[squid-users] Reverse proxy caching from SSL cache_peer depending on urlpath_regex
squid3 at treenet.co.nz
Fri Oct 9 01:11:32 UTC 2015
On 9/10/2015 11:42 a.m., Manuel wrote:
> I am thinking about the idea of using Squid as a reverse proxy on https
> (also on http), doing some caching and connecting to an SSL cache_peer and a
> non-SSL cache_peer depending on the address (e.g. login-related addresses
> would use the SSL cache_peer).
> The goal is to make the browsing experience of the website faster by not
> encrypting and decrypting, on both the reverse proxy and the webserver,
> requests that do not need to be secured on the reverse proxy-webserver side.
> Of course this could be done too on part of the server-client connections,
> but it would cause a lot of problems such as web browser alerts when changing
> from HTTPS to HTTP, similar alerts because of partial content on HTTPS, HTTP
> would be worse for SEO too, safety risks sending login POST data from HTTP
> to HTTPS, etc.
> This approach makes me wonder the following questions and I would like to
> confirm my thoughts:
> - Can Squid acting as a reverse proxy deal with caching with SSL in the same
> way it can without SSL? In any combination: https_port accel and
> cache_peer ssl; https_port accel and cache_peer (not ssl); http_port accel
> and cache_peer ssl; http_port and cache_peer (not ssl)?
> My understanding is that, yes, it can, and that Squid gets the content
> from the cache_peer (encrypted if ssl), decrypts it if encrypted and always
> stores it unencrypted. Am I right?
> - Can Squid use an SSL cache_peer just for specific addresses of the same
> website/domain and a non-SSL cache_peer for the rest of the addresses on the
> same website/domain?
> My understanding is that such a thing would be possible by setting those two
> differently named cache_peers, one on port 443 with the ssl option and the
> other on port 80, and then using acl urlpath_regex to choose which cache_peer
> to use. Is that correct?
Yes, and no. There is no complication about whether things have arrived
over a TCP connection vs TLS connection. They are just connections with
different URL schemes to a reverse-proxy. The client and server
connections in HTTP are independent.
Caching depends only on the message itself. What type of connection it
was received over is irrelevant.
1) TLS (or SSL) is just a transport protocol to Squid, like TCP.
2) HTTPS is just HTTP transferred over a TLS connection.
All your questions come back to those details.
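As an added example that is not part of the thread, a squid.conf fragment for the setup Manuel describes: one TLS peer and one plain peer for the same origin, selected per request by a urlpath_regex ACL. It assumes Squid 3.5-era cache_peer ssl options; the hostnames, certificate paths and URL patterns are placeholders.

```conf
# Added example (not from the thread). Hostnames, certificate paths and
# URL patterns are placeholders chosen for illustration.

# Client-facing listeners: the reverse proxy terminates TLS itself, and
# caches the decrypted HTTP messages regardless of which listener they hit.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/certs/www.example.com.crt \
    key=/etc/squid/certs/www.example.com.key
http_port 80 accel defaultsite=www.example.com

# Two named peers for the same origin host: a TLS leg on 443 and a plain
# leg on 80. sslcafile/ssldomain make Squid verify the origin certificate
# rather than accept any certificate (do not use sslflags=DONT_VERIFY_PEER).
# The plain leg only makes sense on a network segment you trust end to end.
cache_peer origin.internal parent 443 0 no-query originserver name=origin_tls \
    ssl sslcafile=/etc/squid/certs/internal-ca.pem ssldomain=origin.internal
cache_peer origin.internal parent 80 0 no-query originserver name=origin_plain

# Paths that carry credentials or session-sensitive data (placeholder list).
acl sensitive_paths urlpath_regex -i ^/(login|logout|account|checkout)($|[/?])

# Squid picks the first peer whose cache_peer_access rules allow the request:
# sensitive paths go over TLS to the origin, everything else in the clear.
cache_peer_access origin_tls allow sensitive_paths
cache_peer_access origin_tls deny all
cache_peer_access origin_plain deny sensitive_paths
cache_peer_access origin_plain allow all

# Only serve the accelerated site, and always through a peer, never direct.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
never_direct allow all
```

Whether a given response is stored is decided by the HTTP message (Cache-Control, Expires, Vary and so on), not by which of the two peers delivered it.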