Squid 4.0.18 question about directives


Squid 4.0.18 question about directives

Imaginovskiy
Hi All,

I'm in the process of upgrading some clients to the latest squid proxy version. Coming from version 3.5 I used to specify backends in squid.conf as follows;

cache_peer site1.domain.com parent 443 0 no-query originserver name=server_site1 ssl proxy-only front-end-https=on login=PASS
cache_peer_domain server_site1 site1.domain.com

cache_peer site2.domain.com parent 443 0 no-query originserver name=server_site2 ssl proxy-only front-end-https=on login=PASS
cache_peer_domain server_site2 site2.domain.com

But in Squid 4 it looks a little confusing: cache_peer_domain is superseded by cache_peer_access, but looking at the documentation it looks like cache_peer_access isn't quite the same as cache_peer_domain. So I ended up looking at neighbor_type_domain, which looks like what I want, so I've configured it as follows:

cache_peer site1.domain.com parent 443 0 no-query originserver name=server_site1 login=PASS ssl front-end-https=on
neighbor_type_domain server_site1 site1.domain.com

cache_peer site2.domain.com parent 443 0 no-query originserver name=server_site2 login=PASS ssl front-end-https=on
neighbor_type_domain server_site2 site2.fotechsolutions.com

Which seems ok, but what I end up seeing is site1.domain.com is proxied correctly, but when browsing for site2.domain.com I end up loading site1.domain.com, am I missing something in this new version?

Re: Squid 4.0.18 question about directives

Amos Jeffries
Administrator
On 24/02/2017 12:23 a.m., Imaginovskiy wrote:

> Hi All,
>
> I'm in the process of upgrading some clients to the latest squid proxy
> version. Coming from version 3.5 I used to specify backends in squid.conf as
> follows;
>
> cache_peer site1.domain.com parent 443 0 no-query originserver
> name=server_site1 ssl proxy-only front-end-https=on login=PASS
> cache_peer_domain server_site1 site1.domain.com
>
> cache_peer site2.domain.com parent 443 0 no-query originserver
> name=server_site2 ssl proxy-only front-end-https=on login=PASS
> cache_peer_domain server_site2 site2.domain.com
>
> But in Squid 4 it looks a little confusing, cache_peer_domain is superseded
> by cache_peer_access but looking at the documentation it looks like
> cache_peer_access isn't quite the same as cache_peer_domain.

The syntax is a little different, but the *_domain behaviour is easily
replicated. If you want anything more you can add it easily to the
*_access rules.

The equivalent to your old config is this (which works in Squid-3 as
well, so you can test before the upgrade):

 cache_peer site1.domain.com parent 443 0 no-query originserver \
    name=server_site1 ssl proxy-only front-end-https=on login=PASS

 acl site1 dstdomain site1.domain.com
 cache_peer_access server_site1 allow site1
 # http_access allow site1


 cache_peer site2.domain.com parent 443 0 no-query originserver \
    name=server_site2 ssl proxy-only front-end-https=on login=PASS

 acl site2 dstdomain site2.domain.com
 cache_peer_access server_site2 allow site2
 # http_access allow site2



If you don't need this config to load in Squid-3 anymore, I suggest
adding the tls-cafile= option with the public cert of the root CA that
signed that peer's cert. Then you can use tls-default-ca=off, which will
protect against any problems with the irrelevant 'globally trusted' CAs
affecting your peer traffic.

Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
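
Added example, not part of the original thread and not Squid project code: a Python helper that performs the cache_peer_domain to acl + cache_peer_access rewrite described in the reply, and lists peers that have no per-peer restriction and are therefore candidates for every request. The function names, the `to_<peer>` ACL naming scheme and the sample config are assumptions made for illustration; lines using `!domain` negation are left for manual review.

```python
import re

# Constructed sample input modelled on the thread: peer 1 uses the old
# cache_peer_domain line, peer 2 only has a neighbor_type_domain line.
SAMPLE = """\
cache_peer site1.domain.com parent 443 0 no-query originserver name=server_site1 ssl login=PASS
cache_peer_domain server_site1 site1.domain.com
cache_peer site2.domain.com parent 443 0 no-query originserver name=server_site2 ssl login=PASS
neighbor_type_domain server_site2 site2.domain.com
"""

def migrate(conf):
    """Rewrite cache_peer_domain lines as acl + cache_peer_access pairs.

    Returns (new_conf, review). Lines using '!domain' negation are kept
    unchanged and listed in review for manual conversion.
    """
    out, review = [], []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "cache_peer_domain":
            out.append(line)
        elif any(d.startswith("!") for d in parts[2:]):
            out.append(line)
            review.append(line)
        else:
            peer = parts[1]
            acl = "to_" + re.sub(r"\W", "_", peer)  # hypothetical ACL naming scheme
            out.append("acl %s dstdomain %s" % (acl, " ".join(parts[2:])))
            out.append("cache_peer_access %s allow %s" % (peer, acl))
    return "\n".join(out) + "\n", review

def unrestricted_peers(conf):
    """Names of cache_peer entries with no cache_peer_access/_domain rule."""
    conf = re.sub(r"\\\n\s*", " ", conf)  # join backslash-continued lines
    peers, restricted = [], set()
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "cache_peer":
            name = [p[5:] for p in parts if p.startswith("name=")]
            peers.append(name[0] if name else parts[1])
        elif len(parts) >= 3 and parts[0] in ("cache_peer_access", "cache_peer_domain"):
            restricted.add(parts[1])
    return [p for p in peers if p not in restricted]

if __name__ == "__main__":
    new_conf, review = migrate(SAMPLE)
    print(new_conf)
    print("needs manual review:", review)
    print("unrestricted peers:", unrestricted_peers(new_conf))
```

In the sample, `server_site2` is reported as unrestricted because a neighbor_type_domain line does not limit which requests are sent to a peer.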