Re: [squid-users] Reverse proxies...

From: John Doe <jdmls_at_yahoo.com>
Date: Tue, 24 Jun 2008 11:30:18 -0700 (PDT)

Hi again,

I must admit I am still a bit uncomfortable with access rules and other things in reverse proxy...

Here's my conf again:

            +---> Squid1 ---> Apache1
            |
Internet ---+---> Squid2 ---> Apache2
            |        .
            |        .
            +---> Squid<N> ---> Apache<N>

Each squid is a reverse proxy for one apache listening on an external IP.
Squid (port 80) and apache (port 8080) are both on the same server for now.
All squids are proxy-only siblings on an internal IP.

Basically, I want the following: a client asks a squid. If it is a miss, that squid asks its siblings in proxy-only mode (in order not to cache the same objects N times across the N squids).

Here are the confusing parts of the confs:

Common to all confs:
 acl from_localnet src 192.168.0.0/16 # Internal IPs
 icp_access allow from_localnet
 icp_access deny all
#miss_access deny from_localnet # Do I need this miss?
 acl to_examplecom dstdomain .example.com
 http_access allow to_examplecom

squid1.conf:
 http_port <EXTIP1>:80 accel defaultsite=www.example.com vhost
#https_port <EXTIP1>:3129 defaultsite=www.example.com cert=squid.pem key=squid.key
 cache_peer <EXTIP1> parent 8080 0 no-query originserver max-conn=64 name=apache1 front-end-https=auto
 cache_peer <INTIP2> sibling 80 3130 proxy-only name=squid2
 ...
 cache_peer <INTIPN> sibling 80 3130 proxy-only name=squidN
 cache_peer_access apache1 allow to_examplecom
 cache_peer_access apache1 deny all

squid2.conf:
 http_port <EXTIP2>:80 accel defaultsite=www.example.com vhost
#https_port <EXTIP2>:3129 defaultsite=www.example.com cert=squid.pem key=squid.key
 cache_peer <EXTIP2> parent 8080 0 no-query originserver max-conn=64 name=apache2 front-end-https=auto
 cache_peer <INTIP1> sibling 80 3130 proxy-only name=squid1
 ...
 cache_peer <INTIPN> sibling 80 3130 proxy-only name=squidN
 cache_peer_access apache2 allow to_examplecom
 cache_peer_access apache2 deny all

....

squidN.conf:
 http_port <EXTIPN>:80 accel defaultsite=www.example.com vhost
#https_port <EXTIPN>:3129 defaultsite=www.example.com cert=squid.pem key=squid.key
 cache_peer <EXTIPN> parent 8080 0 no-query originserver max-conn=64 name=apacheN front-end-https=auto
 cache_peer <INTIP1> sibling 80 3130 proxy-only name=squid1
 cache_peer <INTIP2> sibling 80 3130 proxy-only name=squid2
 ...
 cache_peer <INTIP[N-1]> sibling 80 3130 proxy-only name=squid[N-1]
 cache_peer_access apacheN allow to_examplecom
 cache_peer_access apacheN deny all

Questions:
1. Anything wrong in the confs above? Do I need some cache_peer_access for the siblings communication?
3. If the squids sit right next to the apaches (on a gigabit switch), can I not use digests?
4. If I want to handle "leeches" (using wrong referer) with a redirector script, would the following work?

 acl examplecom_referer referer_regex example.com
 url_rewrite_program handleleech.php
 url_rewrite_children 5
 url_rewrite_concurrency 0
 url_rewrite_host_header off # Do I need this for a reverse proxy?
 url_rewrite_access allow !examplecom_referer
 url_rewrite_access deny all

 The redirector, based on some internal rules, will either send back a 302 or the document URL...

5. If I want the apaches to tell squid to cache for 1 week and the squids to tell clients to cache for 1 month, can I just use header_replace like this?

 header_replace Expires Sun Jan 1 00:00:00 CET 2012
 header_replace Cache-Control max-age=2678400

 Or is it refresh_pattern with override-expire and override-lastmod?

6. Is there a way to prevent <shift>-reload from making squid ask apache when the object is still in its cache...? Something like this?

 refresh_pattern 0 0% 0 ignore-reload

Thank you,
JD

Received on Tue Jun 24 2008 - 18:30:25 MDT
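The redirector in question 4 only ever sees the requests that url_rewrite_access lets through, because Squid 2.x does not hand the Referer header to a url_rewrite_program helper: the `referer_regex` ACL is the whole referer check, and as written (`example.com`, unanchored, dot unescaped) it is a substring match that any Referer merely containing those characters satisfies, so a practitioner would anchor it (for instance `^https?://([a-z0-9.-]+\.)?example\.com(/|$)`). Below is an added example helper, not the poster's handleleech.php, that speaks the Squid 2.6/2.7/3.0 redirector protocol: it reads `URL client_ip/fqdn ident method [urlgroup] [key=value ...]` per line, prefixed by a channel ID only when url_rewrite_concurrency is above 0, and answers either the unchanged URL or `302:NEWURL`. The "internal rules" (landing page, protected hosts, protected extensions) are constructed assumptions for the example.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper that bounces hot-linked static files.

Added example, not the original poster's handleleech.php. Protocol as used
by Squid 2.6/2.7/3.0 (url_rewrite_concurrency 0 means no channel-ID):

    request : [channel-ID] URL client_ip/fqdn ident method [urlgroup] [key=value ...]
    response: [channel-ID] URL          -> fetch the request unchanged
              [channel-ID] 302:NEWURL   -> send the client a redirect
"""
import posixpath
import sys
from urllib.parse import urlsplit

# Assumed landing page for leechers; its extension must not be protected,
# and decide() refuses to redirect it onto itself anyway.
LEECH_PAGE = "http://www.example.com/leech.html"
# Assumed origin hosts and file types worth protecting (constructed rules).
PROTECTED_HOSTS = {"www.example.com", "example.com"}
PROTECTED_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".zip", ".mp3"}


def parse_request(line, concurrent=False):
    """Split one helper request line into (channel, url, client_ip, method).

    channel is None unless concurrent=True (url_rewrite_concurrency > 0).
    Trailing key=value pairs (myip=..., myport=...) are ignored.
    """
    fields = line.strip().split()
    channel = None
    if concurrent:
        if not fields:
            raise ValueError("missing channel-ID: %r" % line)
        channel = fields.pop(0)
    if len(fields) < 4:
        raise ValueError("malformed redirector request: %r" % line)
    url, client, _ident, method = fields[:4]
    client_ip = client.split("/", 1)[0]
    return channel, url, client_ip, method


def decide(url, method):
    """Return the response URL for a request that url_rewrite_access already
    selected (i.e. one without an acceptable Referer).

    Squid 2.x does not pass the Referer to the helper, so only per-URL rules
    are applied here: protected file types on protected hosts get a 302 to
    the landing page; everything else is echoed back unchanged.
    """
    if url == LEECH_PAGE:
        return url  # never redirect the landing page onto itself (loop)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    ext = posixpath.splitext(parts.path.lower())[1]
    if method == "GET" and host in PROTECTED_HOSTS and ext in PROTECTED_EXTS:
        return "302:" + LEECH_PAGE
    return url


def respond(line, concurrent=False):
    """Build the complete response line for one request line."""
    channel, url, _client_ip, method = parse_request(line, concurrent)
    answer = decide(url, method)
    return answer if channel is None else "%s %s" % (channel, answer)


def main():
    # Squid keeps the helper running and writes one request per line.
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        if not line.strip():
            continue
        try:
            out = respond(line, concurrent)
        except ValueError:
            out = ""  # empty line: leave the request unchanged
        sys.stdout.write(out + "\n")
        sys.stdout.flush()  # Squid blocks on each answer; never buffer


if __name__ == "__main__":
    main()
```

Install it as `url_rewrite_program /path/to/handleleech.py` (add `--concurrent` and pass a channel ID only if url_rewrite_concurrency is raised above 0). The 302 target is a plain page rather than another protected object, so a leecher following the redirect cannot bounce between the helper and the origin.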