acl and never_direct


I have a squid hierarchy consisting of a pair of load-balanced siblings 
and a parent that sits on the security perimeter.  All three caches are 
configured to use cache digests.

Load balancing is accomplished using a proxy.pac file that defines a 
simple hashing algorithm that selects one of the load-balanced siblings
to service the request.  To address the case where the selected sibling 
might be unavailable, its sibling is defined as an alternate.

There are approximately 80 locations in our corporate wide area network.  
The Squid hierarchy, described above, is located at my facility and it 
serves, primarily, only systems on the local area network.

What I would like to happen is the following.

   (1)	If the web site is located in my facility, I want the siblings
	to access the web site directly.
   (2)	If the web site is connected to our corporate wide area network,
	I want the siblings to check each other's cache for the URI and
	go directly to the web site if the content has not been cached.
   (3)	If the web site is external to our corporate wide area network,
	I want the siblings to forward the request to the parent cache
	if the content has not been cached by the other sibling.

Configuring squid to use the cache digest appears to solve the problem of 
checking whether or not the content has already been cached.  It does have 
the effect of eliminating most of the ICP traffic.

I've defined the following acls.

   (1)	acl GDAIS_CATO dstdomain .cato.gd-ais.com
   (2)	acl GDAIS_WAN  dstdomain .gd-ais.com
	acl GDAIS_WAN  dst	 166.16.0.0/16

And, I have the following defined.

   (1)	always_direct allow GDAIS_CATO
   (2)	never_direct  deny  GDAIS_WAN
	never_direct  allow all

This appears to achieve my goals with the exception of the one internal 
location that insists on using IP addresses.  They started doing this 
because their DNS servers wouldn't resolve the domain names correctly due 
to configuration errors.

The problem that I am having is that HTTP requests that use an IP address 
are being forwarded to the parent cache.  Can you not combine "dstdomain" 
and "dst" in the same acl?

How does Squid process a request that uses an IP address?

	http://166.16.x.y/whatever/

Merton Campbell Crockett


-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc@xxxxxxxxxxxxxxx
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
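
The configuration from the message above with the mixed-type ACL split into one ACL per type, as an added example that is not part of the original post. GDAIS_WAN_NET is a hypothetical name chosen here; the domains and the 166.16.0.0/16 network are the ones given in the post.

```conf
# Added example, not from the original post.
# GDAIS_WAN_NET is a hypothetical ACL name used for illustration.

# As posted: one ACL name carrying two ACL types (dstdomain and dst).
#   acl GDAIS_WAN  dstdomain .gd-ais.com
#   acl GDAIS_WAN  dst       166.16.0.0/16

# Split by type: each ACL name holds exactly one ACL type.
acl GDAIS_CATO     dstdomain .cato.gd-ais.com
acl GDAIS_WAN      dstdomain .gd-ais.com
acl GDAIS_WAN_NET  dst       166.16.0.0/16

# Goal (1): sites in the local facility are always fetched directly.
always_direct allow GDAIS_CATO

# Goal (2): corporate WAN sites, whether requested by name or by
# address (http://166.16.x.y/...), may still be fetched directly.
# ACLs listed on one line are ANDed; separate lines are checked in
# order and the first matching line decides.
never_direct deny  GDAIS_WAN
never_direct deny  GDAIS_WAN_NET

# Goal (3): everything else must be forwarded to a peer, which here
# is the parent on the security perimeter.
never_direct allow all
```

Running `squid -k parse` against the edited file reports ACL definition errors before the change is loaded.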
