Re: cache_peer causes 'https proxy request speaking HTTP to HTTPS port' error

On 27/05/11 02:36, Stephan Hügel wrote:
Squid-2.x is not being maintained.
Squid-3.1.12 and later releases have the fix.

OK, I've built and installed Squid 3.1.12, run squid3 -k parse, and removed the
'acl all src all' and 'upgrade_http0.9 deny shoutcast' entries, as
these were causing errors. Conf is now:


# acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.10.10.0/24  # RFC1918 possible internal network
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$       0       20%     2880
refresh_pattern .               0       20%     4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
# upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
# broken_vary_encoding allow apache
hosts_file /etc/hosts
cache_peer [domain.com ip] parent 443 0 originserver ssl sslcert=/etc/squid/certs/ccp.pem name=AB
acl site dstdomain [www.domain.com]
cache_peer_access AB allow site
never_direct allow site
http_access allow localnet
icp_access allow localnet


However, when I look at access.log now, I'm seeing the following:
TCP_MISS/200 5223 CONNECT [domain.com]:443 - DIRECT/xxx.xxx.xxx.xx -

Whereas with Squid 2 I was seeing:
TCP_MISS/000 307 CONNECT [domain.com]:443 - FIRST_UP_PARENT/AB -

Is there a difference in the way Squid 3 matches the 'site' dstdomain
entry and calls the AB cache_peer address?

Is xxx.xxx.xxx.xx the IP of the peer? Or some other place in public DNS?

FYI: We fixed the handshake bug by opening a socket to the peer then if the peer was an origin with the right port number, passing the socket to the DIRECT packet handling code for the SSL handshake. It's possible that code set "DIRECT" flag on the request for logging. Or that peer selection is still blocking the origin peer somehow despite the port match.

(The 200 status change is a separate bug fix)

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
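As an added example (not part of this thread, and not Squid's own code): a small Python check that parses access.log lines in the "squid" native format used by the `access_log` directive above and reports CONNECT requests to a domain that `never_direct` should force through the parent but which were nevertheless served `DIRECT`, which is the symptom Stephan reports. The domain-matching rule mirrors `dstdomain` (exact host, or any subdomain when the pattern starts with a dot). The timestamps, client and peer addresses, and host names in the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Squid "squid" native access.log layout:
#   time elapsed client result/status bytes method url user hierarchy/peer type
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample lines (addresses, hosts and times are made up for this example).
SAMPLE_LOG = [
    "1306458123.456    120 10.10.10.15 TCP_MISS/200 5223 CONNECT www.example.test:443 - DIRECT/203.0.113.10 -",
    "1306458130.001     98 10.10.10.15 TCP_MISS/000 307 CONNECT www.example.test:443 - FIRST_UP_PARENT/AB -",
    "1306458140.222     45 10.10.10.20 TCP_MISS/200 812 GET http://other.example.test/index.html - DIRECT/198.51.100.7 text/html",
    "1306458150.900     60 10.10.10.21 TCP_MISS/200 4100 CONNECT cdn.example.test:443 - DIRECT/203.0.113.11 -",
]


@dataclass
class Entry:
    client: str
    result: str
    status: int
    method: str
    url: str
    hierarchy: str   # e.g. DIRECT, FIRST_UP_PARENT
    peer: str        # peer name (cache_peer name=) or the origin address


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines that do not fit."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return Entry(
        client=m.group("client"),
        result=m.group("result"),
        status=int(m.group("status")),
        method=m.group("method"),
        url=m.group("url"),
        hierarchy=m.group("hier"),
        peer=m.group("peer"),
    )


def connect_host(url: str) -> str:
    """CONNECT requests log 'host:port'; strip the port to get the host."""
    return url.rsplit(":", 1)[0].lower()


def matches_dstdomain(host: str, patterns: Set[str]) -> bool:
    """Apply dstdomain semantics: '.example.test' matches the domain and all
    subdomains, a bare 'www.example.test' matches only that exact host."""
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def unexpected_direct(lines: List[str], peered: Set[str]) -> List[Entry]:
    """Return CONNECT entries for never_direct domains that still went DIRECT.

    A non-empty result means the cache_peer_access/never_direct policy was not
    honoured for that request, which is what the access.log comparison in the
    thread is showing."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or e.method != "CONNECT":
            continue
        if e.hierarchy == "DIRECT" and matches_dstdomain(connect_host(e.url), peered):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in unexpected_direct(SAMPLE_LOG, {"www.example.test"}):
        print(f"policy bypass: {e.client} CONNECT {e.url} served {e.hierarchy}/{e.peer}")
```

Run against a real access.log by replacing `SAMPLE_LOG` with the file's lines and the pattern set with the `dstdomain` values from the `site` acl; any output means the request never reached the parent, and the `FIRST_UP_PARENT/AB` form is what a correctly routed CONNECT looks like.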

