Chacha is an HTTP caching proxy aimed to speed-up cache retrieval operations for Cirrus Runners and VM image fetches through OCI for Tart.
It can store cached entries on local disk with bounded size and work in cluster mode to store cache entries on other Chacha nodes (sharding) to increase the overall storage capacity.
Chacha supports TLS interception to handle HTTPS requests that normally utilize the CONNECT method to connect to the target HTTPS server.
Chacha tries to build on:
With the following exceptions:
- Chacha is always validating: latency is traded for simplicity and security
- For certain URLs, you can specify
rulesto override the default standard-like behavior, for example, you can:- ignore the existence of
Authorizationheader in the request for caching purposes - skip certain URL parameters (e.g.
X-Amz-Datein S3 pre-signed URLs) from the cache key for caching purposes
- ignore the existence of
Can be implicit (:8080, non-cluster mode only) or explicit (127.0.0.1:8080, normal and cluster modes).
addr(string, required)
addr: 127.0.0.1:8080Enables caching of HTTP response bodies on local disk, with an optional limit after which evictions will occur.
disk(mapping, optional)dir(string, required) — directory in which cache entries will be storedlimit(string, required) — limit (e.g.50GB) after which Chacha will start dropping the least recently accessed entries to free up the space
disk:
dir: /chacha
limit: 50GBTLS interceptor functionality allows Chacha to support CONNECT method, which is usually what proxy clients use to establish the connection with an HTTPS server.
TLS interceptor configuration requires a CA certificate and a key, both of which can be generated using OpenSSL:
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj "/CN=Chacha Proxy Server"tls-interceptor(mapping, optional)cert(string, required) — path to a CA certificate in PEM formatkey(string, required) — path to a CA private key in PEM format
tls-interceptor:
cert: /etc/chacha/root-ca.pem
key: /etc/chacha/root-key.pemOffers an escape hatch for violating RFC specifications for certain URLs.
paths(sequence, optional)pattern(string, required) — regular expression that matches the URL to be proxiedignore-authorization-header(boolean, optional) — whether to ignore the existence ofAuthorizationheader for a given URL request, thus enabling its cachingignore-parameters(sequence of strings, optional) — names of URL parameters to not include in the final cache key
paths:
- pattern: "https:\/\/ghcr.io\/v2\/.*\/blobs\/sha256:[^\/]+"
ignore-authorization-header: true
- pattern: "https:\/\/[^\/]+.r2.cloudflarestorage.com\/.*"
ignore-parameters:
- "X-Amz-Date"
- "X-Amz-Signature"Enabling cluster mode distributes Chacha's cache across multiple nodes.
When enabled, Chacha performs a cache operation by picking a single node from nodes using a rendezvous hashing algorithm with the calculated cache key, and then:
- in case Chacha's own
addris identical to the selected node — it'll use a local disk cache, which will additionally be exposed to other nodes via Chacha's KV protocol - otherwise — Chacha will use a remote disk cache (through Chacha's KV protocol) on the selected node
Structure:
cluster(dict, optional)secret(string, required) — secret token used for authentication and authorization between nodesnodes(sequence of dicts, required) — a list of nodes responsible for storing the cache entriesaddr(string, required) — address of the Chacha node
Example:
addr: 192.168.0.1:8080
cluster:
secret: "AV8B._W.@cr7-n3ZcnBkUtXy7natj.KN"
nodes:
- addr: 192.168.0.2:8080
- addr: 192.168.0.8:8080
- addr: 192.168.0.16:8080chacha run -f config.yaml