There are nice open source proxy servers out there. After some quick research, I picked Apache Traffic Server for my proxy server projects, both forward proxy and reverse proxy.
This document provides basic installation steps, tips and troubleshooting.
1. Required packages
Ubuntu 13.10
- pkgconfig (apt package name: pkg-config)
- libtool
- gcc (>= 4.3 or clang > 3.0)
- make (GNU Make!)
- openssl
- tcl
- expat
- pcre (libpcre3-dev)
- libcap (libcap-dev)
- flex (for TPROXY)
- bison
- hwloc
- lua (lua5.2)
- curses
- curl
- libhwloc-dev
- libboost-all-dev
ex) sudo apt-get install pkg-config
CentOS 6.5
- gcc
- gcc-c++
- pkgconfig
- pcre-devel
- tcl-devel
- expat-devel
- openssl-devel
- libcap
- libcap-devel
- hwloc
- hwloc-devel
- perl-ExtUtils-MakeMaker
- libunwind
- libunwind-devel
- autoconf
- automake
- libtool
ex) yum install pkgconfig
2. If you want to use git clone, you need the packages below.
- git and git-core
- autoconf
- automake
git clone https://git-wip-us.apache.org/repos/asf/trafficserver.git
3. Download Apache Traffic Server 4.1.2
wget http://apache.claz.org/trafficserver/trafficserver-4.1.2.tar.bz2
4. Extract
tar xf trafficserver-4.1.2.tar.bz2
5. Change into the extracted directory
cd trafficserver-4.1.2
6. Install
./configure
make check
sudo make install
7. Modify configuration file
Open the /etc/ld.so.conf file and add the line below
include /usr/local/libexec/trafficserver
7-1. For the "Forward Proxy", modify the /usr/local/etc/trafficserver/records.config file
CONFIG proxy.config.url_remap.remap_required INT 0 (changed from 1)
If your proxy is serving as a pure forward proxy, you will also want to set
CONFIG proxy.config.reverse_proxy.enabled INT 0 (changed from 1)
Other related settings:
CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
CONFIG proxy.config.http.forward.proxy_auth_to_parent INT 0
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
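A way to confirm which mode the settings in 7-1 actually produce, as an added example that is not part of the original write-up or of Traffic Server itself. The function names, the mode labels and the sample file are assumptions made for illustration; the defaults of 1 are taken from the "1 to 0" wording above.

```shell
#!/bin/sh
# Added example: read records.config and report which proxy mode the
# settings from step 7-1 produce.
# Line format as shown on this page: CONFIG <name> <TYPE> <value>

# records_get FILE NAME DEFAULT -> value of NAME, or DEFAULT when it is not set.
# Assumption: if a name appears twice, the last line is the one reported.
records_get() {
    awk -v name="$2" -v val="$3" '
        $1 == "CONFIG" && $2 == name && NF >= 4 { val = $4 }
        END { print val }
    ' "$1"
}

# proxy_mode FILE -> "remap-only", "forward" or "mixed" (labels are hypothetical)
proxy_mode() {
    remap=$(records_get "$1" proxy.config.url_remap.remap_required 1)
    rev=$(records_get "$1" proxy.config.reverse_proxy.enabled 1)
    if [ "$remap" = "1" ]; then
        echo remap-only       # only requests matching remap.config are served
    elif [ "$rev" = "0" ]; then
        echo forward          # pure forward proxy, as described in 7-1
    else
        echo mixed            # remap rules optional, reverse proxy still on
    fi
}

# Constructed sample file, not a real records.config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# comment lines are ignored
CONFIG proxy.config.url_remap.remap_required INT 0
CONFIG proxy.config.reverse_proxy.enabled INT 0
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
EOF

mode=$(proxy_mode "$sample")
echo "proxy mode: $mode"
if [ "$mode" != "remap-only" ]; then
    echo "note: unmapped requests are proxied; restrict who can reach the listen port"
fi
```

Point the functions at /usr/local/etc/trafficserver/records.config to check a live installation.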
7-2. For the "Reverse Proxy", modify records.config and remap.config files
7-2-1. /usr/local/etc/trafficserver/records.config
CONFIG proxy.config.http.server_port INT 80
CONFIG proxy.config.proxy_name STRING svr1.tecadmin.net
CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
7-2-2. /etc/trafficserver/remap.config
map http://svr1.tecadmin.net:80/ http://localhost:82/
reverse_map http://localhost:82/ http://svr1.tecadmin.net/
7-3. Caching file setup
Modify the file "storage.config" (in this case under /usr/local/etc/trafficserver)
Add the statement below for a 5GB cache file. The cache.db file will be created under that directory.
/usr/local/etc/trafficserver 5000M
8. Refresh the shared library cache so the ld.so.conf change takes effect
sudo ldconfig
9. Start and stop.
sudo trafficserver start | stop | restart
or
service trafficserver start | stop | restart
traffic_line -x   <- soft reset.
Ex) Once Apache Traffic Server is running correctly, you will see output like the below.
[root@TS-Srv-CentOS trafficserver]# service trafficserver restart
Stopping traffic_cop: [ OK ]
Stopping traffic_manager: [ OK ]
Stopping traffic_server: [ OK ]
Starting Apache Traffic Server: [ OK ]
9-1. To make Traffic Server start at boot:
chkconfig trafficserver on
10. Statistics
[root@TS-Srv-CentOS trafficserver]# traffic_logstats -s | more
:
:
Totals (all Origins combined)
Request Result        Count   Percent      Bytes   Percent
----------------------------------------------------------
Cache hit                34     3.53%   739.67KB     0.30%
Cache hit IMS             0     0.00%     0.00KB     0.00%
Cache hit refresh       254    26.35%   231.60KB     0.09%
Cache hit other           0     0.00%     0.00KB     0.00%
Cache hit total         288    29.88%   971.27KB     0.39%
Cache miss              461    47.82%    11.52MB     4.76%
Cache miss IMS           96     9.96%   186.89KB     0.08%
Cache miss refresh        1     0.10%     7.25KB     0.00%
Cache miss other          0     0.00%     0.00KB     0.00%
Cache miss total        558    57.88%    11.71MB     4.84%
Client aborted           66     6.85%   229.23MB    94.76%
Connect failed           14     1.45%     2.27KB     0.00%
Invalid request          22     2.28%     2.41KB     0.00%
Unknown error(99)        16     1.66%     0.00KB     0.00%
Other errors              0     0.00%     0.00KB     0.00%
Errors total            118    12.24%   229.23MB    94.77%
..........................................................
Total requests          964   100.00%   241.89MB   100.00%
:
[root@TS-Srv-CentOS trafficserver]# traffic_logstats -h   <- for help
* The above command reads stats from the file /usr/local/var/log/trafficserver/squid.blog
11. Tips
> All configuration files : /usr/local/etc/trafficserver
> All executable files : /usr/local/libexec/trafficserver
> Monitoring traffic & log files : var/log/trafficserver
> Install with Yum on CentOS.
CentOS/RHEL 6, 32 Bit:
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
CentOS/RHEL 6, 64 Bit:
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# yum install trafficserver (it will install Traffic Server ver.3.0.4)
12. Stats and verifying
To see host database statistics, try
# traffic_line -r proxy.process.hostdb.total_lookups
# traffic_line -r proxy.process.hostdb.total_hits
To see total DNS lookups
# traffic_line -r proxy.process.dns.total_dns_lookups
To see average lookup time (msec)
# traffic_line -r proxy.process.dns.lookup_avg_time
To see DNS successes
# traffic_line -r proxy.process.dns.lookup_successes
To see total DB lookups
# traffic_line -r proxy.process.hostdb.total_lookups
To see total DB hits
# traffic_line -r proxy.process.hostdb.total_hits
To see TTL time (min)
# traffic_line -r proxy.process.hostdb.ttl
To see cache hit just from disk and not ram:
# traffic_line -r proxy.process.cache.ram_cache.hits
To see live log
# traffic_logcat -f /usr/local/var/log/trafficserver/squid.blog
To purge entire cache
# traffic_server -Cclear
More:
# traffic_line -r proxy.process.http.cache_hit_fresh
# traffic_line -r proxy.process.http.cache_hit_revalidated
# traffic_line -r proxy.process.http.cache_hit_ims
# traffic_line -r proxy.process.http.cache_hit_stale_served
# traffic_line -r proxy.process.http.cache_miss_cold
# traffic_line -r proxy.process.http.cache_miss_changed
# traffic_line -r proxy.process.http.cache_miss_not_cacheable
# traffic_line -r proxy.process.http.cache_miss_client_no_cache
# traffic_line -r proxy.process.http.cache_miss_ims
>Events of Log::error()
# traffic_line -r proxy.process.log.event_log_error_ok
# traffic_line -r proxy.process.log.event_log_error_skip
# traffic_line -r proxy.process.log.event_log_error_aggr
# traffic_line -r proxy.process.log.event_log_error_full
# traffic_line -r proxy.process.log.event_log_error_fail
>Events for Log::access()
# traffic_line -r proxy.process.log.event_log_access_ok
# traffic_line -r proxy.process.log.event_log_access_skip
# traffic_line -r proxy.process.log.event_log_access_aggr
# traffic_line -r proxy.process.log.event_log_access_full
# traffic_line -r proxy.process.log.event_log_access_fail
>Logging Data to/from network/disk
# traffic_line -r proxy.process.log.num_sent_to_network
# traffic_line -r proxy.process.log.num_received_from_network
# traffic_line -r proxy.process.log.num_flush_to_disk
# traffic_line -r proxy.process.log.bytes_sent_to_network
# traffic_line -r proxy.process.log.bytes_received_from_network
# traffic_line -r proxy.process.log.bytes_flush_to_disk
# traffic_line -r proxy.process.log.bytes_written_to_disk
# traffic_line -r proxy.process.log.log_files_open
# traffic_line -r proxy.process.log.log_files_space_used
> Error & ignore mismatch
# traffic_line -r proxy.config.http.cache.ignore_accept_mismatch
# traffic_line -r proxy.config.http.cache.ignore_accept_language_mismatch
# traffic_line -r proxy.config.http.cache.ignore_accept_encoding_mismatch
# traffic_line -r proxy.config.http.cache.ignore_accept_charset_mismatch
13. Troubleshooting
13-1. If you can browse your Apache Traffic Server locally but not from outside, check the firewall settings in /etc/sysconfig/iptables.
The CentOS 6.5 default iptables configuration is
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Add the statements below, placing them before the -A INPUT -j REJECT line so that they are evaluated.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
You could block icmp with the statement below.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Don't forget to restart the service
service iptables restart
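Rules in the INPUT chain are evaluated top to bottom, so an ACCEPT added after the catch-all REJECT never matches. The check below is an added example, not part of the original troubleshooting notes; the function name and the sample rules file are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the port ACCEPT rules in an iptables rules file
# (the /etc/sysconfig/iptables format shown above) as reachable or not.

# classify_rules FILE -> one line per INPUT ACCEPT rule with --dport:
#   "live <port>"  rule is evaluated before any catch-all REJECT/DROP
#   "dead <port>"  rule sits after a catch-all and can never match
classify_rules() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            # Catch-all: the target follows the chain name with no match options.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { shadowed = 1; next }
            if ($0 !~ /-j ACCEPT/) next
            for (i = 3; i < NF; i++)
                if ($i == "--dport") {
                    state = shadowed ? "dead" : "live"
                    print state, $(i + 1)
                }
        }
    ' "$1"
}

# Constructed sample: port 80 was inserted correctly, port 8080 was appended
# after the REJECT line by mistake.
rules=$(mktemp)
cat > "$rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF

classify_rules "$rules"
```

Run it against /etc/sysconfig/iptables before restarting the service; any "dead" line means that port is still blocked from outside.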
13-2. Is the httpd/Apache service required for Apache Traffic Server (ATS)?
Not necessarily, but it helps when you test connectivity and ports.