[squid-users] Accessing cache_peer siblings with ssl for reverse proxy

Veiko Kukk vkukk at xvidservices.com
Tue Oct 6 14:11:38 UTC 2015

Hi everyone,

I have successfully set up a reverse proxy and ICP communication between 
siblings. I'd like to encrypt cache sharing between siblings, but cannot 
figure out the optimal solution for this. I have not found in the 
documentation how to do SSL encryption between cache_peer hosts so that 
cache objects are transferred securely over the Internet.

It works like this: a local HTTP client connects to Squid with plain HTTP, 
Squid acts as an HTTPS client for the remote server, fetches objects and stores 
them in its cache. The question is, how to fetch objects from sibling 
caches with SSL and minimal overhead?

My current test system configuration (hostnames replaced with foobar; 
the second test sibling just has the y.y.y.y IP address in its configuration):

cache_effective_user squid
cache_effective_group squid

http_port 3128 accel vhost

cache_peer foo.bar.tld parent 443 0 no-query no-digest originserver ssl 
sslversion=6 name=foo-1

cache_peer_domain foo-1 .foo.bar.tld

icp_port 3130

cache_peer x.x.x.x sibling 3128 3130 proxy-only

maximum_object_size 64 MB

cache_mem 4 GB

forwarded_for transparent

refresh_pattern -i cgi-bin 0 0% 0
refresh_pattern -i ^http:\/\/AUTH_.*squid.internal.* 2880 100% 10080 
refresh_pattern . 0 20% 4320

acl foobar_storage dstdomain .bar.tld
acl sibling_list src x.x.x.x/32

http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow sibling_list
http_access deny all

cache_peer_access foo-1 allow foobar_storage
cache_peer_access foo-1 deny all

icp_access allow sibling_list

cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid/ssd 65536 16 256 min-size=0 max-size=1MB

cache_dir aufs /var/cache/squid 1000000 64 256 min-size=1MB

coredump_dir /var/spool/squid

store_id_program /usr/lib64/squid/storeid_file_rewrite 
store_id_children 20 startup=2
store_id_access allow foobar_storage
store_id_access deny all

foo.bar.tld is the remote storage service.

Thanks in advance,
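As an added example (not part of the original post, and not taken from the poster's setup), the fragment below shows the shape a TLS-protected sibling link takes with Squid 3.x option names: each sibling additionally listens on an https_port, and the cache_peer line for the sibling points at that port with the ssl option so the object fetch is verified and encrypted. The hostname sibling2.example.tld, port 3129 and all certificate paths are assumptions. The same block, with the roles swapped, goes on the other sibling.

```conf
# Added example, not the poster's configuration. Squid 3.x option names.
# Hostnames, port 3129 and certificate paths are assumptions.

# Keep the existing plain accel port for local clients.
http_port 3128 accel vhost

# Additional TLS listener used only by the sibling.
# cert/key: this host's server certificate and private key (assumed paths).
https_port 3129 accel vhost cert=/etc/squid/certs/this-sibling.pem key=/etc/squid/certs/this-sibling.key

# Sibling fetches now go to the sibling's https_port over TLS.
# sslcafile: the CA that issued the sibling's certificate, so the peer
# certificate is verified instead of accepted blindly (do not use
# sslflags=DONT_VERIFY_PEER here, it removes that check).
# sslversion=6 restricts the connection to TLSv1.2 in Squid 3.5, the same
# value the poster already uses on the origin server peer.
# ICP on UDP 3130 is unchanged and is NOT encrypted: it carries only the
# URL being queried, never the object itself.
cache_peer sibling2.example.tld sibling 3129 3130 proxy-only ssl sslversion=6 sslcafile=/etc/squid/certs/sibling-ca.pem

# The existing sibling_list acl and http_access rules still gate who may
# use the new listener; only the sibling's source address should match.
acl sibling_list src y.y.y.y/32
http_access allow sibling_list
```

The TLS listener protects the object transfer only. ICP hit/miss queries stay cleartext UDP, so a passive observer on the path still sees which URLs a sibling is asking about; if that is a concern, the sibling can instead be located via cache digests (add no-query to the sibling's cache_peer line and leave digests enabled), which Squid fetches from the peer over the same HTTP connection and therefore inside the TLS session.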
