On 28/05/25 04:19, Alex Rousskov wrote:
On 2025-05-27 10:37, Yves MARTIN wrote:

My team expects to transparently rewrite requests through squid, replacing original URL/hostname by another target URL/host.

Main objective is to redirect original HTTPS requests triggered by “docker pull alpine” to a local mirrored registry without obvious information in user client that the obtained image comes from mirror: original image location is preserved, no specific proxy or mirror configuration in docker client/daemon to set.

Okay. If I am correctly understanding that your primary goal is to have the "original ... location is preserved", then please discard the terms "transparent" and "redirect" from your thoughts on this matter. They both introduce requirements that break what you are wanting.

To operate a mirror that can be used in place of an origin server, that mirror needs to be configured to both receive and understand the URLs produced by that origin server.

After which Squid simply uses the mirror as cache_peer to handle the traffic for the domain(s) that origin server provides. Like so:

  # define what can go to the mirror
  acl foo dstdomain foo.example.com
  # how to contact the mirror
  cache_peer mirror.server 80 0 originserver
  # cache_peer_access takes the peer's hostname (or name=) as its first argument
  cache_peer_access mirror.server allow foo
  cache_peer_access mirror.server deny all

If the mirror only knows its local mirror domain instead of the origin server's public domain, then use the cache_peer option "forceddomain=mirror-foo.example.com".

( Whether you URL-rewrite the path and query details before sending it to the mirror cache_peer is up to you. Just be aware that it is quite dangerous to do on a domain where you do not fully understand the meaning of those URL parts. YHBW. I advise not doing so.)


For the HTTPS, the complications are that:

1) you add another cache_peer with port 443. Same ACL setup.

2) Squid must receive the TLS traffic via:

 a) "https_port 443 accel ..." with local network routing client requests for the foo.example.com domain/IPs to this Squid listening port.


  OR/AND,

 b) SSL-Bump intercept of client CONNECT requests. Like so:

  # using 'foo' dstdomain ACL(s) from cache_peer_access rule(s)
  http_access allow CONNECT foo

  # same domains listed in 'foo' ACL(s)
  # but checking TLS ServerName instead of URL domain.
  acl fooS ssl::server_name ...

  # the ssl_bump rules below reference the SSL-Bump processing step,
  # which must be defined as an at_step ACL
  acl atStep1 at_step SslBump1
  acl atStep2 at_step SslBump2

  # or peek, YMMV. I just think stare is better for this use-case.
  ssl_bump stare atStep1

  # decrypt so we can decide whether URLs go to mirror or origin
  ssl_bump bump atStep2 fooS

  # pass anything else to origin untouched
  ssl_bump splice atStep2 !fooS


HTH
Amos
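The following is an added example, not part of the thread above and not configuration from the Squid project itself: a single squid.conf fragment that assembles the plain-HTTP mirror peer, the HTTPS mirror peer and both ways of receiving the client's TLS (accelerator port and SSL-Bump) into one coherent configuration. Hostnames (foo.example.com, mirror.server, mirror-foo.example.com), certificate paths and the listening ports are placeholders; the `tls` cache_peer option, `tls-cert=` and the `security_file_certgen` helper assume Squid 4 or later. The `proto` ACL, `never_direct` and `name=` peer labels are standard Squid directives used here to keep the port-80 and port-443 peers apart, which the thread does not spell out.

```conf
# domain(s) whose traffic should be served from the mirror (placeholder names)
acl foo  dstdomain        foo.example.com
acl fooS ssl::server_name foo.example.com

# helper ACLs: URL scheme of the request and SSL-Bump processing step
acl HTTPS proto HTTPS
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# two peers for the same mirror host; name= keeps their access rules separate.
# Drop forceddomain= if the mirror accepts foo.example.com as Host header.
cache_peer mirror.server 80  0 originserver     name=mirror80  forceddomain=mirror-foo.example.com
cache_peer mirror.server 443 0 originserver tls name=mirror443 forceddomain=mirror-foo.example.com

# http:// requests for foo go to port 80 of the mirror, https:// to port 443
cache_peer_access mirror80  allow foo !HTTPS
cache_peer_access mirror80  deny  all
cache_peer_access mirror443 allow foo HTTPS
cache_peer_access mirror443 deny  all

# never let a 'foo' request bypass the mirror and reach the origin directly
never_direct allow foo

# (a) accelerator port: the local network routes foo.example.com here
https_port 443 accel defaultsite=foo.example.com tls-cert=/etc/squid/foo.example.com.pem

# (b) forward-proxy port with SSL-Bump for clients that send CONNECT
http_port 3128 ssl-bump generate-host-certificates=on tls-cert=/etc/squid/bump-ca.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# only tunnel CONNECTs to the mirrored domain; bumped requests then match 'foo'
http_access allow CONNECT foo
http_access allow foo
http_access deny  all

# stare at step 1, decrypt only the mirrored domain, splice everything else
ssl_bump stare  step1
ssl_bump bump   step2 fooS
ssl_bump splice step2 !fooS
```

The two `cache_peer_access` pairs are the part worth checking in a test deployment: without the `HTTPS`/`!HTTPS` distinction Squid would consider both peers for every `foo` request, and without `never_direct` a peer failure silently falls back to the real origin, which defeats the purpose of the mirror.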

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
