On 2021-07-26 23:05, jens.altrock wrote:
Hi!
I got a little Problem:
We have a proxy server that should route special requests to a parent
proxy and forward the rest to the standard gateway. I haven't found
any suitable and working configurations, so I'm asking here for help.
You appear to not understand some of the directives correctly.
As a result your config currently forces Squid to ignore all cache_peer
lines.
My configuration so far:
_acl alwayspeer dstdomain EXAMPLE.COM:777_
":777" is not part of any domain name.
This ACL can never produce a match result.
To check two different properties (domain and port) you need two
different ACLs.
For example:
acl example dstdomain example.com
acl port777 port 777
cache_peer_access PARENT_PROXY_SRV allow example port777
never_direct allow example port777
_cache deny all_
_cache_peer PARENT_PROXY_SRV parent 8080 7 proxy-only no-query_
_cache_peer_access PARENT_PROXY_SRV allow alwayspeer_
Since "alwayspeer" is always false this line means the default for
traffic going to this peer is "deny all".
With the ACL adjustments from above this would be:
cache_peer_access PARENT_PROXY_SRV allow example port777
_#http_access deny !Safe_ports_
_#http_access deny CONNECT !SSL_ports_
Please restore those rules. They are protecting your proxy against being
abused as a relay for DoS attacks against your network. They have
nothing to do with routing of valid HTTP messages.
_http_access allow localhost manager_
_http_access allow all Safe_ports_
_http_access allow all SSL_ports_
Remove those two lines **urgently**.
_never_direct deny alwayspeer_
_always_direct allow all_
From the actions chosen I see you misunderstand these two directives.
"DIRECT" means using DNS (or equivalent) to locate and connect to origin
server(s) from the URL domain name.
always_direct has precedence. So "allow all" means servers will *always*
be found using URL domain and DNS instead of your config file and
cache_peer lines.
-> you need to remove the always_direct line.
never_direct means the URL domain / DNS lookup mechanism is *never*
used. Only cache_peer lines have any possibility, and only when
cache_peer_access rules also say allow.
-> the 'action' field needs to be "allow" in order to force cache_peer
to be used.
In both of these directives "deny" is simply a way to stop processing
the directive lines before any more checks happen. eg, a way to put
"except" or "unless" clauses into the logic.
_http_access deny all_
No http_access rules placed below this will be checked. You should
remove this line.
FYI; the whole point of the include directive on the next line is so you can
put your custom cache_peer and related rules into a file in there and
not worry about the OS Squid package fiddling with it.
_include /etc/squid/conf.d/*_
_http_access allow localhost_
_http_access deny all_
Problem is that direct traffic is working, but it doesn't redirect
EXAMPLE.COM:777 to the correct proxy server.
In the access.log I only see:
1627297417.299 31535 CLIENT_IP NONE/503 0 CONNECT EXAMPLE.COM:777 - HIER_NONE/- -
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
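The routing and access-list rules Amos walks through above, as an added example that is not part of the thread and is not Squid's own code: a small Python model of the directives involved, evaluated against Jens's configuration as quoted and against a corrected version built from Amos's advice. The model implements only what the thread describes (dstdomain, port, src and method ACLs; access lists where the first line whose ACLs all match wins and a list with no match yields the opposite of its last line, which is Squid's general rule; always_direct checked before never_direct, and cache_peer_access after both) and deliberately ignores the rest of Squid's peer selection. The host EXAMPLE.COM, the peer name PARENT_PROXY_SRV and the client address 192.0.2.10 are sample values. The corrected configuration also carries two additions that are my assumptions rather than Amos's words: a localnet ACL standing in for the removed "allow all" lines, and port 777 added to SSL_ports. That second one is the check a practitioner should make before restoring the two commented rules: the default squid.conf lists 777 in Safe_ports but only 443 in SSL_ports, so "http_access deny CONNECT !SSL_ports" would otherwise deny the very CONNECT that is meant to reach the parent.

```python
"""Model of the Squid rules discussed in this thread (added example, not Squid code):
ACL types dstdomain, port, src and method; access lists where every ACL on a line must
match, the first matching line wins and no match gives the opposite of the last line's
action (Squid's usual rule); and Amos's precedence order always_direct, never_direct,
cache_peer_access.  Hosts, addresses and peer names are constructed sample values."""
import ipaddress
from collections import namedtuple

# method defaults to GET; src defaults to a constructed client address
Request = namedtuple("Request", "host port method src", defaults=("GET", "192.0.2.10"))

def parse(text):
    """acls: name -> (type, values); lists/peer_access: [(action, [acl])]; built-ins predefined."""
    cfg = {"lists": {}, "peers": [], "peer_access": {}, "acls": {
        "all": ("src", ["all"]), "localhost": ("src", ["127.0.0.0/8", "::1"]),
        "SSL_ports": ("port", ["443"]), "CONNECT": ("method", ["CONNECT"]),
        "Safe_ports": ("port", "80 21 443 70 210 1025-65535 280 488 591 777".split())}}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        d, args = words[0], words[1:]
        if d == "acl":
            cfg["acls"].setdefault(args[0], (args[1], []))[1].extend(args[2:])
        elif d == "cache_peer":
            cfg["peers"].append(args[0])
        elif d == "cache_peer_access":
            cfg["peer_access"].setdefault(args[0], []).append((args[1], args[2:]))
        elif d in ("http_access", "always_direct", "never_direct"):
            cfg["lists"].setdefault(d, []).append((args[0], args[1:]))
    return cfg   # cache, include and the rest play no part in these decisions

def acl_matches(cfg, name, req):
    typ, vals = cfg["acls"][name]
    if typ == "src":
        ip = ipaddress.ip_address(req.src)
        return "all" in vals or any(ip in ipaddress.ip_network(v) for v in vals)
    if typ == "dstdomain":   # exact names only; the ".example.com" form is not modelled
        # Squid compares the host name alone, so "EXAMPLE.COM:777" never equals one.
        return req.host.lower() in (v.lower() for v in vals)
    if typ == "port":
        return any(int(lo) <= req.port <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in vals))
    return typ == "method" and req.method in vals

def evaluate(cfg, rules, req):
    """First rule whose ACLs all match ('!' negates) wins; no match: opposite of last rule; empty: None."""
    for action, acls in rules:
        if all(acl_matches(cfg, a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return None if not rules else ("deny" if rules[-1][0] == "allow" else "allow")

def route(cfg, req):
    """Next hops in Amos's order of precedence; [] means nothing can serve the request."""
    if evaluate(cfg, cfg["lists"].get("always_direct", []), req) == "allow":
        return ["DIRECT"]
    peers = [p for p in cfg["peers"]
             if evaluate(cfg, cfg["peer_access"].get(p, []), req) != "deny"]
    if evaluate(cfg, cfg["lists"].get("never_direct", []), req) == "allow":
        return peers
    return peers + ["DIRECT"]   # try order depends on prefer_direct (not modelled)

def decide(cfg_text, req):
    cfg = parse(cfg_text)
    return evaluate(cfg, cfg["lists"].get("http_access", []), req) or "deny", route(cfg, req)

# Jens's configuration as quoted in the thread (cache, manager and include lines omitted).
BROKEN = """\
acl alwayspeer dstdomain EXAMPLE.COM:777
cache_peer PARENT_PROXY_SRV parent 8080 7 proxy-only no-query
cache_peer_access PARENT_PROXY_SRV allow alwayspeer
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow all Safe_ports
http_access allow all SSL_ports
never_direct deny alwayspeer
always_direct allow all
http_access deny all
http_access allow localhost
http_access deny all
"""

# Amos's corrections plus my own assumptions: 777 added to SSL_ports and a localnet ACL.
FIXED = """\
acl example dstdomain example.com
acl port777 port 777
acl SSL_ports port 777
acl localnet src 192.0.2.0/24
cache_peer PARENT_PROXY_SRV parent 8080 7 proxy-only no-query
cache_peer_access PARENT_PROXY_SRV allow example port777
never_direct allow example port777
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    r777 = Request("EXAMPLE.COM", 777, "CONNECT")
    print(acl_matches(parse(BROKEN), "alwayspeer", r777), decide(BROKEN, r777), decide(FIXED, r777))
```

Running the file prints False ('allow', ['DIRECT']) ('allow', ['PARENT_PROXY_SRV']): the alwayspeer ACL never matches, the quoted configuration sends the CONNECT to EXAMPLE.COM:777 DIRECT because always_direct wins over everything else, and the corrected one hands it to the parent while a CONNECT to any other host still goes DIRECT. Under the quoted configuration a request from 127.0.0.1 to a non-Safe_port is denied by the first "http_access deny all", which is Amos's point that the later "allow localhost" is never consulted. The model makes no attempt to explain the NONE/503 HIER_NONE line in the access.log.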