Hi again,
I must admit I am still a bit uncomfortable with access rules and other things
in a reverse proxy...
Here's my conf again:
            +---> Squid1 ---> Apache1
            |
Internet ---+---> Squid2 ---> Apache2
            |          .
            |          .
            +---> Squid<N> ---> Apache<N>
Each squid is a reverse proxy for one apache listening on an external IP.
Squid (port 80) and apache (port 8080) are both on the same server for now.
All squids are proxy-only siblings on an internal IP.
Basically, I want the following: the client asks squid. If it is a miss, squid asks
its siblings in proxy-only mode (in order not to cache the same objects N times across
the N squids).
Here are the confusing parts of the confs:
Common to all confs:
acl from_localnet src 192.168.0.0/16 # Internal IPs
icp_access allow from_localnet
icp_access deny all
#miss_access deny from_localnet # Do I need this miss?
acl to_examplecom dstdomain .example.com
http_access allow to_examplecom
squid1.conf:
http_port <EXTIP1>:80 accel defaultsite=www.example.com vhost
#https_port <EXTIP1>:3129 defaultsite=www.example.com cert=squid.pem key=squid.key
cache_peer <EXTIP1> parent 8080 0 no-query originserver max-conn=64 name=apache1 front-end-https=auto
cache_peer <INTIP2> sibling 80 3130 proxy-only name=squid2
...
cache_peer <INTIPN> sibling 80 3130 proxy-only name=squidN
cache_peer_access apache1 allow to_examplecom
cache_peer_access apache1 deny all
squid2.conf:
http_port <EXTIP2>:80 accel defaultsite=www.example.com vhost
#https_port <EXTIP2>:3129 defaultsite=www.example.com cert=squid.pem key=squid.key
cache_peer <EXTIP2> parent 8080 0 no-query originserver max-conn=64 name=apache2 front-end-https=auto
cache_peer <INTIP1> sibling 80 3130 proxy-only name=squid1
...
cache_peer <INTIPN> sibling 80 3130 proxy-only name=squidN
cache_peer_access apache2 allow to_examplecom
cache_peer_access apache2 deny all
....
squidN.conf:
http_port <EXTIPN>:80 accel defaultsite=www.example.com vhost
#https_port <EXTIPN>:3129 defaultsite=www.example.com cert=squid.pem key=squid.key
cache_peer <EXTIPN> parent 8080 0 no-query originserver max-conn=64 name=apacheN front-end-https=auto
cache_peer <INTIP1> sibling 80 3130 proxy-only name=squid1
cache_peer <INTIP2> sibling 80 3130 proxy-only name=squid2
...
cache_peer <INTIP[N-1]> sibling 80 3130 proxy-only name=squid[N-1]
cache_peer_access apacheN allow to_examplecom
cache_peer_access apacheN deny all
Questions:
1. Anything wrong in the confs above? Do I need some cache_peer_access for the
sibling communication?
3. If the squids sit right next to the apaches (on a gigabit switch), can I not
use digests?
4. If I want to handle "leeches" (requests with a wrong Referer) with a redirector
script, would the following work?
acl examplecom_referer referer_regex example.com
url_rewrite_program handleleech.php
url_rewrite_children 5
url_rewrite_concurrency 0
url_rewrite_host_header off # Do I need this for a reverse proxy?
url_rewrite_access allow !examplecom_referer
url_rewrite_access deny all
The redirector, based on some internal rules, will either send back a 302 or
the document URL...
5. If I want the apaches to tell squid to cache for 1 week and squids to tell
clients to cache for 1 month, can I just use header_replace like these?
# HTTP dates must be RFC 1123 format in GMT; a "CET" timestamp is not a valid Expires value
header_replace Expires Sun, 01 Jan 2012 00:00:00 GMT
header_replace Cache-Control max-age=2678400
Or is it refresh_pattern with override-expire and override-lastmod?
6. Is there a way to prevent <shift>-reload from making squid ask apache when
the object is still in its cache...? Something like that?
refresh_pattern . 0 0% 0 ignore-reload # the regex field is mandatory; "." matches every URL
Thank you,
JD
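Below is an added example of the kind of redirector the post asks about in question 4. It is not the poster's handleleech.php and not part of the original message. It assumes the classic (pre-3.4) url_rewrite helper protocol with url_rewrite_concurrency 0: Squid writes one request per line as "URL client_ip/fqdn user method [urlgroup] [kv-pairs]", and the helper answers either an empty line (leave the URL alone) or "302:URL" (Squid sends an HTTP 302 to that URL). The placeholder image URL, the list of protected paths and suffixes, and the sample request lines are all constructed for illustration; only requests that already failed the url_rewrite_access Referer check reach the helper, so the helper itself never sees the Referer header.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper for hot-link ("leech") handling.

Added example, not the original poster's handleleech.php.  Protocol assumed:
classic pre-3.4 url_rewrite format, url_rewrite_concurrency 0, one request
per line from Squid and one reply line from us:
    ""        -> pass the request through unchanged
    "302:URL" -> make Squid answer with an HTTP 302 redirect to URL
"""
import sys
from urllib.parse import urlsplit

# Hypothetical placeholder shown to hot-linkers (assumed URL).
PLACEHOLDER = "http://www.example.com/hotlink-denied.png"
# Assumed rule set: only media under /images/ or with these suffixes is protected.
PROTECTED_PREFIX = "/images/"
PROTECTED_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".zip", ".mp3")
# Only idempotent methods are redirected; a POST must never be rewritten.
REDIRECTABLE_METHODS = {"GET", "HEAD"}


def parse_request(line):
    """Split one helper request line into (url, client_ip, method).

    Fields are space separated: URL, client_ip/fqdn, user, method, then
    optional urlgroup and key=value pairs.  Malformed input raises ValueError.
    """
    fields = line.strip().split(" ")
    if len(fields) < 4:
        raise ValueError("malformed helper request: %r" % line)
    url, client, _user, method = fields[:4]
    client_ip = client.split("/", 1)[0]
    return url, client_ip, method.upper()


def is_protected(url):
    """True if this URL must not be served to a request with a foreign Referer."""
    # The browser keeps the leecher's Referer when it follows our 302, so the
    # placeholder itself comes back through this helper: never redirect it
    # again or every hot-linker gets an infinite redirect loop.
    if url.lower() == PLACEHOLDER.lower():
        return False
    path = urlsplit(url).path.lower()
    return path.startswith(PROTECTED_PREFIX) or path.endswith(PROTECTED_SUFFIXES)


def decide(line):
    """Return the reply line (without newline) for one request line."""
    try:
        url, _client_ip, method = parse_request(line)
    except ValueError:
        return ""  # on garbage, fail open: do not rewrite what we cannot parse
    if method in REDIRECTABLE_METHODS and is_protected(url):
        return "302:" + PLACEHOLDER
    return ""


def main():
    # Squid talks to helpers over pipes: flush after every reply, or the
    # client request hangs until stdout's buffer happens to fill.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wiring it in would be the poster's existing `url_rewrite_program` line pointing at the script (with a full path and an executable bit, e.g. the assumed `/usr/local/bin/handleleech.py`), keeping `url_rewrite_access allow !examplecom_referer` so that requests with a matching Referer never cost a round trip to the helper.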