On 10/16/19 7:17 PM, Robert Senger wrote: > I need to encrypt browser->squid connection (on mobile devices). With > squid 3.x, I used stunnel client on the mobile device and stunnel > server on squid's machine. With squid 4.6, I wanted to get rid of > stunnel server and use squid's https_port directive instead, but > https_port + sslbump did not go together. So, I created a loop that > forwarded https_port connections with a cache_peer directive to squid's > own http_port. IIRC, this trick also creates problems for built-in cache_peer checks that may fail because those checks start before Squid starts listening on its own ports. This problem may be specific to SMP setups. YMMV. > That worked, except for caching... The http_port ACLs > never matched in the cache directive, instead, the https_port ACLs did, > but that is not what I want and need. Some coincidence made that > tcp_outgoing_address matched and routing was correct, anyway. AFAICT, bugs notwithstanding, those ACLs should have matched in the "cache" directive context, especially if they actually matched in the tcp_outgoing_address context later. Alex. > Am Mittwoch, den 16.10.2019, 11:38 -0400 schrieb Alex Rousskov: >> On 10/16/19 10:38 AM, Robert wrote: >> >>> after upgrading to 4.6 from 3.x >>> I am struggling with caching objects. The goal is, to have objects >>> requested by proxy-basic clients not to be cached, but objects >>> requested by proxy-standard to be cached normally. >>> >>> Tried this: >>> >>> cache deny proxy-basic >>> cache allow all >>> >>> And this: >>> >>> cache allow proxy-standard >>> cache deny all >> >> Based on your description, you probably want the former or its >> simpler >> version: >> >> cache deny proxy-basic >> >> >>> If I use ANY "cache ___" directive other than a (useless) "cache >>> allow >>> all", caching is completely disabled for all ACLs. >> >> FYI: Squid does not (yet) treat the "all" ACL specially -- Squid does >> not ignore or automatically apply seemingly "useless" rules with it. >> If >> you are getting correct results with "allow all" and incorrect >> results >> with "allow foo", then your foo ACL does not match (in that specific >> context). Why it does not match is a separate question. >> >> >>> What am I doing wrong? >> >> Nothing that warrants discussing here IMO. I suggest trying the >> latest >> v4 release and, if the problem is still there, filing a bug report. >> If >> you can share a compressed ALL,7+ cache.log while reproducing the >> problem with a single transaction, we may be able to triage this >> problem >> faster. Squid wiki has instructions at >> https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction >> >> >> HTH, >> >> Alex. >> >>> I am using ACLs for different handling of clients connecting to >>> different local ports: >>> >>> acl proxy-basic localip 172.16.2.243 >>> acl proxy-standard localip 172.16.3.243 >>> >>> These ACLs are used to determine outgoing address, which are routed >>> to >>> different outgoing interfaces like this: >>> >>> tcp_outgoing_address 172.16.3.244 proxy-basic >>> tcp_outgoing_address 172.16.4.244 proxy-standard >>> >>> This works as desired. >> >> _______________________________________________ >> squid-users mailing list >> squid-users@xxxxxxxxxxxxxxxxxxxxx >> http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users