Multi-stage Proxy server on AWS EC2 with Squid
SaaS is all the rage, and sometimes you want to use SaaS proxies from your internal network.
We will show you how to set up a quick proxy server in AWS and implement a multi-stage proxy configuration.
Set up EC2 in AWS
First, prepare a server on AWS to set up a proxy server.
You can quickly create it on AWS.
If you get used to it, you can build an EC2 server in less than 30 minutes, but it can be a little tricky at first, so I will briefly describe some key points. Before building the server, you will need to create an Internet gateway and routing table in advance to assign a virtual private cloud and global IP. It is like creating a zone or configuring a router.
Point 1: Build a VPC (Virtual Private Cloud).
Point 2: Create an Internet gateway.
Point 3: Build a route table.
Point 4: Run Cent OS on an EC2 instance. The t2.micro within the free framework is enough to try it out.
Don’t forget to enable automatic assignment of public IPs in the network settings.
Security groups allow ssh traffic.
From your terminal, specify the ssh.key with the -i option and connect using ssh.
If you can connect, it is OK. I tried it with my smartphone and was able to access the site in less than 30 minutes.
ssh -i xxx.pem email@example.com
Build a Squid server and put in the settings for multistage proxying.
Install squid on Cent OS.
# yum -y install squid
Change the configuration of squid to a multi-level proxy setting.
Add a never_direct setting to the “/etc/squid/squid.conf" configuration to prevent direct access. In addition, add a FQDN setting in cache_peer to indicate the parent proxy server. The [FQDN] portion should be the domain name of the SaaS server that provides the proxy service.
If you do not include never_direct, the server may be accessed directly without going through the parent proxy server, so be sure to include the never_direct setting as well.
never_direct allow all cache_peer [FQDN] parent 8080 0 no-query
On the other hand, if you put always_direct allow all, the web server will always be accessed directly, without going through the parent proxy server, and you can use different ACLs to set up some communications without multistage proxying and some communications with multistage proxying. The ACLs can be used in different ways.
This is a brief description of how to build EC2 on AWS and implement a multistage proxy configuration, including a SaaS proxy, with Squid.
If you want to use a multistage proxy configuration using SaaS, please give it a try.