[squid-users] Https from sibling peers does not work
Amos Jeffries
squid3 at treenet.co.nz
Mon Nov 27 10:29:23 UTC 2023
On 27/11/23 22:38, Mihkel Tammepuu wrote:
> Hello!
> I am trying to set up a sibling cluster of 4 Squid instances. The purpose of the cluster is redundancy AND sharing cache disk space.

FWIW, if these are running on the same machine you may find SMP workers
with rock type cache_dir easier to manage and more efficient with the
caching than a traditional cluster.

> Everything seems to work fine with http, but with https I cannot see requests being forwarded to siblings.
> Interestingly, when using HTCP, the siblings do get HTCP_CLR requests, but not HTCP_TST requests and https content is NOT loaded from sibling even if it’s clearly present there.
> I’m of course using SSL Bump, content from origin servers works fine. I’ve tried Squid 6.5 and 5.9 with same results.
> What might be wrong? Any way to fix it?
>

I assume/suspect you have the traditional cache_peer setup without TLS
between them.

Squid intentionally does not send decrypted HTTPS traffic over non-TLS
connections. That includes your cache_peer.

Try adding the "tls" option to your cache_peer lines and ensure they all
use https_port listening in forward-proxy mode to receive that traffic.

If you need more assistance, please show what your config is. We will
need the specific details of that to see if any other changes are useful
and/or advise on further troubleshooting.

HTH
Amos
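
An added illustration (not part of the original message, and not Squid project code): a small Python check over a squid.conf that applies the two points in the reply above, the "tls" option on every cache_peer line and an https_port to receive the peer traffic. Both config fragments, the hostnames, ports and file paths are constructed placeholders, and the check assumes every sibling runs the same config.

```python
# Constructed squid.conf fragments; hostnames, ports and paths are placeholders.
PLAIN_PEERS = """\
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem
ssl_bump bump all
htcp_port 4827
cache_peer squid2.example.net sibling 3128 4827 htcp proxy-only
cache_peer squid3.example.net sibling 3128 4827 htcp proxy-only
"""

TLS_PEERS = """\
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem
# forward-proxy TLS listener that the siblings connect to
https_port 3129 tls-cert=/etc/squid/peer.pem
ssl_bump bump all
htcp_port 4827
cache_peer squid2.example.net sibling 3129 4827 htcp proxy-only tls
cache_peer squid3.example.net sibling 3129 4827 htcp proxy-only tls
"""


def directives(conf):
    """Yield (name, args) for every non-empty, non-comment squid.conf line."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield name, args


def audit(conf):
    """List reasons bumped HTTPS requests would not be shared with peers."""
    items = list(directives(conf))
    if not any(name == "ssl_bump" for name, _ in items):
        return []  # no decrypted HTTPS here, so plain-text peers are not the issue
    findings = []
    for name, args in items:
        # cache_peer <host> <type> <http-port> <icp/htcp-port> [options...]
        if name == "cache_peer" and "tls" not in args[4:]:
            findings.append(f"cache_peer {args[0]}: missing 'tls' option")
    if not any(name == "https_port" for name, _ in items):
        findings.append("no https_port for TLS peers to connect to")
    return findings


if __name__ == "__main__":
    for label, conf in (("plain peers", PLAIN_PEERS), ("tls peers", TLS_PEERS)):
        print(label, "->", audit(conf) or "ok")
```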