Re: prevent squid from "temporarily disabling (...) digest" ?

On 27/09/11 15:45, Dale Mahalko wrote:
> Environment:
> pfSense 1.2.3-Release
> Squid 2.7.9_4.1
>
> I am using squid as a local access-logging front-end, to another
> remote proxy which acts as a content filter on which I don't have
> reporting/logging access.
>
> If I specify the remote proxy and port in the web browser, I just get
> a blank "can't connect" error for HTTPS addresses. It is blocking the
> site, as expected.

Well, HTTPS in proxy formatted HTTP requests is called "CONNECT". The thing to be aware of is that this will *only* show up if the browser is configured to use a proxy (i.e. your Squid).

Second thing is that CONNECT requests are normally not sent to peer proxies. You have to set "nonhierarchical_direct off" to make CONNECT and POST go to peers.


> But when squid is used, the access.log contains a long string of all
> "TCP_DENIED" or "TCP_MISS" messages, but the blocked page loads
> anyway.
>
> Checking the cache.log there is a message "Temporarily disabling (Not
> Found) digest from proxy.foo.com:8888"

This is unrelated. Simply means the peer is not willing or able to share a cache digest with your Squid. Add "no-digest" to its cache_peer line to silence these.


> it appears squid is quietly saying "fine, I will go direct and
> retrieve the data anyway".

Exactly.


> The directive never_direct doesn't do anything for this:
> never_direct deny all

You misunderstand never_direct. (It's a bit of a twisted double-negative directive.)

"allow" is the only value with active meaning on never_direct.
"deny" is simply a way to avoid/bypass some following "allow" lines from having effect. It equates to "maybe go direct" in never_direct.


> I need squid to just simply give up and stop trying to access the
> blocked site, if the upstream parent won't provide the content.

I think you need:

  # send CONNECT (https://) and POST through the peer.
  nonhierarchical_direct off

  # prevent Squid going direct if the peer denies.
  never_direct allow all


... and make sure the cache_peer line has type "parent" for the peer.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.12
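The three pieces of advice in the reply above (parent peer with no-digest, nonhierarchical_direct off, never_direct allow all) combined into one squid.conf fragment, as an added example rather than configuration posted in the thread. The peer host and port (proxy.foo.com:8888) are the ones named in the thread; the remaining cache_peer options are assumptions for a plain HTTP parent without ICP.

```conf
# Added example (not from the thread): force all client traffic through
# the filtering parent and never bypass it. Squid 2.7 syntax.

# The content filter is a *parent*, not a sibling. ICP port 0 + no-query:
# it is a plain HTTP proxy with no ICP (assumption). no-digest silences
# "Temporarily disabling (Not Found) digest from proxy.foo.com:8888".
# default makes it the last-resort peer when no other peer matches.
cache_peer proxy.foo.com parent 8888 0 no-query no-digest default

# CONNECT (HTTPS) and POST are "non-hierarchical" and go direct by default;
# send them to the parent as well.
nonhierarchical_direct off

# "allow" is the active value: never open a direct connection, so when the
# parent denies or is unreachable the client gets an error instead of the
# blocked content. ("never_direct deny all" would mean "may go direct".)
never_direct allow all
```

After reloading, a denied site should show TCP_MISS/xxx entries pointing at the parent in access.log rather than a DIRECT fetch.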

