On 24/02/2017 12:23 a.m., Imaginovskiy wrote:
> Hi All,
>
> I'm in the process of upgrading some clients to the latest squid proxy
> version. Coming from version 3.5 I used to specify backends in squid.conf as
> follows;
>
> cache_peer site1.domain.com parent 443 0 no-query originserver
> name=server_site1 ssl proxy-only front-end-https=on login=PASS
> cache_peer_domain server_site1 site1.domain.com
>
> cache_peer site2.domain.com parent 443 0 no-query originserver
> name=server_site2 ssl proxy-only front-end-https=on login=PASS
> cache_peer_domain server_site2 site2.domain.com
>
> But in Squid 4 it looks a little confusing, cache_peer_domain is superseded
> by cache_peer_access but looking at the documentation it looks like
> cache_peer_access isn't quite the same as cache_peer_domain.
The syntax is a little different, but the *_domain behaviour is easily
replicated. If you want anything more you can add it easily to the
*_access rules.
The equivalent to your old config is this (which works in Squid-3 as
well, so you can test before the upgrade):
cache_peer site1.domain.com parent 443 0 no-query originserver \
name=server_site1 ssl proxy-only front-end-https=on login=PASS
acl site1 dstdomain site1.domain.com
cache_peer_access server_site1 allow site1
# http_access allow site1
cache_peer site2.domain.com parent 443 0 no-query originserver \
name=server_site2 ssl proxy-only front-end-https=on login=PASS
acl site2 dstdomain site1.domain.com
cache_peer_access server_site2 allow site2
# http_access allow site2
If you don't need this config to load in Squid-3 anymore I suggest
adding tls-cafile= option with the public cert of the root CA that
signed that peers cert. Then you can use tls-default-ca=off which will
protect against any problems with the irrelevant 'globally trusted' CAs
affecting your peer traffic.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
