
Re: Unneeded DNS lookups for cache_peer selection

On 29.01.2014 21:51, Amos Jeffries wrote:
> On 2014-01-30 03:48, Amon Ott wrote:
>> We have a setup with a single parent proxy that shall be used for all
>> requests. "never_direct allow all" ensures that the parent is not to be
>> bypassed. Still, every request leads to an extra unnecessary (and
>> failing) DNS lookup. We enjoyed several complaints because of unwanted
>> DNS traffic inside a firewalled area. As all results are negative, even
>> the DNS caching does not really help.
>>
>> I have traced the problem into peerSelectDnsPaths() in
>> src/peer_select.cc. It seems that despite the clear fact that only one
>> cache_peer can ever be selected (and has to be selected), the code still
>> makes a DNS request for the hostname in the requested URL to find the
>> best proxy. It would be greatly appreciated if we could suppress these
>> lookups without losing DNS access for parent proxy lookup by DNS name.
>> The lookup does not make any sense to me even with multiple parents, if
>> the parent selection is never based on the request target host.
>>
>> The only workaround we have found so far is to specify the parent proxy
>> by IP address and tell Squid with "dns_nameservers localhost" to use a
>> non-existent DNS server. However, this way we lose the DNS based load
>> balancing at the parent proxy, which we cannot influence ourselves.
>>
>> This looks like a similar problem to the one discussed in
>> http://www.squid-cache.org/mail-archive/squid-users/201309/0364.html
> 
> 
> It does indeed sound like a similar problem. The issue is likely the
> same, "bad" configuration requiring DNS lookups to happen.
> There are two solutions indicated in my response to that referenced post:
>  1) fixing the ACL tests and config options requiring DNS

I have not found any, please do have a look yourself.

>  2) using /etc/hosts (or a localhost DNS resolver)

This is not a good option, because the uplink proxy's IP address can change
at any time, so we need to use its DNS name. That DNS domain is not
under our control, so a DNS server at localhost does not help. In the worst
case I would have to run a cron job updating the host entry every minute
or such - sounds horrible.

Since the DNS lookup fails anyway, the solution could be as simple as
having a switch to forbid URL target host DNS lookups completely.
Parent proxy selection could still continue as after a failed DNS lookup.

> If you are willing to post your config file (without any # comment
> lines) I am happy to check it like I did that earlier one.

The stripped squid.conf is attached. The outgoing address settings are
workarounds for https URL problems without IPv6, which is disabled in
our kernel. We have tested with Squid 3.3.11 and 3.4.2.

Thanks for your help.

Amon Ott
-- 
Dr. Amon Ott
m-privacy GmbH           Tel: +49 30 24342334
Werner-Voß-Damm 62       Fax: +49 30 99296856
12101 Berlin             http://www.m-privacy.de

Amtsgericht Charlottenburg, HRB 84946

Managing Directors:
 Dipl.-Kfm. Holger Maczkowsky,
 Roman Maczkowsky

GnuPG-Key-ID: 0x2DD3A649

acl SSL_ports port 443 446 563 631 873 1935
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443 446 563 631 873 1935	# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl ftponly proto ftp
acl httponly proto http https
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl haveident ident REQUIRED
http_access allow localhost
http_access deny all
http_port 127.0.0.1:3128
tcp_outgoing_address 0.0.0.0
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid3 512 16 256
access_log stdio:/var/log/squid3/access.log
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
request_timeout 30 seconds
shutdown_lifetime 10 seconds
udp_outgoing_address 0.0.0.0
forwarded_for delete
cachemgr_passwd disable all
cache_peer my.uplink.proxy parent 3138 0 default no-digest no-query no-netdb-exchange no-tproxy
never_direct allow all
nonhierarchical_direct off
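Amos's first option above is to look for ACL tests and config options that require DNS, and the reply says none were found. The following linter, an added example that is neither Squid's code nor the poster's, is one way to check that mechanically: it parses a squid.conf, records each ACL's type, and reports every place where a DNS-dependent ACL type (the hand-written table below follows the squid.conf documentation on "slow" ACLs and is assumed, not exhaustive) is used in a per-request access directive, plus any cache_peer given by hostname. Run on an excerpt of the attached config it reports only the cache_peer hostname, which is the one lookup the poster wants to keep; a constructed variant with a `dst` ACL shows what a finding looks like.

```python
"""Lint a squid.conf for directives and ACL types that make Squid query DNS.

Added example for this thread: not Squid's code and not the poster's. The
ACL-type table is written by hand from the squid.conf documentation on "slow"
ACLs and is not exhaustive."""
import ipaddress

# ACL types whose evaluation can trigger a resolver query (assumed table).
DNS_ACL_TYPES = {
    "dst": "forward lookup of the URL host",
    "dstdomain": "reverse lookup when the URL host is a bare IP",
    "dstdom_regex": "reverse lookup when the URL host is a bare IP",
    "srcdomain": "reverse lookup of the client IP",
    "srcdom_regex": "reverse lookup of the client IP",
}

# Directives that evaluate ACL lists per request (assumed subset).
ACL_USING_DIRECTIVES = {
    "http_access", "http_reply_access", "always_direct", "never_direct",
    "cache_peer_access", "tcp_outgoing_address", "cache", "miss_access",
    "icp_access", "htcp_access", "delay_access", "reply_body_max_size",
}


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal (optionally bracketed)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def lint_dns(conf_text):
    """Return (lineno, directive, reason) for every DNS-dependent setting."""
    acl_types = {}  # acl name -> acl type, filled as 'acl' lines are read
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0]
        if directive == "acl" and len(tokens) >= 3:
            acl_types[tokens[1]] = tokens[2]
        elif directive == "cache_peer" and len(tokens) >= 2:
            if not is_ip_literal(tokens[1]):
                findings.append((lineno, directive,
                                 f"peer '{tokens[1]}' given by hostname, resolved via DNS"))
        elif directive in ACL_USING_DIRECTIVES:
            for tok in tokens[1:]:
                name = tok.lstrip("!")  # leading '!' negates the ACL
                acl_type = acl_types.get(name)
                if acl_type in DNS_ACL_TYPES:
                    findings.append((lineno, directive,
                                     f"acl '{name}' ({acl_type}): {DNS_ACL_TYPES[acl_type]}"))
    return findings


# Excerpt of the squid.conf attached to the post above (sample input).
POSTED_CONF = """\
acl SSL_ports port 443 446 563 631 873 1935
acl Safe_ports port 80          # http
acl Safe_ports port 443 446 563 631 873 1935    # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
acl httponly proto http https
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl haveident ident REQUIRED
http_access allow localhost
http_access deny all
http_port 127.0.0.1:3128
tcp_outgoing_address 0.0.0.0
cache_peer my.uplink.proxy parent 3138 0 default no-digest no-query no-netdb-exchange no-tproxy
never_direct allow all
nonhierarchical_direct off
"""

# Constructed variant: a 'dst' ACL in http_access adds a per-request forward lookup.
DST_ACL_CONF = POSTED_CONF + "acl to_lan dst 10.0.0.0/8\nhttp_access deny to_lan\n"

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("constructed", DST_ACL_CONF)):
        print(f"== {label} ==")
        for lineno, directive, reason in lint_dns(conf):
            print(f"line {lineno}: {directive}: {reason}")
```

The linter only sees what the config declares; the built-in ACLs (`all`, `localhost`, `manager`) and the ident ACL are not DNS-dependent and produce no finding, so a clean report here is consistent with the reply that no DNS-requiring ACL is in use and leaves the per-request lookup to be explained by the peer selection code the thread discusses.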
