Search squid archive

Re: Cache peer help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 08/06/17 19:51, Alejandro Delgado Moreno wrote:

Hi Amos,

Here is the squid.conf file:

acl localnet src 172.16.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


acl journals dstdomain "/etc/squid/UPF_LIST.txt"

cache_peer proxy-inst.upf.edu parent 9090 0 no-query no-digest default

cache_peer_access proxy-inst.upf.edu allow journals
always_direct allow journals
There you go. Problem #1: "always_direct allow" prohibits any cache_peer being used by that request (by requiring that DIRECT be used, mandatory). Remove that and some of the journal traffic will start going to the peer. 


And this is an extract of the log:

[Thu Jun  8 09:47:30 2017].094   5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].094   5079 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].120   5106 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].144   5130 172.18.2.45 TCP_TUNNEL/200 332 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].147   5133 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].374   6567 172.18.2.45 TCP_TUNNEL/200 108115 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
CONNECT and a few other things are normally sent DIRECT because that is way faster than doing another hop. 

To make those prefer going through the peer add this line:

  nonhierarchical_direct off
And if that is not enough, you can add "never_direct allow journals" to forbid DIRECT being used. They will then fail completely if the peer is not used for any reason. 



As you can see, always is going direct, but when going to idp.fecyt.es should be going through the peer, as the file UPF_LIST.txt has:

https://idp.fecyt.es
https://idp.fecyt.es/
https://idp.fecyt.es/*
Your squid.conf said these were being loaded into a dstdomain ACL. But the above lines are URLs, not domain names.
dstdomain syntax is a domain name with maybe a wildcard to match all sub-domains. see <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains> 


HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux