On 08/06/17 19:51, Alejandro Delgado Moreno wrote:
> Hi Amos,
>
> Here is the squid.conf file:
>
> acl localnet src 172.16.0.0/16
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl journals dstdomain "/etc/squid/UPF_LIST.txt"
> cache_peer proxy-inst.upf.edu parent 9090 0 no-query no-digest default
> cache_peer_access proxy-inst.upf.edu allow journals
> always_direct allow journals

There you go. Problem #1: "always_direct allow" prohibits any
cache_peer being used by that request (by requiring that DIRECT be used,
mandatory). Remove that and some of the journal traffic will start going
to the peer.

> And this is an extract of the log:
>
> [Thu Jun 8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].120 5106 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].144 5130 172.18.2.45 TCP_TUNNEL/200 332 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].147 5133 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].374 6567 172.18.2.45 TCP_TUNNEL/200 108115 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -

CONNECT and a few other things are normally sent DIRECT because that is
way faster than doing another hop.
To make those prefer going through the peer add this line:
nonhierarchical_direct off
And if that is not enough, you can add "never_direct allow journals" to
forbid DIRECT being used. They will then fail completely if the peer is
not used for any reason.

> As you can see, it is always going direct, but when going to idp.fecyt.es it should be going through the peer, as the file UPF_LIST.txt has:
>
> https://idp.fecyt.es
> https://idp.fecyt.es/
> https://idp.fecyt.es/*

Your squid.conf said these were being loaded into a dstdomain ACL. But
the above lines are URLs, not domain names.
dstdomain syntax is a domain name with maybe a wildcard to match all
sub-domains. see
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains>
HTH
Amos
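
An added example, not part of the original thread: a small Python helper that turns URL-style lines like the ones quoted from UPF_LIST.txt into names a dstdomain ACL can match. The function names and the `.journals.example` entries are constructed for illustration; it assumes a leading-dot entry also covers the bare domain and its sub-domains, so narrower duplicates are dropped.

```python
from urllib.parse import urlsplit


def to_dstdomain(entry):
    """Return the dstdomain form of one list entry, or None to skip it."""
    entry = entry.split("#", 1)[0].strip()  # drop comments and whitespace
    if not entry:
        return None
    if "://" not in entry:
        entry = "//" + entry                # let urlsplit see a host part
    host = urlsplit(entry).hostname         # lowercased; no scheme, port or path
    if not host:
        return None
    if host.startswith("*."):
        host = host[1:]                     # "*.example" -> ".example"
    if "*" in host:
        return None                         # wildcard elsewhere: not a domain name
    return host


def normalize(lines):
    """Convert, de-duplicate and drop names already covered by a wildcard."""
    names = {d for d in map(to_dstdomain, lines) if d}
    wild = {d for d in names if d.startswith(".")}

    def covered(d):
        bare = d.lstrip(".")
        return any(d != w and (bare == w[1:] or bare.endswith(w)) for w in wild)

    return sorted(d for d in names if not covered(d))


# First three lines are the entries quoted in the thread; the rest are constructed.
SAMPLE = [
    "https://idp.fecyt.es",
    "https://idp.fecyt.es/",
    "https://idp.fecyt.es/*",
    "*.journals.example/",
    "www.journals.example  # constructed duplicate of the wildcard above",
]

if __name__ == "__main__":
    print("\n".join(normalize(SAMPLE)))
```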