[squid-users] Reverse proxy caching from SSL cache_peer depending on urlpath_regex

Amos Jeffries squid3 at treenet.co.nz
Fri Oct 9 01:11:32 UTC 2015


On 9/10/2015 11:42 a.m., Manuel wrote:
> Hi,
> 
> I am thinking about the idea of using Squid as a reverse proxy on https
> (also on http), doing some caching and connecting to a SSL cache_peer and a
> non SSL cache_peer depending on the address (e.g. login related addresses
> would use the SSL cache_peer).
> 
> The goal is to make the browsing experience of the website faster by not
> encrypting and decrypting, on both the reverse proxy and the webserver,
> requests that do not need to be secured on the reverse proxy-webserver side.
> Of course this could be done too on part of the server-client connections,
> but it would give a lot of problems such as web browser alerts when changing
> from HTTPS to HTTP, similar alerts because of partial content on HTTPS, HTTP
> would be worse for SEO too, safety risks sending login POST data from HTTP
> to HTTPS, etc.
> 
> This approach raises the following questions, and I would like to
> confirm my thoughts:
> 
> - Can Squid acting as a reverse proxy deal with caching with SSL similarly
> to how it can do it without SSL? In any combination: https_port accel and
> cache_peer ssl; https_port accel and cache_peer (not ssl); http_port accel
> and cache_peer ssl; http_port and cache_peer (not ssl)?
> 
> My understanding is that, yes, it can do it and that Squid gets the content
> from the cache_peer (encrypted if ssl), decrypts it if encrypted and always
> stores it unencrypted. Am I right?
> 
> - Can Squid use a SSL cache_peer just for specific addresses of the same
> website/domain and a non SSL cache_peer for the rest of the addresses on the
> same website/domain?
> 
> My understanding is that such a thing would be possible setting those two
> different named cache_peers, one on port 443 with the ssl option and the
> other on port 80; and then using acl urlpath_regex to choose what cache_peer
> to use. Is that correct?
> 

Yes, and no. There is no complication about whether things have arrived
over a TCP connection vs TLS connection. They are just connections with
different URL schemes to a reverse-proxy. The client and server
connections in HTTP are independent.

Caching depends only on the message itself. What type of connection it
was received over is irrelevant.


FYI:

1) TLS (or SSL) is just a transport protocol to Squid, like TCP.

2) HTTPS is just HTTP transferred over a TLS connection.

All your questions come back to those details.


Amos
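A squid.conf fragment for the setup Manuel describes, added here as an illustration rather than taken from the thread or from Squid's own documentation: the hostnames, certificate paths and the path patterns are assumptions, and the directive spelling is Squid 3.5's (the cache_peer `ssl` option became `tls` in Squid 4).

```conf
# Added example (not from the thread). Hostnames, ports, certificate paths
# and the path patterns below are assumptions for illustration only.

# Terminate client TLS on the reverse proxy; plain HTTP is accelerated too.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/certs/www.example.com.crt \
    key=/etc/squid/certs/www.example.com.key
http_port 80 accel defaultsite=www.example.com

# Two named peers pointing at the same origin: one over TLS, one over plain TCP.
# The origin's certificate is verified against an assumed internal CA bundle.
cache_peer origin.internal parent 443 0 no-query originserver ssl \
    sslcafile=/etc/squid/certs/internal-ca.pem name=origin_tls
cache_peer origin.internal parent 80 0 no-query originserver name=origin_plain

# Paths that must stay encrypted on the proxy-to-origin hop (assumed patterns).
acl sensitive_paths urlpath_regex -i ^/login ^/account

# Sensitive paths may only use the TLS peer; everything else uses the plain peer.
cache_peer_access origin_tls allow sensitive_paths
cache_peer_access origin_tls deny all
cache_peer_access origin_plain deny sensitive_paths
cache_peer_access origin_plain allow all

# Always go through a peer, never directly to the origin.
never_direct allow all

# Only serve the accelerated site.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
```

Responses from either peer are cached by the same rules, since cacheability is decided by the HTTP message (Cache-Control, Expires, Vary) and not by the transport it arrived over, which is Amos's point above.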
