I understand now better the concept.
Thank you
Markus
"Alex Rousskov" wrote in message
news:3dec529a-b62e-1e95-6cb7-0b68f6bf3c8d@xxxxxxxxxxxxxxxxxxxxxxx...
On 10/8/21 8:02 PM, Markus Moeller wrote:
I am trying to set up a proxy chain, but I don't get the setup right. I have one
squid with 2 parents: one with auth for domainA.com and one w/o auth for
the non-local IPs (i.e. the Internet).
With the below config I see domainA.com still going to the
unauthenticated parent proxy. Any hint why?
Several factors can explain that, but I would start by rephrasing your
request routing requirements (and the corresponding configuration rules)
as mutually exclusive (if they are). Currently, you have formulated and
configured the equivalent of
* send green traffic to auth-proxy
* send blue traffic to parent-proxy
This approach leaves important questions like "What about yellow
traffic?" and "What about traffic with green and blue dots?" unanswered.
If you want every request to go to either auth-proxy or parent-proxy,
then say so explicitly:
# green (and only green!) traffic to auth-proxy
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all
# not green (and only not green!) traffic to parent-proxy
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all
What "green" means exactly in your case, I do not know (due to the
questions like those listed above).
If you want every request to go to either auth-proxy, parent-proxy, or
direct, then your rules will become a bit more complex, but all three
routes should still be mutually exclusive:
# green (and only green) traffic to auth-proxy
# but exclude traffic that should go direct
cache_peer_access auth-proxy deny meantToGoDirect
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all
# not green (and only not green) traffic to parent-proxy
# but exclude traffic that should go direct
cache_peer_access parent-proxy deny meantToGoDirect
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all
# traffic that should go direct (and only that traffic)
# should always go direct
always_direct allow meantToGoDirect
always_direct deny all
# traffic that should not go direct (and only that traffic)
# should never go direct
never_direct deny meantToGoDirect
never_direct allow all
Disclaimer: The above configuration snippets are not complete, are not
tested, and can probably be reduced (some might say "simplified") if you
prefer to rely on certain defaults. See also: nonhierarchical_direct.
Once you get the above working for plain HTTP requests that have
resolvable domain names as targets, please note that your listA ACL will
not work for requests that have IP addresses, including some CONNECT
requests that ask your Squid to tunnel HTTPS traffic. Your Squid may not
get any such requests, but if it does, then your "green" and
"meantToGoDirect" ACLs may need to be more complex than "dstdomain -n"
and "dst".
HTH,
Alex.
P.S. I would not call the second proxy "parent-proxy" because both of
your proxies are configured as parent proxies.
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localdst dst 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localdst dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localdst dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localdst dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localdst dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localdst dst fc00::/7 # RFC 4193 local private network range
acl localdst dst fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl listA dstdomain -n domainA.com
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
cache_peer auth-proxy parent 3128 0 no-query default login=NEGOTIATE
cache_peer parent-proxy parent 3128 0 no-query default
cache_peer_access auth-proxy allow listA
cache_peer_access parent-proxy allow !localdst
never_direct deny localdst
never_direct allow all
debug_options 44,10 11,20
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
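The first-match and mutual-exclusion point in Alex's reply, worked through as an added example (not code from the thread or from Squid itself): a small Python model of Squid's access-list evaluation run over Markus's original cache_peer_access/never_direct lines and over Alex's three-route version. It assumes a request can be represented by the set of ACL names it matches, that "!acl" negates, that every ACL on a line must match, and that a list with no matching line yields the opposite of its last line.

```python
# Added example, not code from the thread: a tiny model of Squid's first-match
# access-list evaluation, used to show why Markus's rules leave a domainA.com
# request eligible for both parents while Alex's mutually exclusive rules pick one.
# Assumed simplifications: a request is the set of ACL names matching it, "!acl"
# negates, and a list with no matching line yields the opposite of its last line.

def parse_rules(lines):
    """Turn 'allow|deny acl [acl ...]' strings into (allow?, acls) tuples."""
    return [(w[0] == "allow", tuple(w[1:])) for w in map(str.split, lines)]

def acl_matches(acl, request):
    name = acl.lstrip("!")
    return (name == "all" or name in request) != acl.startswith("!")

def evaluate(rules, request):
    """First matching line wins; nothing matching -> opposite of the last line."""
    for allow, acls in rules:
        if all(acl_matches(a, request) for a in acls):
            return allow
    return not rules[-1][0] if rules else False

def candidate_routes(config, request):
    """Routes Squid may still consider: eligible parents, plus DIRECT if permitted."""
    if evaluate(config["always_direct"], request):
        return ["DIRECT"]
    routes = [p for p, r in config["peers"].items() if evaluate(r, request)]
    if not evaluate(config["never_direct"], request):
        routes.append("DIRECT")
    return routes

# Markus's original cache_peer_access / never_direct lines from the thread.
ORIGINAL = {
    "peers": {"auth-proxy": parse_rules(["allow listA"]),
              "parent-proxy": parse_rules(["allow !localdst"])},
    "always_direct": parse_rules([]),
    "never_direct": parse_rules(["deny localdst", "allow all"]),
}
# Alex's three-route version, reading listA as "green" and localdst as "meantToGoDirect".
EXCLUSIVE = {
    "peers": {"auth-proxy": parse_rules(["deny localdst", "allow listA", "deny all"]),
              "parent-proxy": parse_rules(["deny localdst", "deny listA", "allow all"])},
    "always_direct": parse_rules(["allow localdst", "deny all"]),
    "never_direct": parse_rules(["deny localdst", "allow all"]),
}

# Constructed requests, each written as the set of ACL names it matches.
DOMAIN_A, INTERNET, LOCAL = {"listA"}, set(), {"localdst"}

for label, cfg in ("original", ORIGINAL), ("exclusive", EXCLUSIVE):
    print(label, [candidate_routes(cfg, r) for r in (DOMAIN_A, INTERNET, LOCAL)])
```

Under the original rules the domainA.com request is eligible for both parents, which is exactly the ambiguity Alex describes; a CONNECT to a raw IP address matches no dstdomain ACL and so behaves like INTERNET here, which is his closing caveat.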