[squid-users] Controlling Cache Peer

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 14 04:14:20 UTC 2016


On 14/11/2016 2:58 p.m., creditu wrote:
> I'm having trouble understanding how to configure an accelerator to
> handle multiple IPs and backend servers.  In the past we used virtual
> IPs and a redirector script to send the requests to a given backend.
> Now we need to change to cache peer statements. 

What you need is cache_peer_access as documented at
<http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting> and
<http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers>.


> 
> Given the following:
> 
> Squid listens on:
> 10.10.10.1 - www.example.com
> 10.10.10.2 - dev.example.com
> 
> For .1, there are 3 backend origin servers.
> For .2 there is only 1 backend origin server.
> 
> The following config (right now we need to handle both http and https):
> https_port 10.10.10.1:443 accel defaultsite=www.example.com cert=/etc/squid/www.crt key=/etc/squid/www.key
> http_port 10.10.10.1:80 accel defaultsite=www.example.com
> 
> # For www.example.com
> cache_peer 192.168.1.2 parent 80 0 no-query originserver round-robin
> cache_peer 192.168.1.3 parent 80 0 no-query originserver round-robin
> cache_peer 192.168.1.4 parent 80 0 no-query originserver round-robin
> 
> This seems to work fine for 10.10.10.1 (www.example.com), but I'm stuck
> on how to handle 10.10.10.2 (dev.example.com) and tell it to send
> requests coming in to a different cache_peer (cache_peer 192.168.0.1
> parent 80 0 no-query originserver)?

Use cache_peer_access to only permit the www.example.com dstdomain.

Like so:
 acl site1 dstdomain www.example.com

 cache_peer_access 192.168.1.2 allow site1
 cache_peer_access 192.168.1.2 deny all

 cache_peer_access 192.168.1.3 allow site1
 cache_peer_access 192.168.1.3 deny all

 cache_peer_access 192.168.1.4 allow site1
 cache_peer_access 192.168.1.4 deny all


> 
> Just guessing, but can I do something like this along with the above:
> https_port 10.10.10.2:443 accel defaultsite=dev.example.com cert=/etc/squid/www.crt key=/etc/squid/www.key
> http_port 10.10.10.2:80 accel defaultsite=dev.example.com
> 
> cache_peer 192.168.0.1 parent 80 0 no-query originserver
> 

Follow that with cache_peer_access like above, but allowing access only
to the dev.example.com domain.


> If so, I'm unsure how to do the ACLs to direct the traffic to the
> correct backend servers.  Especially since for www.example.com I can not
> use the same name= statement for all three backends to construct the
> ACLs.

name= is just a label for the cache_peer link. It does not by itself do
anything like permissions. The default name= for any peer link is the
text you put in as IP/hostname Squid is to contact.

Amos
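
Putting both halves of the reply together, as an added example that is not part of Amos's message or the Squid wiki pages he links: one squid.conf serving both accelerators, with each origin tied to its own dstdomain. The IPs and domains are the ones from the question; the name= labels (www1, www2, www3, dev), the dev certificate paths and the "vhost" option on the listening ports are assumptions of this example.

```conf
# Added example, not the original poster's config. Assumed: name= labels,
# /etc/squid/dev.* cert paths, and "vhost" on the ports (as in the wiki
# VirtualHosting example) so the site is chosen from the Host header;
# defaultsite= is only used for requests that arrive without one.

https_port 10.10.10.1:443 accel defaultsite=www.example.com vhost cert=/etc/squid/www.crt key=/etc/squid/www.key
http_port 10.10.10.1:80 accel defaultsite=www.example.com vhost

https_port 10.10.10.2:443 accel defaultsite=dev.example.com vhost cert=/etc/squid/dev.crt key=/etc/squid/dev.key
http_port 10.10.10.2:80 accel defaultsite=dev.example.com vhost

# www.example.com: three origins, balanced round-robin.
# name= is only a handle for cache_peer_access; it grants nothing by itself.
cache_peer 192.168.1.2 parent 80 0 no-query originserver round-robin name=www1
cache_peer 192.168.1.3 parent 80 0 no-query originserver round-robin name=www2
cache_peer 192.168.1.4 parent 80 0 no-query originserver round-robin name=www3

# dev.example.com: single origin.
cache_peer 192.168.0.1 parent 80 0 no-query originserver name=dev

# dstdomain matches the Host header the client sent; that is what tells the
# two sites apart once they share one Squid instance.
acl site_www dstdomain www.example.com
acl site_dev dstdomain dev.example.com

# Only serve the hosted sites. Without this an accelerator will forward a
# request for any Host: the client cares to send, i.e. act as an open proxy.
# Place these ahead of any catch-all deny already in the file.
http_access allow site_www
http_access allow site_dev
http_access deny all

# Bind each peer to its site. The trailing "deny all" on every peer is what
# stops a dev.example.com request from ever being handed to a www origin,
# and vice versa.
cache_peer_access www1 allow site_www
cache_peer_access www1 deny all
cache_peer_access www2 allow site_www
cache_peer_access www2 deny all
cache_peer_access www3 allow site_www
cache_peer_access www3 deny all

cache_peer_access dev allow site_dev
cache_peer_access dev deny all
```

Check the file with `squid -k parse` before reloading. Note the ACLs deliberately list the exact hostnames rather than `.example.com`: a domain wildcard would match both sites and defeat the point of the per-peer rules.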
