On Wednesday, 16.10.2019, at 22:18 -0400, Alex Rousskov wrote:
> On 10/16/19 7:17 PM, Robert Senger wrote:
>
> > I need to encrypt browser->squid connection (on mobile devices).
> > With squid 3.x, I used stunnel client on the mobile device and
> > stunnel server on squid's machine. With squid 4.6, I wanted to get
> > rid of stunnel server and use squid's https_port directive instead,
> > but https_port + sslbump did not go together. So, I created a loop
> > that forwarded https_port connections with a cache_peer directive
> > to squid's own http_port.
>
> IIRC, this trick also creates problems for built-in cache_peer checks
> that may fail because those checks start before Squid starts
> listening on its own ports. This problem may be specific to SMP
> setups. YMMV.

Well, worked for me ;)

> > That worked, except for caching... The http_port ACLs never matched
> > in the cache directive, instead, the https_port ACLs did, but that
> > is not what I want and need. Some coincidence made that
> > tcp_outgoing_address matched and routing was correct, anyway.
>
> AFAICT, bugs notwithstanding, those ACLs should have matched in the
> "cache" directive context, especially if they actually matched in the
> tcp_outgoing_address context later.
>
> Alex.

I am not sure if they matched at all. As I said, by chance, default
rules for tcp_outgoing_address and policy based routing might have
produced right results (at least at where I looked at, there are more
than 2 client ACLs), but based on wrong decisions. Can't check this
right now.

Anyway, I am thinking about running multiple squid instances with
simple setups and chain them rather than just one with a very complex
setup, maybe that would make things easier. It also would make it
possible to query different nameservers (or bind9 views) for different
ACLs, which is not possible within one single instance
(udp_outgoing_address does not take ACLs).

Thanks for the help,

Robert

> > On Wednesday, 16.10.2019, at 11:38 -0400, Alex Rousskov wrote:
> > > On 10/16/19 10:38 AM, Robert wrote:
> > >
> > > > after upgrading to 4.6 from 3.x
> > > > I am struggling with caching objects. The goal is, to have
> > > > objects requested by proxy-basic clients not to be cached, but
> > > > objects requested by proxy-standard to be cached normally.
> > > >
> > > > Tried this:
> > > >
> > > >     cache deny proxy-basic
> > > >     cache allow all
> > > >
> > > > And this:
> > > >
> > > >     cache allow proxy-standard
> > > >     cache deny all
> > >
> > > Based on your description, you probably want the former or its
> > > simpler version:
> > >
> > >     cache deny proxy-basic
> > >
> > > > If I use ANY "cache ___" directive other than a (useless)
> > > > "cache allow all", caching is completely disabled for all ACLs.
> > >
> > > FYI: Squid does not (yet) treat the "all" ACL specially -- Squid
> > > does not ignore or automatically apply seemingly "useless" rules
> > > with it. If you are getting correct results with "allow all" and
> > > incorrect results with "allow foo", then your foo ACL does not
> > > match (in that specific context). Why it does not match is a
> > > separate question.
> > >
> > > > What am I doing wrong?
> > >
> > > Nothing that warrants discussing here IMO. I suggest trying the
> > > latest v4 release and, if the problem is still there, filing a
> > > bug report. If you can share a compressed ALL,7+ cache.log while
> > > reproducing the problem with a single transaction, we may be able
> > > to triage this problem faster. Squid wiki has instructions at
> > > https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
> > >
> > > HTH,
> > >
> > > Alex.
> > >
> > > > I am using ACLs for different handling of clients connecting to
> > > > different local ports:
> > > >
> > > >     acl proxy-basic localip 172.16.2.243
> > > >     acl proxy-standard localip 172.16.3.243
> > > >
> > > > These ACLs are used to determine outgoing address, which are
> > > > routed to different outgoing interfaces like this:
> > > >
> > > >     tcp_outgoing_address 172.16.3.244 proxy-basic
> > > >     tcp_outgoing_address 172.16.4.244 proxy-standard
> > > >
> > > > This works as desired.

--
Robert Senger

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users