Hi,

Long-time Squid user, first time posting, so I hope I am doing this correctly.

Having recently upgraded Squid from 3.1 to 3.3 at both organisations I support, I have noticed that cache_peer selection doesn't seem to obey cache_peer_access anymore.

Squid Cache: Version 3.3.8 Ubuntu
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'

Config extract:

# No Authentication
cache_peer 10.60.184.47 parent 8080 0 no-digest no-query name=minimum_filtering login=user:secret
cache_peer_access minimum_filtering allow trusted_computers
cache_peer_access minimum_filtering allow admin_subnet
cache_peer_access minimum_filtering deny all

# Requires Authentication
cache_peer 10.60.184.47 parent 8080 0 no-query no-digest name=regular_filtering login=PASS
cache_peer_access regular_filtering deny trusted_computers
cache_peer_access regular_filtering deny admin_subnet
cache_peer_access regular_filtering allow all

Prior, any trusted computer or anyone from the admin subnet would not get an HTTP basic auth logon box and would always pass through the minimum_filtering peer.

Since upgrading, users from all over the place and myself are now getting logon boxes every now and then. It just seems like it is just load balancing and ignoring the cache_peer_access controls.

Has anyone else experienced this? Any help at all would be greatly appreciated!

Cheers,
Matt