After enabling debug_options 28,3 & 44,3 I can see that Squid is
processing my ACLs exactly as I would expect (log dump below). Squid is
identifying that requests for my intranet should be going direct and yet
I am still receiving a Websense error page, indicating that this is not
the case.

There is clearly something else going on here that I do not yet
understand. Can anyone advise what other factors would influence whether
Squid connects directly or through a parent cache?

Thanks,

Chris

Cache.log for a single request for intranet.mydomain.co.uk with
debug_options 28,3 44,3:

----------------------------------------------------------------------------------------------------------
2010/11/18 16:40:27| aclCheck: checking 'http_access allow all'
2010/11/18 16:40:27| aclMatchAclList: checking all
2010/11/18 16:40:27| aclMatchAcl: checking 'acl all src all'
2010/11/18 16:40:27| aclMatchIp: '10.128.210.121' found
2010/11/18 16:40:27| aclMatchAclList: returning 1
2010/11/18 16:40:27| aclCheck: match found, returning 1
2010/11/18 16:40:27| aclCheckCallback: answer=1
2010/11/18 16:40:27| peerSelect: http://intranet.mydomain.co.uk/
2010/11/18 16:40:27| peerSelectFoo: 'GET intranet.mydomain.co.uk'
2010/11/18 16:40:27| aclCheck: checking 'always_direct allow localdomain'
2010/11/18 16:40:27| aclMatchAclList: checking localdomain
2010/11/18 16:40:27| aclMatchAcl: checking 'acl localdomain dstdomain .mydomain.co.uk'
2010/11/18 16:40:27| aclMatchDomainList: checking 'intranet.mydomain.co.uk'
2010/11/18 16:40:27| aclMatchDomainList: 'intranet.mydomain.co.uk' found
2010/11/18 16:40:27| aclMatchAclList: returning 1
2010/11/18 16:40:27| aclCheck: match found, returning 1
2010/11/18 16:40:27| aclCheckCallback: answer=1
2010/11/18 16:40:27| peerCheckAlwaysDirectDone: 1
2010/11/18 16:40:27| peerSelectFoo: 'GET intranet.mydomain.co.uk'
2010/11/18 16:40:27| peerSelectFoo: direct = DIRECT_YES
2010/11/18 16:40:27| peerSelectCallback: http://intranet.mydomain.co.uk/
2010/11/18 16:40:27| aclMatchAclList: checking all
2010/11/18 16:40:27| aclMatchAcl: checking 'acl all src all'
2010/11/18 16:40:27| aclMatchIp: '10.128.210.121' found
2010/11/18 16:40:27| aclMatchAclList: returning 1
2010/11/18 16:40:27| aclCheck: checking 'http_reply_access allow all'
2010/11/18 16:40:27| aclMatchAclList: checking all
2010/11/18 16:40:27| aclMatchAcl: checking 'acl all src all'
2010/11/18 16:40:27| aclMatchIp: '10.128.210.121' found
2010/11/18 16:40:27| aclMatchAclList: returning 1
2010/11/18 16:40:27| aclCheck: match found, returning 1
2010/11/18 16:40:27| aclCheckCallback: answer=1
----------------------------------------------------------------------------------------------------------

On 18 November 2010 08:14, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 18/11/10 08:35, Chris Gallacher wrote:
>>
>> Hello,
>>
>> I am experiencing issues when trying to configure Squid to bypass my
>> company's parent proxy for local hosts. My configuration is as
>> follows:
>>
>> (User Facing Proxy - Squid) <-> (Parent Proxy - Squid) <-> (Parent Proxy - Websense)
>>
>> Both of the Squid proxies are running squid-2.7.STABLE8 on Windows
>> Server 2003 SP2 boxes.
>>
>> Config file for user facing proxy (Stripped to bare essentials for
>> troubleshooting):
>>
>> ------------------------------------------------------------------------------------------------------------------
>> cache_peer parentproxy.mydomain.co.uk parent 8082 0 login=PASS connection-auth=on
>> append_domain .mydomain.co.uk
>>
>> acl all src all
>> acl localdomain dstdomain .mydomain.co.uk
>> acl localip dst 10.0.0.0/8
>>
>> always_direct allow localdomain
>> always_direct allow localip
>> never_direct allow all
>> http_access allow all
>>
>> -------------------------------------------------------------------------------------------------------------------
>>
>> When trying to access intranet.mydomain.co.uk I would expect Squid to
>> match this request with the first, and if not the second, of the
>> always_direct access lists and connect directly to the internal web
>> server, presenting me with my company's main intranet page. Instead I
>> am presented with a Websense "Page cannot be displayed" error,
>> indicating that the request was in fact forwarded to the Squid parent
>> proxy and then on to Websense.
>>
>> As you may have guessed I am new to Squid, and to Proxy servers in
>> general. If anyone can provide advice regarding where I have gone
>> wrong with my configuration or which debug sections would best help me
>> to understand how requests are being processed by Squid your
>> assistance would be greatly appreciated.
>
>
> That first line should be matching. IIRC "debug_options 28,3 44,3" will tell
> you what is going on.
>
>
> You could also use these instead of your never_direct line:
>
>  cache_peer_access parentproxy.mydomain.co.uk deny localdomain
>  cache_peer_access parentproxy.mydomain.co.uk deny localip
>  never_direct allow !localdomain !localip
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.9
>   Beta testers wanted for 3.2.0.3
>
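
Added example (not part of the original thread and not Squid project code): a small Python parser for the section 28/44 debug lines in the log dump above, reporting for each peerSelect which routing rules were evaluated and the resulting "direct =" value. The sample is an excerpt of that trace with most aclMatch* detail lines omitted; the function name forwarding_decisions is hypothetical, and answer=1 is read as "rule matched" as it appears in the trace.

```python
import re

# Excerpt of the cache.log trace from the message above (detail lines omitted).
SAMPLE_LOG = """\
2010/11/18 16:40:27| aclCheck: checking 'http_access allow all'
2010/11/18 16:40:27| aclCheckCallback: answer=1
2010/11/18 16:40:27| peerSelect: http://intranet.mydomain.co.uk/
2010/11/18 16:40:27| aclCheck: checking 'always_direct allow localdomain'
2010/11/18 16:40:27| aclMatchDomainList: 'intranet.mydomain.co.uk' found
2010/11/18 16:40:27| aclCheckCallback: answer=1
2010/11/18 16:40:27| peerSelectFoo: direct = DIRECT_YES
2010/11/18 16:40:27| aclCheck: checking 'http_reply_access allow all'
2010/11/18 16:40:27| aclCheckCallback: answer=1
"""

# "<timestamp>| <function>: <message>" as printed in the trace.
LINE = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\| (\w+): (.*)$")

def forwarding_decisions(log_text):
    """One dict per peerSelect: URL, routing ACL verdicts, final 'direct' value."""
    decisions, current, pending = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        func, msg = m.groups()
        if func == "peerSelect":
            current = {"url": msg, "rules": [], "direct": None}
            decisions.append(current)
        elif func == "aclCheck" and msg.startswith("checking '"):
            pending = msg[len("checking '"):-1]  # directive being evaluated
        elif func == "aclCheckCallback" and pending is not None:
            # Keep only checks made while peer selection is still undecided;
            # http_access / http_reply_access fall outside that window.
            if current is not None and current["direct"] is None:
                current["rules"].append((pending, msg == "answer=1"))
            pending = None
        elif func == "peerSelectFoo" and msg.startswith("direct = "):
            if current is not None:
                current["direct"] = msg[len("direct = "):]
    return decisions

if __name__ == "__main__":
    for d in forwarding_decisions(SAMPLE_LOG):
        print(d["url"], d["direct"], d["rules"])
```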