Steve Brown wrote:
> Matus UHLAR - fantomas wrote:
>
>> with acl.
>>
>> note that https can't be cached, so it has only value if:
>> 1. your clients can't connect to the proxy1
>> 2. your proxy can't connect to the internet
>> (if both these are true)
>
>
>
> Ok thanks. I probably didn't give enough detail originally.
>
> I actually want to _always_ send http to Proxy1, and _always_ send
> httpS requests to Proxy2.
>
> The users connect to a downstream non-caching content-checking Proxy.
> I'll have a go at an ascii diagram:
>
> --------
> -------| Proxy2 |----------\ HTTPS
> ------ | -------- \------- -------------
> | Inet |---+ | Squid |-----| non-caching |
> ------ | -------- /------- -------------
> -------| Proxy1 |----------/ HTTP |
> -------- |
> ---------
> | Users |
> ---------
>
> Users are authenticated on the non-caching proxy which is a
> content-checking box. It send requests to its upstream proxy - the
> Squid cache - on a single port 80.
>
> I need Squid to break out HTTPS traffic one way, and plain HTTP
> traffic another way and _always_ feed each to a different upstream.
> Proxy 1 is an active-code stripper and Proxy 2 SSL
> termination/content-checking box.
>
> Can I still do this with an ACL and the peer_cache_access + url_regex?
>
> I was thinking of something like:
>
> acl http_traffic url_regex "^http://*"
> acl ssl_traffic url_regex "^https://*"
> cache_peer Proxy1.domain parent 80 0 no-query
> cache_peer Proxy1.domain parent 80 0 no-query
> cache_peer_access Proxy1.domain allow http_traffic
> cache_peer_access Proxy2.domain allow ssl_traffic
>
We had troubles with some secure connections because
they are being balancing through farm proxys and dowstream proxys,
and the session was lost some times,
The solution was direct all secure connections for the same path:
acl SEGURAS method CONNECT
cache_peer proxy.domain parent 8080 0 default no-query
cache_peer secure-proxy.domain parent 8080 0 no-query
cache_peer_access secure-proxy.domain allow SEGURAS
cache_peer_access proxy.domain deny SEGURAS
Emilio C.
Received on Tue Nov 16 2004 - 05:02:54 MST
This archive was generated by hypermail pre-2.1.9 : Wed Dec 01 2004 - 12:00:01 MST