[squid-users] One Squid proxy for multi-tenant environment

Amos Jeffries squid3 at treenet.co.nz
Fri Feb 20 23:55:56 UTC 2015


On 21/02/2015 4:57 a.m., maxt wrote:
> I'm just wondering if it is possible to do the following:
> 
> Have one Squid proxy that covers multiple domains/tenants.  Each tenant
> would have their own specific whitelist and blacklist of sites.  Each tenant
> would have their own customized/branded block page that would have
> instructions for requesting a site be whitelisted.

Sort of. We are partway there with SMP support. There are two easy-ish
ways it can be done:


1) 3.2+ SMP worker per tenant.

NP: There is still crossover with things like shared memory (if you
choose to leave it enabled) and cachemgr reports.


Add this line to squid.conf between the "http_access CONNECT !SSL_ports"
and "http_access deny all" lines:

 include /etc/squid/client-${process_number}.conf


All the client-specific configuration then goes in the numbered
client-N.conf files. You may need to shuffle things like the default
refresh_patterns around so they are below the include (so not overriding
the client settings).

There is still some crossover with settings that can only be set once
per proxy instance (PID file etc). Those need to be set in the main
squid.conf, which you can also use to set local network defaults
different from the hard coded ones, or override some client abilities.


2) 3.5+ named service per tenant

This is not really single-proxy but allows you to run separate
instances/services per-tenant from one installed Squid. It does not have
any of the crossover issues of the above (which may be either Pro or Con
for your needs).

 In squid.conf put this:

   include /etc/squid/client-${service_name}.conf

Service name must only be alphanumeric characters.

Same caveats apply about shuffling things around within squid.conf so
they don't collide with the per-client settings.

 Run Squid using:

   squid -n <some_name> ...

Note that is a lower case 'n', upper case is very different.


HTH
Amos
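
An added example, not part of the original post: a shell helper that writes the per-tenant file loaded by the `client-${service_name}.conf` include in option 2, and refuses any tenant name that is not purely alphanumeric, since that name becomes part of a file path. The directory layout, the list file names, the ACL names and the `ERR_BLOCKED_<tenant>` error template name are assumptions; the list files and the template must already exist for Squid to load the result.

```shell
#!/bin/sh
# Added example: generate /etc/squid/client-<tenant>.conf for "squid -n <tenant>".
# CONF_DIR, lists/<tenant>.white|.black and ERR_BLOCKED_<tenant> are assumed names.
LC_ALL=C; export LC_ALL            # make the A-Z/a-z/0-9 ranges byte-exact
CONF_DIR="${CONF_DIR:-/etc/squid}"

# Succeeds only for non-empty names made of ASCII letters and digits,
# matching the "alphanumeric only" rule for service names.
valid_service_name() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Writes the tenant's include file. The name is validated first because it
# is used in the output path and in ACL names ("../x" or "a/b" is refused).
write_tenant_conf() {
    name="$1"
    if ! valid_service_name "$name"; then
        echo "rejected tenant name: $name" >&2
        return 1
    fi
    cat > "$CONF_DIR/client-$name.conf" <<EOF
# Tenant $name, loaded via: include $CONF_DIR/client-\${service_name}.conf
acl ${name}_white dstdomain "$CONF_DIR/lists/$name.white"
acl ${name}_black dstdomain "$CONF_DIR/lists/$name.black"
# Branded block page: deny_info is keyed on the last ACL of the deny line.
deny_info ERR_BLOCKED_$name ${name}_black
http_access deny !${name}_white ${name}_black
EOF
}

# Usage: sh this-script tenant1 tenant2 ...   then start each: squid -n tenant1
for t in "$@"; do
    write_tenant_conf "$t" || exit 1
done
```

The generated file only denies blacklisted destinations that are not also whitelisted; which clients are allowed at all stays in the main squid.conf.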

