Caching HTTPS with a parent squid

Caching HTTPS with a parent squid

Mauricio Garavaglia
Hello! I have a squid 3.5 caching HTTPS doing BumpSSL, everything works ok but I need to add another one as a parent (bigger storage and but different SLA...) of the first one, while still allowing it to go direct if the parent is not available.

[Client]---->[Squid 1]----->[Squid 2]---->[Origin Server]

To properly cache both, I would need to bump, but that's not available per https://github.com/squid-cache/squid/blob/v3.5/src/FwdState.cc#L813

What would be the correct way to accomplish that? Tried making the first one to just peek but I still want to allow to cache the responses and not just bypass the connection.
Thanks!

Mauricio






_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Caching HTTPS with a parent squid

Amos Jeffries
Administrator
On 2017-12-28 07:53, Mauricio Garavaglia wrote:

> Hello! I have a squid 3.5 caching HTTPS doing BumpSSL, everything
> works ok but I need to add another one as a parent (bigger storage and
> but different SLA...) of the first one, while still allowing it to go
> direct if the parent is not available.
>
> [Client]---->[Squid 1]----->[Squid 2]---->[Origin Server]
>
> To properly cache both, I would need to bump, but that's not available
> per
> https://github.com/squid-cache/squid/blob/v3.5/src/FwdState.cc#L813
>
> What would be the correct way to accomplish that? Tried making the
> first one to just peek but I still want to allow to cache the
> responses and not just bypass the connection.


The way to do this is to use MARK or TOS to label the child proxy
outgoing traffic so routing can send it to the parent proxy where it
gets re-bumped. Both proxies otherwise operate as stand-alone
interceptors.

DO NOT use cache_peer originserver connections between them - while this
can appear to work for some traffic it removes TLS properties needed by
many modern clients.

Amos
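
A sketch of the layout described in the reply above, as an added example that is not part of the thread or of the Squid project's own material. It assumes Linux hosts, a Squid build with netfilter mark support, and constructed values throughout: the mark 0x64, table 100, the address 192.0.2.20, the ACL name to_parent and the certificate paths are all placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. All values below are constructed assumptions.
MARK=0x64             # netfilter mark the child Squid sets on its outgoing sockets
TABLE=100             # routing table consulted only for marked packets
PARENT_IP=192.0.2.20  # parent Squid host, reachable as a next hop (documentation IP)
DEV=eth0              # child interface facing the parent
PARENT_PORT=3129      # intercepting https_port on the parent
APPLY=${APPLY:-0}     # 0 prints each command, 1 executes it (root required)

run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi; }

# squid.conf lines for the child: no cache_peer, just mark outgoing port-443 traffic
# and trust the CA the parent signs its bumped certificates with (placeholder path).
child_squid_conf() {
    echo "acl to_parent port 443"
    echo "tcp_outgoing_mark $MARK to_parent"
    echo "sslproxy_cafile /path/to/parent-bump-ca.pem"
}

# Child host: marked packets use a table whose default route is the parent.
child_route_up() {
    run ip route replace default via "$PARENT_IP" dev "$DEV" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
}

# Child host: without the rule, marked packets follow the main table and go direct.
# A health check of the parent would call this when the parent stops answering.
child_route_down() {
    run ip rule del fwmark "$MARK" lookup "$TABLE"
}

# Parent host: hand the routed port-443 packets to its own intercepting port.
parent_intercept() {
    run iptables -t nat -A PREROUTING -p tcp --dport 443 \
        -j REDIRECT --to-ports "$PARENT_PORT"
}

# squid.conf line for the parent (certificate path is a placeholder); its ssl_bump
# rules are the same kind a stand-alone bumping proxy uses.
parent_squid_conf() {
    echo "https_port $PARENT_PORT intercept ssl-bump cert=/path/to/parent-bump-ca.pem"
}

case "${1:-plan}" in
    child-up)   child_route_up ;;
    child-down) child_route_down ;;
    parent)     parent_intercept ;;
    *)          APPLY=0; child_squid_conf; child_route_up; parent_squid_conf; parent_intercept ;;
esac
```

Run without arguments it only prints the plan; `APPLY=1` with `child-up`, `child-down` or `parent` executes the matching step on that host.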

Re: Caching HTTPS with a parent squid

Mauricio Garavaglia
Thanks for the reply!
I'm not sure I'm following. Are you suggesting to remove cache_peer in the child, use qos_flows to mark the cache miss traffic, and then configure routing policies to direct that to the parent squid? 
Anything I could read to get more info about that approach?


On Thu, Dec 28, 2017 at 12:44 AM, Amos Jeffries <[hidden email]> wrote:
> On 2017-12-28 07:53, Mauricio Garavaglia wrote:
> > Hello! I have a squid 3.5 caching HTTPS doing BumpSSL, everything
> > works ok but I need to add another one as a parent (bigger storage and
> > but different SLA...) of the first one, while still allowing it to go
> > direct if the parent is not available.
> >
> > [Client]---->[Squid 1]----->[Squid 2]---->[Origin Server]
> >
> > To properly cache both, I would need to bump, but that's not available
> > per
> > https://github.com/squid-cache/squid/blob/v3.5/src/FwdState.cc#L813
> >
> > What would be the correct way to accomplish that? Tried making the
> > first one to just peek but I still want to allow to cache the
> > responses and not just bypass the connection.
>
> The way to do this is to use MARK or TOS to label the child proxy outgoing traffic so routing can send it to the parent proxy where it gets re-bumped. Both proxies otherwise operate as stand-alone interceptors.
>
> DO NOT use cache_peer originserver connections between them - while this can appear to work for some traffic it removes TLS properties needed by many modern clients.
>
> Amos

