Re: [squid-users] [suiqd-2.7STABLE6-1]Problem RPC via HTTPS [SOLVED]

hdyugoplastika hdyugoplastika wrote:

I have solved it!!!

There was one error on the RPC client side (my stupid type of error on user) and this is the final configuration (with load balance on cache_peer):

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl QUERY urlpath_regex cgi-bin \?
acl QUERY urlpath_regex ARSystem.css
acl QUERY urlpath_regex LocalizedMessages_it.js

no_cache deny QUERY

acl xxxx src 192.168.55.0/24
acl xxxx src 10.221.121.0/24
acl easy_bb src xxx.xxx.64.0/19
acl easy_bb src xxx.xxx.224.0/19
acl easy_bb src xxx.xxx.16.0/20
acl easy_bb src xxx.xxx.81.0/24
acl easy_bb src xxx.xxx.87.0/24
acl easy_bb src xxx.xxx.26.0/24
acl easy_bb src xxx.xxx.144.0/20
acl easy_bb src xxx.xxx.240.0/20

acl access_mail urlpath_regex -i "/etc/squid/users/access_mail.txt"
acl access_url url_regex -i "/etc/squid/url_valid.txt"

acl acl_pfa dstdomain webmail.XXXxxx.it

http_access deny easy_bb

http_access allow xxxx
http_access allow access_mail
http_access allow access_url

http_access allow localhost
http_access deny all

http_reply_access allow all

icp_access allow all

ssl_unclean_shutdown on

http_port 80 transparent

https_port 10.223.247.201:443 accel vhost cert=/etc/squid/cert/wm.XXXxxx.it.cert key=/etc/squid/cert/wm.XXXxxx.it.private.key cafile=/etc/squid/cert/cafile.cert defaultsite=webmail.XXXxxx.it

cache_peer mi1exprom1.nf.xxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS
cache_peer mi2exprom2.nf.xxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS
cache_peer mi1exprom2.nf.xxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS
cache_peer mi2exprom1.nf.xxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS


As per my original statement: do not use sourcehash round-robin

Why? Because they are competing methods of selection:

sourcehash - ensure that every client IP is softly 'tagged' to a certain peer for all of its requests.

round-robin - ensure that a different server peer is chosen on every single request.

Bad things occur if this is gotten wrong. Constant login popups are not unusual with RPC/OWA mistakes.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
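
The conflict described in the reply above can be checked mechanically before a config is deployed. The following is an added example, not part of the original thread or of Squid itself: a small linter that flags cache_peer lines naming more than one selection method, and also reports peers whose TLS certificate verification is switched off with sslflags=DONT_VERIFY_PEER. The function name, the peer hostnames and the sample config are constructed for illustration.

```python
# Selection algorithms accepted by cache_peer. Each is a complete
# algorithm on its own, so a peer should name at most one of them.
SELECTION_METHODS = {"round-robin", "weighted-round-robin", "carp",
                     "userhash", "sourcehash"}


def check_cache_peers(conf_text):
    """Return (line_no, peer_host, finding) tuples for cache_peer lines."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()   # drop trailing comment
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        if len(tokens) < 5 or tokens[0] != "cache_peer":
            continue
        host, options = tokens[1], tokens[5:]

        # More than one selection method on a peer is the mistake the
        # reply warns about (sourcehash pins a client, round-robin rotates).
        methods = [o for o in options if o in SELECTION_METHODS]
        if len(methods) > 1:
            findings.append((line_no, host,
                             "competing selection methods: "
                             + " + ".join(methods)))

        # DONT_VERIFY_PEER means the proxy accepts any certificate the
        # backend presents, so the proxy-to-peer hop is unauthenticated.
        for opt in options:
            if opt.startswith("sslflags="):
                flags = opt.split("=", 1)[1].split(",")
                if "DONT_VERIFY_PEER" in flags:
                    findings.append((line_no, host,
                                     "peer certificate verification disabled"))
    return findings


# Constructed sample input; hostnames are placeholders.
SAMPLE_CONF = """\
cache_peer peer1.example.net parent 443 0 ssl sslflags=DONT_VERIFY_PEER no-query sourcehash round-robin originserver login=PASS
cache_peer peer2.example.net parent 443 0 ssl no-query sourcehash originserver login=PASS
http_access deny all
"""

if __name__ == "__main__":
    for line_no, host, finding in check_cache_peers(SAMPLE_CONF):
        print(f"line {line_no}: {host}: {finding}")
```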
