Problem with fail over to parents

Hello !

I have problems on a squid3 with parent fail over.

The installation has the following layout.
client --> internal-proxy --> external-proxy (2 instances parent-1 and
parent-2) --> internet

The client is a business application that needs to communicate with
distinct partners on the internet.
The internal proxy implements a white list filtering for allowed urls.
The external proxies are sitting in a network zone with access to the
internet. They are located in 2 different computing centers with
dedicated internet connections.


Everything is well, if both parents are running. The whole traffic is
routed to parent-1 (sitting in the same computing center).

If I shut down parent-1 no fail over to parent-2 happens.
I can track down the problem (debug 15,9) to the following log statements:

2009/12/03 22:36:01.920| getFirstUpParent: returning 192.168.253.17              # should be dead
2009/12/03 22:36:01.920| peerGetAllParents: adding alive parent 192.168.253.17   # should be dead
2009/12/03 22:36:01.920| peerGetAllParents: adding alive parent 192.168.253.18   # running

The access log says that the requests are still handled by
FIRST_UP_PARENT: TCP_MISS:FIRST_UP_PARENT
The result is a 503: X-Squid-Error: ERR_CONNECT_FAIL 111

The squid.conf follows below.

Has anybody a hint?

Best regards,

H.-Dirk Schmitt

======================================================
squid.conf:
# bind to network interface and port
http_port 192.168.1.xxx:10028
icp_port 0
snmp_port 0

# cache dir
cache_dir ufs /opt/squid/proxy-internal/squid-cache 512 16 255

# log files
cache_access_log /opt/squid/proxy-internal/logs/access.log
cache_log        /opt/squid/proxy-internal/logs/cache.log
cache_store_log  /opt/squid/proxy-internal/logs/store.log

logfile_rotate 30 # keep 30 files, rotated daily via crontab

# pid file
# not used by amt, generates equivalent pid
pid_filename /opt/squid/proxy-internal/squid.pid

# for logging, error pages, ...
visible_hostname XXXXX320-prod

# access log in common format
# Client Ident - [Timestamp1] "Method URI" Type Size
emulate_httpd_log on


# email in error pages
cache_mgr service-desk@xxxxxxxxxxxxxxxxxxxxx

# -----------------------------------------------
# DEBUGGING OUTPUT
debug_options 15,9


# -----------------------------------------------
# common acl definitions
# acl all src 0.0.0.0/0.0.0.0 --> internally defined
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localhost src 192.168.1.139/255.255.255.255

acl CLIENTS src 192.168.1.139/255.255.255.255
acl CLIENTS src 127.0.0.1/255.255.255.255
acl CLIENTS src 192.168.1.126/32


acl ORG_INTERN dst 192.168.0.0/255.255.0.0 xxx.xxx.xxx.0/255.255.255.0

acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
acl MANAGER proto cache_object

# disabling caching
cache deny all

# route traffic to bvzs internal destinations ip direct
never_direct  allow !ORG_INTERN
always_direct allow  ORG_INTERN


# parent caches for external traffic
cache_peer 192.168.253.17 parent xxx28 xxx30 proxy-only no-query name=parent-1
cache_peer 192.168.253.18 parent xxx28 xxx30 proxy-only no-query name=parent-2

netdb_ping_period 1 minutes

dead_peer_timeout 10 seconds

# deny proxy access for internal traffic
cache_peer_access parent-1 deny ORG_INTERN
cache_peer_access parent-2 deny ORG_INTERN


# block CONNECT for ports other than SSL ports
# not possible because of mcft protol
#http_access deny CONNECT !SSL_Ports

# cachemgr should be restricted to localhost
http_access allow MANAGER localhost
http_access deny MANAGER

# purge should be restricted to localhost
http_access allow PURGE localhost
http_access deny  PURGE

http_access deny !CLIENTS

# whitelist checker
external_acl_type whiteExternal children=10 %DST %PORT /opt/squid/proxy-internal/etc/squid/whiteExternal
acl whiteExternal external whiteExternal
http_access allow whiteExternal

# url rewriter
url_rewrite_program /opt/squid/proxy-internal/etc/squid/internalMapper
url_rewrite_children 10

# allow replies from all
http_reply_access allow all


-- 
------------------------------------------------------------------------

H.-Dirk Schmitt <http://www.computer42.org>
Dipl. Math.

eMail:/dirk.schmitt@xxxxxxxxxxxxxx/
mobile:/+49 177 616 8564/
phone: /+49 2642 99 41 10/
fax: /+49 2642 99 41 15/

Kripper Str. 35, D-53489 Sinzig
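
The 503 with `ERR_CONNECT_FAIL 111` in the post means the TCP connect to the selected parent was refused. The following is an added example, not part of the original message: a small check, run from the internal proxy host, that reads the `cache_peer ... parent` lines from a squid.conf and tests whether each parent accepts TCP connections. The function names are hypothetical, and the ports 3128/3130 in the sample are placeholders because the post redacts the real ones.

```python
import socket
import sys

# Constructed sample: the post's two cache_peer lines. 3128/3130 are placeholder
# ports, because the original message redacts the real ones.
SAMPLE_CONF = """\
cache_peer 192.168.253.17 parent 3128 3130 proxy-only no-query name=parent-1
cache_peer 192.168.253.18 parent 3128 3130 proxy-only no-query name=parent-2
cache_peer_access parent-1 deny ORG_INTERN
"""


def parse_parents(conf_text):
    """Return (name, host, http_port) for every 'cache_peer <host> parent ...' line."""
    parents = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "cache_peer" or fields[2] != "parent":
            continue
        host, http_port = fields[1], int(fields[3])
        # Fall back to the host when no name= option is given.
        name = next((f[5:] for f in fields[5:] if f.startswith("name=")), host)
        parents.append((name, host, http_port))
    return parents


def probe(host, port, timeout=2.0):
    """Try a TCP connect; return (True, 'up') or (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "up"
    except OSError as exc:  # refused, unreachable, timed out, ...
        return False, str(exc)


def check_parents(conf_text, timeout=2.0):
    """Map each parent name to its probe result."""
    return {name: probe(host, port, timeout)
            for name, host, port in parse_parents(conf_text)}


if __name__ == "__main__":
    # Usage: script.py [path/to/squid.conf]; without an argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for name, (ok, detail) in check_parents(text).items():
        print(f"{name}: {'UP' if ok else 'DOWN'} ({detail})")
```

Comparing this output with the `peerGetAllParents: adding alive parent` lines in cache.log shows whether Squid still counts a parent as alive while its port refuses connections.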

