[squid-users] Accessing cache_peer siblings with ssl for reverse proxy
Veiko Kukk
vkukk at xvidservices.com
Tue Oct 6 13:52:53 UTC 2015
Hi everyone,
I have successfully set up a reverse proxy and ICP communication between
siblings. I'd like to encrypt cache sharing between siblings, but cannot
figure out the optimal solution for this. I have not found in the
documentation how to do SSL encryption between cache_peer hosts so that
cache objects are transferred securely over the Internet.
It works like this: local http client connects to squid with plain http,
squid acts as https client for remote server, fetches objects and stores
them into cache. The question is, how to fetch objects from sibling
caches with ssl and minimal overhead?
My current test system configuration (replaced hostnames with foobar,
the second test sibling just has y.y.y.y ip address in configuration):
cache_effective_user squid
cache_effective_group squid
http_port 3128 accel vhost
cache_peer foo.bar.tld parent 443 0 no-query no-digest originserver ssl sslversion=6 name=foo-1
cache_peer_domain foo-1 .foo.bar.tld
icp_port 3130
cache_peer x.x.x.x sibling 3128 3130 proxy-only
maximum_object_size 64 MB
cache_mem 4 GB
forwarded_for transparent
refresh_pattern -i cgi-bin 0 0% 0
refresh_pattern -i ^http:\/\/AUTH_.*squid.internal.* 2880 100% 10080 override-expire
refresh_pattern . 0 20% 4320
acl foobar_storage dstdomain .bar.tld
acl sibling_list src x.x.x.x/32
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow sibling_list
http_access deny all
cache_peer_access foo-1 allow foobar_storage
cache_peer_access foo-1 deny all
icp_access allow sibling_list
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid/ssd 65536 16 256 min-size=0 max-size=1MB
cache_dir aufs /var/cache/squid 1000000 64 256 min-size=1MB
coredump_dir /var/spool/squid
store_id_program /usr/lib64/squid/storeid_file_rewrite /var/spool/squid/store_id_db
store_id_children 20 startup=2
store_id_access allow foobar_storage
store_id_access deny all
####
foo.bar.tld is remote storage service.
Thanks in advance,
Veiko