[squid-users] Problem with cache_peer_domain

 



Squid Cache: Version 2.5.STABLE9

My local squid uses a parent proxy passing the login credentials to it:

    cache_peer frd-proxy parent 8080 3130 login=PASS no-query

For one special application (exchange data with "elster") this does not work
because of the logon procedure. I tried to solve it using ACLs and
cache_peer_domain.

   cache_peer frd-proxy parent 8080 3130 login=PASS no-query
   cache_peer frd-proxy-nologon parent 8080 3130 login=name:topsecret no-query

The application should not log on to the local proxy and should use the second
parent "frd-proxy-nologon".

   cache_peer_domain    frd-proxy-nologon    BOE-ELSTER
   cache_peer_domain    frd-proxy            !BOE-ELSTER

   acl BOE-ELSTER             dst  80.146.179.0/255.255.255.0
   acl BOE-ELSTER             dst  193.109.238.0/255.255.255.0
   http_access allow BOE-ELSTER

Unfortunately this does not work. access.log shows that the application
contacts the wrong proxy "frd-proxy" instead of "frd-proxy-nologon":

1111588597.594    696 10.23.5.205 TCP_MISS/407 1299 POST http://80.146.179.3/Elster2/EMS - FIRST_UP_PARENT/frd-proxy text/html
1111588598.154    543 10.23.5.205 TCP_MISS/407 1299 POST http://193.109.238.58/Elster2/EMS - FIRST_UP_PARENT/frd-proxy text/html
1111588598.815    649 10.23.5.205 TCP_MISS/407 1299 POST http://193.109.238.59/Elster2/EMS - FIRST_UP_PARENT/frd-proxy text/html
1111588599.132    304 10.23.5.205 TCP_MISS/407 1299 POST http://80.146.179.2/Elster2/EMS - FIRST_UP_PARENT/frd-proxy text/html


Debugging shows that the ACL BOE-ELSTER is working well:

2005/03/23 09:36:36| aclCheck: checking 'http_access allow BOE-ELSTER'
2005/03/23 09:36:36| aclMatchAclList: checking BOE-ELSTER
2005/03/23 09:36:36| aclMatchAcl: checking 'acl BOE-ELSTER             dst 80.146.179.0/255.255.255.0'
2005/03/23 09:36:36| The request POST http://80.146.179.3:80/Elster2/EMS is ALLOWED, because it matched 'BOE-ELSTER'
2005/03/23 09:36:37| aclCheck: checking 'http_access allow BOE-ELSTER'
2005/03/23 09:36:37| aclMatchAclList: checking BOE-ELSTER
2005/03/23 09:36:37| aclMatchAcl: checking 'acl BOE-ELSTER             dst 80.146.179.0/255.255.255.0'
2005/03/23 09:36:37| The request POST http://193.109.238.58:80/Elster2/EMS is ALLOWED, because it matched 'BOE-ELSTER'
2005/03/23 09:36:38| aclCheck: checking 'http_access allow BOE-ELSTER'
2005/03/23 09:36:38| aclMatchAclList: checking BOE-ELSTER
2005/03/23 09:36:38| aclMatchAcl: checking 'acl BOE-ELSTER             dst 80.146.179.0/255.255.255.0'
2005/03/23 09:36:38| The request POST http://193.109.238.59:80/Elster2/EMS is ALLOWED, because it matched 'BOE-ELSTER'
2005/03/23 09:36:38| aclCheck: checking 'http_access allow BOE-ELSTER'
2005/03/23 09:36:38| aclMatchAclList: checking BOE-ELSTER
2005/03/23 09:36:38| aclMatchAcl: checking 'acl BOE-ELSTER             dst 80.146.179.0/255.255.255.0'
2005/03/23 09:36:38| The request POST http://80.146.179.2:80/Elster2/EMS is ALLOWED, because it matched 'BOE-ELSTER'


Why does it use the wrong proxy?


Werner Rost
GMT-FIR - Netzwerk
 
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175, 53175 Bonn, Deutschland/Germany
Telefon/Phone +49 228 3825 - 420
Telefax/Fax +49 228 3825 - 398
werner.rost@xxxxxx


>-----Original Message-----
>From: Henrik Nordstrom [mailto:hno@xxxxxxxxxxxxxxx]
>Sent: Saturday, 5 March 2005 03:47
>To: Rost Werner ZFBE GMT-ISN
>Cc: squid-users@xxxxxxxxxxxxxxx
>Subject: Re: [squid-users] Parent
>
>
>On Fri, 4 Mar 2005 Werner.Rost@xxxxxx wrote:
>
>> And now we have to avoid auth. on the parent for this URL. I need a 
>> construct like
>>   if NOLOGON then cache_peer parent-proxy parent 8080 3130 login=user:secret no-query
>>
>> which replaces "login=PASS" by a fixed username:password.
>>
>> How can we do this? Is it possible?
>
>Yes. You only need to use two different names for the same parent, and 
>cache_peer_access to control what is sent "where".
>
>> Another possibility would be to define a second parent say
>>   cache_peer parent-proxy-1 parent 8080 3130 login=user:secret no-query
>>
>> and connect this URL to this second proxy, say:
>>   if NOLOGON then use parent-proxy-1
>>
>> How can we do this? Is it possible?
>
>same thing.
>
>Squid does not care if the two peers are the same proxy or two different
>proxies. All it cares is that it thinks it is two different proxies (by
>having different names in the cache_peer directive).
>
>Regards
>Henrik
>
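
Added example, not part of the original messages and not taken from the Squid project: cache_peer_domain compares its arguments with the host name of the request, so BOE-ELSTER is read there as a domain name and the ACL is never evaluated; cache_peer_access, the directive named in the quoted reply, takes ACL names. The fragment reuses the peer names, credentials and ACL from the message above and introduces nothing else.

```conf
# Define the ACL before any directive that refers to it.
acl BOE-ELSTER dst 80.146.179.0/255.255.255.0
acl BOE-ELSTER dst 193.109.238.0/255.255.255.0
http_access allow BOE-ELSTER

# Same parent proxy under two peer names, as in the original message.
cache_peer frd-proxy         parent 8080 3130 login=PASS no-query
cache_peer frd-proxy-nologon parent 8080 3130 login=name:topsecret no-query

# Misapplied form from the message: these arguments are treated as domain
# names, so "!BOE-ELSTER" matches every real host and frd-proxy stays
# eligible for all requests.
#   cache_peer_domain frd-proxy-nologon BOE-ELSTER
#   cache_peer_domain frd-proxy         !BOE-ELSTER

# ACL-based peer selection: the fixed-credential peer only for the
# BOE-ELSTER destinations, the login=PASS peer for everything else.
cache_peer_access frd-proxy-nologon allow BOE-ELSTER
cache_peer_access frd-proxy-nologon deny  !BOE-ELSTER
cache_peer_access frd-proxy         deny  BOE-ELSTER
cache_peer_access frd-proxy         allow !BOE-ELSTER
```

After a reconfigure, the hierarchy field of access.log for the 80.146.179.0/24 and 193.109.238.0/24 destinations should name frd-proxy-nologon instead of frd-proxy. Because the second cache_peer line carries a fixed username and password, squid.conf should be readable only by the account that runs Squid.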

