(
      '10.0.0.1', // Reverse proxy host A
      '10.0.0.2', // Reverse proxy host B
      '10.0.0.3', // Reverse proxy host C
      [...]
    ),
  );
  3. Configure the "reverse_proxy_addresses" array to contain the IP addresses of your reverse proxy servers. This will allow Pressflow to only accept genuine "X-Forwarded-For" headers from your reverse proxy server(s).
  4. Enable Drupal's page cache in admin/settings/performance as follows:
    1. Set the Caching Mode to External.
    2. Set the Page Cache Maximum Age to an appropriate value (anything over 0).
  5. Test your configuration:
    1. Sign out.
    2. Install the Live HTTP Headers extension for Firefox and start viewing headers.
    3. Sign in, and look for the "LOGGED_IN" cookie being received in your HTTP headers.
    4. Click on another page, and check that the "LOGGED_IN" is being sent.
    5. Sign out, and look for the "LOGGED_IN" cookie being received with an expired date in your HTTP headers.
    6. Click on another page, and check that the "LOGGED_IN" is not being sent.

Configuring Squid to observe Pressflow's authentication headers

  1. Install the basic configuration below.
    • For Squid 3.0 on Ubuntu 8.04:
      /etx/squid3/squid.conf
      # Basic parameters
visible_hostname www1.causecast.org
# This line indicates the server we will be proxying for
http_port 80 accel defaultsite=causecast.org
# And the IP Address for it
cache_peer 127.0.0.1 parent 8080 0 no-query originserver
# Memory and cache files
cache_dir ufs /var/spool/squid3 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 32 KB
# Basic ACLs
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 80
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_access allow all
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid
emulate_httpd_log on
redirect_rewrites_host_header off
buffered_logs on
# Observe Pressflow authentication headers
#acl cookie_logged_in_set rep_header Set-Cookie LOGGED_IN=Y
#cache deny cookie_logged_in_set
#acl cookie_logged_in_out rep_header Cookie LOGGED_IN=Y
#cache deny cookie_logged_in_out
#acl cookie_logged_in     req_header Cookie LOGGED_IN=Y
#cache deny cookie_logged_in

# Don't	cache "HTTP/1.1 403 Forbidden" responses
acl forbidden http_status 403
cache deny forbidden
    • For pre-Squid 3.0 on CentOS 5:
      /etc/squid/squid.conf
      # Basic parameters
visible_hostname localhost
# This line indicates the server we will be proxying for
http_port 80 accel defaultsite=pressflow.example.com
# And the IP Address for it
cache_peer 10.0.1.1 parent 80 0 no-query originserver
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# Where the cache files will be, memory and such
cache_dir ufs /var/spool/squid 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 32 KB
# Log locations and format
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
hosts_file /etc/hosts
# Basic ACLs
acl all src 0.0.0.0/0.0.0.0
acl mydomain dstdomain .example.com
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 80
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_access allow all
http_access allow mydomain
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid
forwarded_for on
emulate_httpd_log on
redirect_rewrites_host_header off
buffered_logs on
# Observe Pressflow authentication headers
acl cookie_logged_in_set rep_header Set-Cookie LOGGED_IN=Y
cache deny cookie_logged_in_set
acl cookie_logged_in_out rep_header Cookie LOGGED_IN=Y
cache deny cookie_logged_in_out
acl cookie_logged_in     req_header Cookie LOGGED_IN=Y
cache deny cookie_logged_in

# Don't	cache "HTTP/1.1 403 Forbidden" responses
acl forbidden http_status 403
cache deny forbidden
  2. Replace pressflow.example.com with the site you're proxying to.
  3. Replace 10.0.1.1 with the IP address of the Apache server you're proxying to.