Simple Plone Clustering with Squid and Pound
A simple Squid/Pound/Zope setup. Now you can do it without rewrite rules or redirector scripts and take advantage of squid acceleration and the scalability of ZEO.
There are many how-tos out there on how this is supposed to be set up, but each seems to be missing one part or adds extra complexity that isn't really needed.
- Pound is super simple to set up
- ZEO is a little more difficult
- Squid is the most complex
In this setup no redirector script is needed for Squid, since the mappings can be handled on the VirtualHostMonster mappings tab. Pound and Squid have to run on the same port but on different interfaces so that the URL rewriting does the right thing: VirtualHostMonster itself won't rewrite the port unless some kind of rewriting is done beforehand. This is OK, since we can just bind Pound to the loopback interface and Squid to the external interface.
Here is a copy of my squid.conf. Just replace @@my.domain.com@@ with the host name that you are serving and @@my_external_ip_address@@ with the external IP of your server:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Basic ACLs
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
acl ssl_ports port 443 563
acl safe_ports port 80 443
acl zope_servers src 127.0.0.2 127.0.0.1
acl manager proto cache_object
acl connect method connect
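# deny requests to unknown ports
http_access deny !safe_ports
# Purge access - zope servers can purge but nobody else.
# http_access stops at the first matching rule, so these lines must come
# before the accelerated-domain allow below; otherwise that allow would
# admit PURGE requests for the site from any client.
acl purge method PURGE
http_access allow zope_servers purge
http_access deny purge
# Accelerated site - requests for our own domain on the accelerator ports
acl accelerated_protocols proto http https
acl accelerated_domains dstdomain @@my.domain.com@@
acl accelerated_ports myport 80 443
http_access allow accelerated_domains accelerated_ports accelerated_protocols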
# Reply access
http_reply_access allow all
# Cache manager setup - cache manager can only connect from localhost
# only allow cache manager access from localhost
http_access allow manager localhost
http_access deny manager
# deny connect to other than ssl ports
http_access deny connect !ssl_ports
# ICP access - only localhost can send ICP queries
icp_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
coredump_dir /usr/local/squid/cache
http_port @@my_external_ip_address@@:80
httpd_accel_host 127.0.0.1
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
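
Squid checks http_access rules from top to bottom and stops at the first match, so where the PURGE rules sit relative to the accelerated-domain allow decides who may purge the cache. The following added example (not part of the original how-to) models that first-match evaluation for two orderings; it assumes constructed client addresses, uses my.domain.com for the placeholder host, and reduces the accelerated allow to its domain ACL only.

```python
# Constructed model: ACL names follow the squid.conf above; the client
# addresses and the host "my.domain.com" are stand-ins for the placeholders.
ACLS = {
    "zope_servers": lambda r: r["src"] in ("127.0.0.1", "127.0.0.2"),
    "purge": lambda r: r["method"] == "PURGE",
    "accelerated_domains": lambda r: r["host"] == "my.domain.com",
    "all": lambda r: True,
}

# Ordering with the accelerated-domain allow ahead of the PURGE rules.
ALLOW_FIRST = """
http_access allow accelerated_domains
http_access allow zope_servers purge
http_access deny purge
http_access deny all
"""
# Ordering with the PURGE rules ahead of the accelerated-domain allow.
PURGE_FIRST = """
http_access allow zope_servers purge
http_access deny purge
http_access allow accelerated_domains
http_access deny all
"""

REQUESTS = [
    {"src": "127.0.0.1", "method": "PURGE", "host": "my.domain.com"},    # ZEO client
    {"src": "203.0.113.9", "method": "PURGE", "host": "my.domain.com"},  # outside client
    {"src": "203.0.113.9", "method": "GET", "host": "my.domain.com"},    # normal visitor
    {"src": "203.0.113.9", "method": "GET", "host": "other.example"},    # foreign host
]

def decide(rules, request):
    """Return (action, rule) for the first http_access line whose ACLs all match."""
    last = "allow"  # with no rules at all, access is denied
    for line in rules.strip().splitlines():
        _, action, *names = line.split()
        # Every ACL on a line must match (AND); a leading "!" negates one.
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action, line
        last = action
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return ("deny" if last == "allow" else "allow"), None

def verdicts(rules):
    return [decide(rules, r)[0] for r in REQUESTS]

if __name__ == "__main__":
    for name, rules in (("allow first", ALLOW_FIRST), ("purge first", PURGE_FIRST)):
        print(name, verdicts(rules))
```

With the allow first, the outside client's PURGE is accepted by the domain rule before the purge rules are ever consulted; with the purge rules first it is denied, and the request for a foreign host is denied in both orderings.
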
The Pound 1.X config is also simple:
ListenHTTP 127.0.0.1,80
User zope
Group zope
LogLevel 1
UrlGroup ".*"
BackEnd 127.0.0.1,51003,1
BackEnd 127.0.0.1,51004,1
EndGroup
Here is the same thing for pound 2.X:
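User "zope"
Group "zope"
ListenHTTP
    Address 127.0.0.1
    # Same port as Squid (httpd_accel_port 80), bound to the loopback interface
    Port 80
    xHTTP 2
End
Service
    BackEnd
        Address 127.0.0.1
        Port 51003
    End
    BackEnd
        Address 127.0.0.1
        Port 51004
    End
    # Keep a logged-in user on the same ZEO client via the __ac cookie
    Session
        Type COOKIE
        ID "__ac"
        TTL 300
    End
End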
All that is left is to configure 2 ZEO Clients and a ZEO Storage Server to answer the requests. In one of the ZEO Clients go into the root VirtualHostMonster and on the mappings tab add one entry per domain name and site you want to serve.

!!!!! WARNING !!!!
If anyone changes their proxy settings in their browser to www.your-plone-server.com they will then be able to surf the net via your server, thereby masking their own identity and also avoiding their own company firewall, chewing through your bandwidth in the process.
What you should do is change the http_access deny to_localhost to allow if you're running pound on the same box, as this will then only allow requests to be proxied if their final destination is your own server.