Adding squid-dev since this is getting well into policy and development area.

> On tis, 2007-10-16 at 16:32 +1300, Amos Jeffries wrote:
>
>> I've looked at the code and I think this is caused as a side-effect of
>> "DEFAULT_IF_NONE: deny all" (@src/cf.data.pre:715) denying the initial
>> peer query (@src/htcp.cc:1236) when no other htcp_access are defined but
>> a peer is htcp_only.
>
> Looking. Looks fine. What was the original complaint again? I thought
> you had to htcp_access the peer you requested, not the requesting peer..

Squid configured with two HTCP peers and no htcp_access lines kept marking
them dead after a short timeout and never recovering them. Simply adding
"htcp_access allow X" fixed the problem.

> The default for all accesses (HTTP, ICP, HTCP, SNMP) is deny unless
> allowed.

Precisely. Simply flagging a peer as htcp is not enough to turn it on. As
now documented.

>
>> I've already updated the .conf docs to clearly point out the htcp_access
>> needs to be explicitly configured for htcp peers.
>
> Just as icp_access needs to be configured for icp peers...
>
> The difference between the two is that the suggested configuration of
> icp_access has an "icp_access allow all" overriding the default, while
> htcp_access has the same in a comment only. Personally I consider having
> icp_access allow all a mistake and that the htcp style is better, but

Hmm, I agree.

> both should be changed to have an acl listing the trusted networks
> rather than "all".

Hmm, good idea. You mean a visible default of both being "X_access deny
!localnet" with the backup default of both being "deny all"? Or the backup
default of both being the "deny !localnet"?

localnet also would consequently need adding to the suggested global acls.
Perhaps with the RFC1918 spaces as a good default for localnet.

Amos
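The two squid.conf situations discussed in this thread, written out as an added example (not a configuration posted by either author): the first fragment is the silent-deny case, where HTCP peers are declared but no htcp_access line exists so the built-in "deny all" applies; the second is the explicit trusted-network form. The peer hostnames and the RFC1918 localnet ranges are assumed for illustration.

```conf
# --- Fragment 1: the failing setup.
# Two siblings speak HTCP (4827 is the HTCP port), but there is no
# htcp_access line, so the compiled-in DEFAULT_IF_NONE "deny all"
# rejects the siblings' queries. Squid then marks both peers dead
# after the timeout and never recovers them.
# (sib1/sib2.example.net are assumed names.)
cache_peer sib1.example.net sibling 3128 4827 htcp
cache_peer sib2.example.net sibling 3128 4827 htcp

# --- Fragment 2: the explicit, trusted-network form.
# localnet is the acl the thread suggests adding to the global acls,
# populated here with the RFC1918 ranges (an assumption, adjust to
# the networks the siblings actually live on).
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

cache_peer sib1.example.net sibling 3128 4827 htcp
cache_peer sib2.example.net sibling 3128 4827 htcp

# Grant HTCP only to the trusted networks, then deny everything else
# explicitly rather than relying on the hidden default.
htcp_access allow localnet
htcp_access deny all

# Same shape for ICP, instead of the "icp_access allow all" that the
# shipped configuration suggests.
icp_access allow localnet
icp_access deny all
```

Only the second fragment is meant to be used as-is; the first is shown so the missing line is obvious next to the corrected form.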