Hi again,

I must admit I am still a bit uncomfortable with access rules and other things in reverse proxy...
Here's my conf again:

               +---> Squid1 ---> Apache1
               |
               |
    Internet ---+---> Squid2 ---> Apache3
               |       .
               |       .
               +---> Squid<N> ---> Apache<N>

Each squid is a reverse proxy for one apache listening on an external IP.
Squid (port 80) and apache (port 8080) are both on the same server for now.
All squids are proxy-only siblings on an internal IP.

Basically, I want the following: a client asks squid. If it is a miss, squid asks its siblings in proxy-only (in order not to cache the same objects N times through the N squids).

Here are the confusing parts of the confs:

Common to all confs:

    acl from_localnet src 192.168.0.0/16 # Internal IPs
    icp_access allow from_localnet
    icp_access deny all
    #miss_access deny from_localnet # Do I need this miss?
    acl to_examplecom dstdomain .example.com
    http_access allow to_examplecom

squid1.conf:

    http_port <EXTIP1>:80 accel defaultsite=www.example.com vhost
    #https_port <EXTIP1>:3129 defaultsite=www.example.com cert=squid.pem key=squid.key
    cache_peer <EXTIP1> parent 8080 0 no-query originserver max-conn=64 name=apache1 front-end-https=auto
    cache_peer <INTIP2> sibling 80 3130 proxy-only name=squid2
    ...
    cache_peer <INTIPN> sibling 80 3130 proxy-only name=squidN
    cache_peer_access apache1 allow to_examplecom
    cache_peer_access apache1 deny all

squid2.conf:

    http_port <EXTIP2>:80 accel defaultsite=www.example.com vhost
    #https_port <EXTIP2>:3129 defaultsite=www.example.com cert=squid.pem key=squid.key
    cache_peer <EXTIP2> parent 8080 0 no-query originserver max-conn=64 name=apache2 front-end-https=auto
    cache_peer <INTIP1> sibling 80 3130 proxy-only name=squid1
    ...
    cache_peer <INTIPN> sibling 80 3130 proxy-only name=squidN
    cache_peer_access apache2 allow to_examplecom
    cache_peer_access apache2 deny all

....

squidN.conf:

    http_port <EXTIP3>:80 accel defaultsite=www.example.com vhost
    #https_port <EXTIPN>:3129 defaultsite=www.example.com cert=squid.pem key=squid.key
    cache_peer <EXTIPN> parent 8080 0 no-query originserver max-conn=64 name=apacheN front-end-https=auto
    cache_peer <INTIP1> sibling 80 3130 proxy-only name=squid1
    cache_peer <INTIP2> sibling 80 3130 proxy-only name=squid2
    ...
    cache_peer <INTIP[N-1]> sibling 80 3130 proxy-only name=squid[N-1]
    cache_peer_access apacheN allow to_examplecom
    cache_peer_access apacheN deny all

Questions:

1. Anything wrong in the confs above? Do I need some cache_peer_access for the siblings communication?

3. If the squids sit right next to the apaches (on a gigabit switch), can I not use digests?

4. If I want to handle "leeches" (using wrong referer) with a redirector script, would the following work?

    acl examplecom_referer referer_regex example.com
    url_rewrite_program handleleech.php
    url_rewrite_children 5
    url_rewrite_concurrency 0
    url_rewrite_host_header off # Do I need this for a reverse proxy?
    url_rewrite_access allow !examplecom_referer
    url_rewrite_access deny all

   The redirector, based on some internal rules, will either send back a 302 or the document URL...

5. If I want the apaches to tell squid to cache for 1 week and squids to tell clients to cache for 1 month, can I just use header_replace like these?

    header_replace Expires Sun Jan 1 00:00:00 CET 2012
    header_replace Cache-Control max-age=2678400

   Or is it refresh_pattern with override-expire and override-lastmod?

6. Is there a way to prevent <shift>-reload from making squid ask apache when the object is still in its cache...? Something like that?

    refresh_pattern 0 0% 0 ignore-reload

Thank you,
JD
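
Added example (not part of the original post and not Squid project code): a small generator that renders the per-node peer section of the layout described above, so every node lists its own Apache as parent and every other Squid as a proxy-only sibling, never itself. It uses only directives that appear in the post; the addresses are constructed sample values, and it assumes each sibling sends ICP from its internal IP.

```python
import ipaddress

LOCALNET = ipaddress.ip_network("192.168.0.0/16")  # from_localnet in the post

# Constructed sample addresses (not from the post).
NODES = [
    {"id": "1", "ext_ip": "203.0.113.1", "int_ip": "192.168.0.1"},
    {"id": "2", "ext_ip": "203.0.113.2", "int_ip": "192.168.0.2"},
    {"id": "3", "ext_ip": "203.0.113.3", "int_ip": "192.168.0.3"},
]

def validate(nodes):
    """Reject layouts where the posted ACLs and the peer lists would disagree."""
    seen = set()
    for node in nodes:
        for key in ("ext_ip", "int_ip"):
            if node[key] in seen:
                raise ValueError(f"duplicate address {node[key]}")
            seen.add(node[key])
        # Assumption: ICP queries come from the sibling's internal IP, so an
        # address outside from_localnet would fall through to icp_access deny all.
        if ipaddress.ip_address(node["int_ip"]) not in LOCALNET:
            raise ValueError(f"squid{node['id']} int_ip is outside from_localnet")

def render_node(index, nodes, site="www.example.com"):
    """Return the http_port / cache_peer lines for nodes[index]."""
    validate(nodes)
    me = nodes[index]
    out = [
        f"http_port {me['ext_ip']}:80 accel defaultsite={site} vhost",
        f"cache_peer {me['ext_ip']} parent 8080 0 no-query originserver "
        f"max-conn=64 name=apache{me['id']} front-end-https=auto",
    ]
    for other in nodes:
        if other is me:
            continue  # a node must not list itself as a sibling
        out.append(f"cache_peer {other['int_ip']} sibling 80 3130 "
                   f"proxy-only name=squid{other['id']}")
    out.append(f"cache_peer_access apache{me['id']} allow to_examplecom")
    out.append(f"cache_peer_access apache{me['id']} deny all")
    return "\n".join(out)

if __name__ == "__main__":
    for i, node in enumerate(NODES):
        print(f"# squid{node['id']}.conf\n{render_node(i, NODES)}\n")
```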