On 19/03/18 03:22, Kiru Pananthan wrote:
> Hi Amos
>
> Thanks for your reply,
>
> I have restarted the squid service using the command #
> /etc/init.d/squid3 restart and also reboot the Linux server too. but
> still, the problem exists.
>
> I have removed the empty and # command line in the document for your
> review. can you please check now and provide me with some guidance
>

Thanks. That one is easier to read.

The domains dvr1.* dvr2.* and dashboard.* are accepted into the proxy (by the our_sites ACL) but have nowhere to go - no cache_peer with an allow for them.

I guess those are the domains which you are seeing failures for?

Some further cleanups you can do:

It is now clear that "cache_peer access server_6 deny all" is referring to a non-existent cache_peer. Not an issue, but you can remove that line to simplify things further.

The https_port line is missing accel mode flag.
 - Also, 'vhost' option is deprecated in current Squid. Virtual hosting is on by default now.

Also, since these are reverse-proxy the *_port lines should really be listening on the same ports the peers are using (eg port 80, 443 and 8443) to avoid weird issues with Host header relayed to peers with unexpected port 3128 or 8443 values (as sent by the clients).

I also notice that traffic arriving in the HTTPS port has a default domain of bookings.* assigned but the only peer which is expecting traffic on/from port 8443 is the one for library.* domain. It may be worthwhile removing the defaultsite= option entirely.

You still have the muddled peer lines making that config hard to read. By that I mean your "acl sites_server_*" definitions are grouped amidst cache_peer* lines for a peer which that ACL has nothing to do with. Re-ordering those would be useful for future maintenance.

Also, the issue with server_5 and server_7 being identical is still there. It is even more clear now that they are truly duplicates in all respects, from cache_peer line to the server_sites_* ACLs. One of them should be removed.

Your custom http_access line should be placed at the spot which currently says "http_access allow localhost".

In fact, what I recommend is to move the "http_access deny all" line down below the cache_peer config block. Then you can use the sites_server_N ACLs to do an "http_access allow sites_server_*" instead of duplicating domain names in that our_sites ACL.

This way you can be sure only the traffic which has a cache_peer to go to is allowed into the proxy at all and the reverse: all traffic which has a peer to go to is allowed. That may be helpful to avoid this situation repeating in future.

Amos
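Added example, not part of the original message or of Squid itself: a small Python audit of a reverse-proxy squid.conf that reports the mismatches discussed above, namely domains admitted by http_access with no cache_peer_access allow, domains routed to a peer but never admitted, and cache_peer_access lines naming a peer that does not exist. The sample configuration, its example.org domains and 192.0.2.x addresses are constructed for illustration, and the function name `audit` is hypothetical.

```python
from collections import defaultdict

# Constructed sample (hypothetical domains and addresses, not the poster's file).
SAMPLE_CONF = """
acl our_sites dstdomain bookings.example.org dvr1.example.org dashboard.example.org
http_access allow our_sites
http_access deny all
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=server_1
acl sites_server_1 dstdomain bookings.example.org
cache_peer_access server_1 allow sites_server_1
cache_peer_access server_1 deny all
cache_peer 192.0.2.11 parent 8443 0 no-query originserver name=server_2
acl sites_server_2 dstdomain library.example.org
cache_peer_access server_2 allow sites_server_2
cache_peer_access server_6 deny all
"""

def audit(conf):
    """Compare domains admitted by http_access with domains routed to a peer."""
    domains = defaultdict(set)            # ACL name -> dstdomain values
    peers, http_allows, peer_rules = set(), [], []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 3:
            continue
        if tok[0] == "acl" and tok[2] == "dstdomain":
            domains[tok[1]].update(tok[3:])
        elif tok[0] == "cache_peer":
            # A peer is addressed by name= if given, otherwise by its hostname.
            peers.add(next((t[5:] for t in tok if t.startswith("name=")), tok[1]))
        elif tok[0] == "http_access" and tok[1] == "allow":
            http_allows.append(tok[2:])
        elif tok[0] == "cache_peer_access":
            peer_rules.append((tok[1], tok[2], tok[3:]))
    # Second pass, so the order of lines in the file does not matter.
    # Simplification: exact string comparison, negated (!acl) entries ignored.
    admitted = set().union(*(domains.get(a, set()) for line in http_allows for a in line))
    routed, unknown = set(), set()
    for peer, action, acls in peer_rules:
        if peer not in peers:
            unknown.add(peer)
        elif action == "allow":
            routed.update(*(domains.get(a, set()) for a in acls))
    return {"unrouted": sorted(admitted - routed),
            "unadmitted": sorted(routed - admitted),
            "unknown_peers": sorted(unknown)}

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONF).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

An empty result in all three lists corresponds to the layout recommended above, where http_access allows exactly the per-peer ACLs.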