On 10/04/2013 11:59 p.m., folkert wrote:
> Hi,
> I'm trying to get the following to work:
> - all requests must go to the redirect_program. After the request went
> through the redirect program:
> - all requests must be forwarded to proxy A
> - UNLESS they are to 172.19.0.0/16 or listed in
> /usr/local/etc/squid3-directurls.txt
> - if they are in /usr/local/etc/squid3-directurls.txt they must be
> forwarded to proxy B
> - if they are to 172.19.0.0/16 they must go directly to the
> destination (172.19.0.1:8008 mostly)
> I tried the following:
> acl ir_ah dst 172.19.0.0/16
> redirector_access deny ir_ah

BUT your policy statement said ... "all requests must go to the
redirect_program."

> redirect_program /usr/local/bin/ir
> always_direct allow ir_ah
> always_direct deny all

"if they are to 172.19.0.0/16 they must go directly to the destination"
Okay. That is *kind* of working. If any one of the URL domain's IP
addresses is in the 172.19.0.0/16 range the request will go direct even
if the IP picked is not in that range. So be careful.

> cache_peer A parent 8123 0 default
> cache_peer B parent 8080 0
> acl allowed_servers dstdomain "/usr/local/etc/squid3-directurls.txt"
> cache_peer_access A deny allowed_servers
> cache_peer_access A deny ir_ah
> cache_peer_access A allow all

"all requests must be forwarded to proxy A - UNLESS they are to
172.19.0.0/16 or listed in /usr/local/etc/squid3-directurls.txt"
OKAY. That is configured.

> cache_peer_access B deny ir_ah
> cache_peer_access B allow all

"if they are in /usr/local/etc/squid3-directurls.txt they must be
forwarded to proxy B"
BROKEN. All the config says is any request which does not match ir_ah
will be directed to proxy B.
You need that to be:
cache_peer_access B allow allowed_servers
cache_peer_access B deny all

> What works:
> - all requests initially go to the redirect_program, it then allows them
> to be processed
> - BUT: after the redirect_program acks them, it sends the user back to
> the redirect_program!
> What I see is that Squid sends requests to 172.19.0.1 via its redirector
> while it should go straight through to 172.19.0.1.
> How can I fix this?
Um, this matches your policy statements about what you wanted to happen.
But does not match what the config says should be happening.
In order for this to happen the "dst" ACL when applied to the client
original URL domain needs to be producing something other than a
172.19.0.0/16 IP address.
Note that this ACL does not match against the output of the redirector.
I'm not sure what needs to be done to make it more predictable. Avoiding
"dst" type when possible is a good idea.
The other thing to look at is *how* the redirector is "ACKing" the URL.
A proper redirect is just a referral to another location; the client
will follow up with another request. This could be what you are seeing.
Otherwise the only way I can think of that you could get double helper
lookups like this is a forwarding loop somewhere causing the transaction
to re-enter Squid.
Amos
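As an added example (not folkert's /usr/local/bin/ir helper, whose code is not in the thread): a minimal Squid 3 redirect_program helper showing the three answers a redirector can give, a blank-line ACK that leaves the URL alone, a rewrite, and a 302 redirect that makes the client issue a second request which passes through the helper again, which is the double-lookup Amos describes. The hostnames and the "direct" range policy are constructed, and the helper is assumed to run without the concurrency= option (no channel-ID prefix on input lines).

```python
#!/usr/bin/env python3
"""Minimal Squid 3 redirect_program helper (constructed example).

Squid writes one request per line to stdin:  URL client_ip/fqdn user method ...
The helper answers exactly one line per request:
  ""              -> ACK: leave the URL unchanged; ACLs/always_direct decide
  "http://..."    -> rewrite: Squid fetches the new URL, the client sees nothing
  "302:http://..."-> redirect: the client gets a 302 and sends a *new*
                     request, which re-enters this helper
"""
import ipaddress
import sys
from urllib.parse import urlsplit

# Constructed policy: IP-literal hosts in this range are reached directly
# and must never be rewritten or redirected by the helper.
DIRECT_NET = ipaddress.ip_network("172.19.0.0/16")
# Constructed example: a retired hostname whose clients get a 302 to the new one.
REDIRECTS = {"old.example.test": "http://new.example.test"}


def decide(url):
    """Return the helper's answer line for one request URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        if ipaddress.ip_address(host) in DIRECT_NET:
            return ""                # plain ACK for the direct range
    except ValueError:
        pass                         # hostname, not an IP literal
    target = REDIRECTS.get(host)
    if target:
        # The 302 causes a second client request for `target`; that request
        # re-enters this helper, so `target` must itself map to "" below.
        return "302:" + target + parts.path
    return ""                        # everything else: unchanged


def answer(line):
    """Parse one helper input line (URL is the first token) and decide."""
    return decide(line.split()[0])


if __name__ == "__main__":
    for raw in sys.stdin:
        if raw.strip():
            print(answer(raw), flush=True)   # flush: Squid waits per line
```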