Squid Users Guide

More Configuration Details	_	_	_
INDEX BACK NEXT	_	_	_

Cache accelerator mode

Accelerator mode is a different operating style where instead of acting as a proxy, Squid acts as an origin web server. Instead of serving up fixed (static) documents, though, it fetches documents from one or more origin servers. It is called an accelerator since it can serve up documents faster than classic httpd servers, which keep all pages on disk and tend to do more computation per request.

Why run an accelerator?

These are some reasons why you might want to run a web accelerator using Squid:

Server performance. Squid performs faster than the original web server, so you would like to make Squid the front end server, and put the original one behind it.
Network performance. The origin server can be on a slow network, such as across international links. A web accelerator or mirror closer to the rest of the Net, physically located in the US for example, will make your web site faster for the rest of the world.
Squid is easier to maintain than a regular httpd since you only have to add pages on the origin server and the mirror will catch up. You might want to put Expires headers in your HTTP responses to make sure that the mirror is not serving stale data.
Anything that requires real intelligence on the part of the web server, such as CGI scripts, will be forwarded on to the origin server.
Security. You can use Squid to hide an internal server, or one is that is prone to attack, behind an accelerator. Web users visiting your site will never touch the internal server. If your web server is vulnerable to data-driven attacks, such as invalid URLs, Squid will either complain about them, or you can set up ACLs to block them off.
One disadvantage is that the origin server will not know the original IP address of the clients, except through the X-Forwarded-For HTTP header. This will affect logging and visitor analysis, as well as document protection access control lists. You might want to move this log analysis to your accelerator instead.

Configuring Squid as an Accelerator

To make Squid run in accelerator mode, set the http_port value to the port number you want it to listen to. This is usually the HTTP port, 80. Note that Squid must initially run as root to be able to bind to port 80.

The next step is to select the origin server you want to accelerate. You can make Squid choose one of three methods of operation:

Accelerate only one origin server. Set httpd_accel origin-host origin-port in the HTTPD-ACCELERATOR OPTIONS section. The origin-host can be any host, or even localhost if the origin web server is on the same machine.
Accelerate many origin servers using virtual host support mode. This assumes that your server has multiple interfaces - Squid will bind to all of them. Specify httpd_accel virtual. This method requires an URL redirector to translate from the IP address the request was received on. Assume that your interfaces are 192.168.0.1 and 192.168.0.2. Squid will give the redirector http://192.168.0.1/ or http://192.168.0.2/, and the redirector should map these IP addresses to the corresponding hosts, say www.domain1.com and www.domain2.com. This script is based on the one given in the Release Notes.
#!/usr/bin/perl $|=1; while (<>) { s@http://192\.168\.0\.1@http://www.domain1.com@; s@http://192\.168\.0\.2@http://www.domain2.com@; print; }
Accelerate many origin servers using the Host header. This conserves IP addresses since only one in needed to handle an unlimited number of hosts. Instead, the client sends the desired hostname in the HTTP/1.1 Host header. However, this relies on the browser supporting that part of the protocol. Older browsers such as Netscape < 2, MSIE < 3, and Lynx < 2.5 did not, and will fall back to the server given in httpd_accel. To turn on this behavior, set httpd_accel_uses_host_header on. Squid will then use the Host header to determine what to use as the origin server.
A redirector is required to translate the specified hostname into the origin server. Otherwise, Squid will try to accelerate itself, which is not very useful. Assuming the original hosts are called www and the accelerator is called www2, this script will do the translation:
#!/usr/bin/perl $|=1; while (<>) { s@http://www2.domain1.com@http://www.domain1.com@; s@http://www2.domain2.com@http://www.domain2.com@; print; }

The comments in squid.conf note that this can be a security hole, since Squid does not check the Host value, and be made to load any arbitrary web object, which is not desirable. To protect against this, create an ACL with the dstdomain keyword that will limit the domains honored by the accelerator. For example:

acl okdomains dstdomain domain1.com domain2.com http_access deny !okdomains http_access allow all