I'm sure about forwarding because I see requests to http://172.22.15.88:3128/squid-internal-periodic/store_digest in parent logs and my parent returns 502 because we do not allow requests to internal IPs. Logs from the parent:
Got request: GET http://172.22.15.88:3128/squid-internal-periodic/store_digest
Not allowing blacklisted IP 172.22.15.88
I do not have "global_internal_static off" in my config and also I'm able to get http://172.22.15.88:3128/squid-internal-periodic/store_digest using curl or telnet (with telnet I do "GET /squid-internal-periodic/store_digest" – note relative URL).
However according to debug logs squid does this request using absolute URL which probably works if target sibling can do direct requests (so it will request itself for digest and return response to original squid). But I do have "never_direct allow all" which probably makes sibling to forward such request to a parent.
If my theory about absolute vs relative URL is correct then I believe original squid should make store_digest request using relative URL (like I can do with telnet) so sibling squid will return response right away w/o asking itself for result.
This is more complete config (only stripped default things like localnet acls / http_access), note that I have 2 parents actually which I select based on header (but all requests w/o header will go to the first parent), and also have:
via off
never_direct allow all
forwarded_for off
# START CONFIG ====================
# Allow HTCP queries from local networks only
htcp_access allow localnet
htcp_access allow localhost
htcp_access deny all
# Other squids
cache_peer 172.22.15.88 sibling 3128 4827 htcp
cache_peer … sibling 3128 4827 htcp
acl siblings src 172.22.15.88/32
acl siblings src …/32
miss_access deny siblings
acl header_a req_header header_a -i true
acl header_b req_header header_b -i true
# name1 parent
cache_peer 127.0.0.1 parent 18070 0 no-query no-digest name=name1
cache_peer_access name1 deny header_a
cache_peer_access name1 deny header_b
# name2 parent
cache_peer 127.0.0.1 parent 18079 0 no-query no-digest name=name2
cache_peer_access name2 allow header_a
cache_peer_access name2 allow header_b
cache_peer_access name2 deny all
cache_mem …
maximum_object_size_in_memory …
memory_replacement_policy …
cache_replacement_policy …
cache_dir aufs … … 16 256
minimum_object_size … bytes # none-zero so we dont cache mistakes
maximum_object_size … KB
client_db off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# don't cache errors
negative_ttl 0 minutes
# always fetch object from the beginning regardless of Range requests
range_offset_limit none
via off
cache_effective_user squid
cache_effective_group squid
# disable icp
icp_port 0
never_direct allow all
forwarded_for off
# END CONFIG ====================
On Wed, Dec 28, 2016 at 11:15 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 2016-12-29 16:03, Ivan Larionov wrote:
Hello!
I'm trying to setup multiple squids as siblings with a parent which is
not even a squid.
But I'm getting following message in logs:
temporary disabling (Bad Gateway) digest from 172.22.15.88
temporary disabling (Bad Gateway) digest from …
Squid 3.5.23, compiled with "--enable-cache-digests".
For parent I'm setting no-digest, but I'd like to get digests between
siblings. However, it doesn't work and I probably found a reason after
reading debug logs:
This is how squid does store_digest request from a sibling peer:
GET http://172.22.15.88:3128/squid-internal-periodic/store_diges [1]t
HTTP/1.1
Accept: application/cache-digest
Accept: text/html
X-Forwarded-For: unknown
Host: 172.22.15.88:3128 [2]
Cache-Control: max-age=259200
Connection: keep-alive
Response (if I execute this request manually from telnet):
HTTP/1.1 502 Bad Gateway
…
This request has been forwarded to a parent and parent returned 502!
Are you sure about that forwarding?
Its not being generated by the sibling?
Now if I manually do the same request with a relative URL:
GET /squid-internal-periodic/store_digest HTTP/1.1 acl siblings src 172.22.15.88/32 [3]
…
Response:
HTTP/1.1 200 Cache Digest OK
…
My setup:
Multiple squids as siblings, one parent (not a squid).
Peers configuration:
# Other squids
cache_peer 172.22.15.88 sibling 3128 4827 htcp
cache_peer … sibling 3128 4827 htcp
acl siblings src …/32
miss_access deny siblings
# Parent
cache_peer 127.0.0.1 parent 18070 0 no-query no-digest name=NAME
cache_peer_access NAME deny some_acl
Anyone else seen similar issue? Do you have an example of working
configuration with multiple siblings and enabled digests?
The default config usually just works.
Do you have "global_internal_static off" in your squid.conf?
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
With best regards, Ivan Larionov.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
