[squid-users] Squid reverse proxy in http > https mode

Amos Jeffries squid3 at treenet.co.nz
Tue Aug 18 17:10:14 UTC 2015

On 19/08/2015 3:18 a.m., Veiko Kukk wrote:
> Hi
> I'm trying to get most optimized solution for caching objects of cloud
> storage.
> The data flow I'd like to achieve is: http client <http> squid reverse
> mode cache <https> remote https storage server

Squid does support gatewaying HTTP to servers over TLS/SSL. That part is
  cache_peer example.com parent 443 0 originserver ssl

That will effectively take http:// or https:// traffic and convert it to
solely https:// for the origin server.

https:// is forbidden to be sent around un-encrypted. So getting that
traffic to Squid un-encrypted is near impossible.

> Common scenarios/examples of accel mode http(s) port include opposite
> direction of traffic encryption/decryption, client connecting via https
> and backend servers (cache_peer) being http. In my case client connects
> via localhost and to reduce cpu load, I'd like to have this connection
> without encryption and start encryption only when data leaves local
> squid to parent cache_peer, because this remote server speaks https only.
> Is this possible with squid?

That is up to the client software, but in almost all cases no. You have
to have an HTTPS listening port.

> Another related question is: when cache_peer hostname is dns name that
> resolves into multiple ip addresses, then how does squid act? Does it
> resolve it once and use first ip address or all addresses in round robin,
> or does it resolve every time cache_peer is accessed?

It resolves AAAA and A once per DNS TTL as is proper to ensure it has an
up to date and accurate IP list.

IPv6 results are sorted for preference over IPv4 results. Unless
dns_v4_first is configured to reverse the preference order. In
accordance with BCP 177.

That cache_peer's IP list is appended to the full list of potential
destination IPs along with any other sources which may be used.

Then TCP connection setup is tried sequentially down the full list of
destinations. Whichever IP is listed first and responds is used.

> What happens if
> one of the addresses is not accessible?

It gets marked as bad/unavailable and the next one on the available list
is tried.

> I have checked documentation but
> did not find any explanation on that topic.

The DNS parts are simply how DNS is supposed to work. Nothing special
about Squid.
