Re: [squid-users] problem using squid as proxy server to load balance reverse-proxies

From: Sri Rao <sri_at_cloudflare.com>
Date: Thu, 10 Feb 2011 22:25:16 -0800

Hi Amos,

Thanks for the quick reply!

>>
>> I am trying to setup squid as a ssl proxy to load balance btwn
>> reverse-proxies.  I believe the config is right but what is happening
>
> What you have set up is a forward proxy load balancer which only permits
> management and binary-over-HTTP tunneled traffic from its localhost machine
> IP.

That is actually what I want. I want to do binary-over-HTTP from the
localhost to the reverse-proxy servers. When the forward proxy tries
to connect to the origin server directly it does a tunnelConnect but
even though I have set originserver for the cache_peers it seems to
just forward the CONNECT instead of doing a tunnelConnect. I thought
originserver should force squid to treat the cache_peers as if they
were web servers?

>
>> is that squid gets the CONNECT request and connects to the reverse
>> servers on the right port but forwards the CONNECT request instead of
>> connecting to them as the originserver.  I am pasting the config as it
>> is right now.  I am using localhost as test reverse proxies just for
>> testing.  It also doesn't seem to be failing over to the next peer when the
>> first one it selects returns an error (HTTP error code or
>> connection failure), and I have retry_on_error.
>
> This would be an artifact of the special handling CONNECT requests have.
>
> Your goal of having an SSL proxy directly opposes the use of CONNECT, since
> CONNECT is a binary-over-HTTP tunnel.
>
> I suggest going back to your first stated criteria "setup squid as a ssl
> proxy" and getting that going.

I would rather not have to maintain certs as I will have several of
these squid proxies.

> This means using the https_port directive (NOT the http_port!!). With a
> server SSL certificate. Squid will then be an SSL proxy.
>  * Problem 2 is then how to get browsers etc to send traffic to it.
>
> Since your third criteria is to pass traffic to reverse proxies it implies
> that this is to be a front-end reverse-proxy itself.
>  If that is correct, then set up the https_port with the reverse-proxy accel
> options. And do a standard reverse-proxy to two backends configuration.

Thanks for the info...will definitely keep this in mind.

Sri
Received on Fri Feb 11 2011 - 06:25:29 MST
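
For reference, a sketch of the setup suggested in the quoted reply (https_port with the accel options and a standard reverse proxy to two backends), added here as an example and not taken from either poster's configuration. The hostname, certificate paths, peer names and 192.0.2.x backend addresses are placeholders.

```conf
# Added example; hostname, paths, peer names and addresses are placeholders.
# Squid terminates TLS here, so this host must hold the site certificate and key.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/www.example.com.crt key=/etc/squid/www.example.com.key

# Two backend reverse proxies, treated as origin servers and reached over TLS,
# with requests spread across them round-robin.
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl round-robin name=rp1
cache_peer 192.0.2.11 parent 443 0 no-query originserver ssl round-robin name=rp2

# Accept only requests for the accelerated site, and send them only to the peers.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access rp1 allow our_site
cache_peer_access rp1 deny all
cache_peer_access rp2 allow our_site
cache_peer_access rp2 deny all

# Never fetch directly from the Internet for this site; always go through a peer.
never_direct allow our_site
```

In this mode clients send ordinary requests over TLS rather than CONNECT, which is why the certificate and private key have to be installed and protected on every Squid host that runs it.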
