
Re: squid 5 and parent peers

Hi,

I have now tested with the below config and I see my first request works, but the second fails. So I am not sure if it is still a configuration issue or something else.


....
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

#acl localdst dst 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localdst dst 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localdst dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localdst dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localdst dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localdst dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localdst dst fc00::/7 # RFC 4193 local private network range
acl localdst dst fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl google dstdomain -n .google.com

cache_peer internetproxy.example.com parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer authproxy.example.com parent 8080 0 no-query no-digest no-netdb-exchange default login=NEGOTIATE auth-no-keytab
# Only google to auth proxy
cache_peer_access authproxy.example.com deny localdst
cache_peer_access authproxy.example.com allow google
cache_peer_access authproxy.example.com deny all
# All other external domains
cache_peer_access internetproxy.example.com deny localdst
cache_peer_access internetproxy.example.com deny google
cache_peer_access internetproxy.example.com allow all
# Local goes direct
always_direct allow localdst
always_direct deny all
never_direct deny !localdst
never_direct allow all

debug_options 44,10 11,20

....

The first test looked fine:

#curl -vvv -x http://localhost:3128 http://www.google.com
* Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
*   Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128 (#0)
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive

* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.com/
< Content-Length: 0
< Date: Sat, 09 Oct 2021 12:29:23 GMT
< X-Cache: MISS from clientproxy
< X-Cache-Lookup: MISS from clientproxy:3128
< Connection: keep-alive
<
* Connection #0 to host localhost left intact


Second request failed with a cache error:


#curl -vvv -x http://localhost:3128 http://www.google.com
* Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
*   Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128 (#0)
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive

* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< Server: squid/5.1-VCS
< Mime-Version: 1.0
< Date: Sat, 09 Oct 2021 12:30:27 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3573
< X-Squid-Error: ERR_CONNECT_FAIL 110
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from clientproxy
< X-Cache-Lookup: MISS from clientproxy:3128
< Connection: keep-alive
<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" http://www.w3.org/TR/html4/strict.dtd>
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2021 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" CONTENT="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
.....


The cache log says:

2021/10/09 13:29:23.520 kid1| 11,2| client_side.cc(1353) parseHttpRequest: HTTP Client conn10 local=127.0.0.1:3128 remote=127.0.0.1:45192 FD 12 flags=1
2021/10/09 13:29:23.520 kid1| 11,2| client_side.cc(1354) parseHttpRequest: HTTP Client REQUEST:
---------
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive


----------
2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(309) peerSelect: e:=IV/0x12e63f0*2 http://www.google.com/
2021/10/09 13:29:23.520 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(617) selectMore: direct = DIRECT_UNKNOWN (always_direct to be checked)
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(373) checkAlwaysDirectDone: DENIED
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(626) selectMore: direct = DIRECT_UNKNOWN (never_direct to be checked)
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(345) checkNeverDirectDone: DENIED
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(577) checkNetdbDirect: MY RTT = 0 msec
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(578) checkNetdbDirect: minimum_direct_rtt = 400 msec
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(585) checkNetdbDirect: MY hops = 0
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(586) checkNetdbDirect: minimum_direct_hops = 4
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(647) selectMore: direct = DIRECT_MAYBE (default)
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(650) selectMore: direct = DIRECT_MAYBE
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(286) peerSelectIcpPing: http://www.google.com/
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(297) peerSelectIcpPing: counted 0 neighbors
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(833) selectSomeParent: GET www.google.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1098) addSelection: adding FIRSTUP_PARENT/authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1091) addSelection: skipping ANY_OLD_PARENT/authproxy.example.com; have FIRSTUP_PARENT/authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1091) addSelection: skipping DEFAULT_PARENT/authproxy.example.com; have FIRSTUP_PARENT/authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1098) addSelection: adding HIER_DIRECT#www.google.com
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(460) resolveSelected: Find IP destination for: http://www.google.com/' via authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1171) handlePath: PeerSelector1 found conn11 local=0.0.0.0 remote=10.20.1.1:8080 FIRSTUP_PARENT flags=1, destination #1 for http://www.google.com/
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1177) handlePath: always_direct = DENIED
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1178) handlePath: never_direct = DENIED
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1179) handlePath: timedout = 0
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 11,7| HttpRequest.cc(468) clearError: old: ERR_NONE
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(460) resolveSelected: Find IP destination for: http://www.google.com/' via www.google.com
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1171) handlePath: PeerSelector1 found conn12 local=0.0.0.0 remote=172.217.23.100:80 HIER_DIRECT flags=1, destination #2 for http://www.google.com/
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1177) handlePath: always_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1178) handlePath: never_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1179) handlePath: timedout = 0
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(479) resolveSelected: PeerSelector1 found all 2 destinations for http://www.google.com/
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(480) resolveSelected: always_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(481) resolveSelected: never_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(482) resolveSelected: timedout = 0
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,3| peer_select.cc(241) ~PeerSelector: http://www.google.com/
2021/10/09 13:29:23.526 kid1| 11,4| HttpRequest.cc(453) prepForPeering: 0x1154cf0 to authproxy.example.com proxy
2021/10/09 13:29:23.526 kid1| 11,3| http.cc(2486) httpStart: GET http://www.google.com/
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(87) HttpStateData: HttpStateData 0x12e9988 created
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2367) sendRequest: conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, request 0x1154cf0*6, this 0x12e9988.
2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The AsyncCall HttpStateData::httpTimeout constructed, this=0x12e8920 [call65]
2021/10/09 13:29:23.527 kid1| 11,8| http.cc(1656) maybeMakeSpaceAvailable: may read up to 65536 bytes info buf(0/65536) from conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The AsyncCall HttpStateData::readReply constructed, this=0x12f9c10 [call66]
2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The AsyncCall HttpStateData::wroteLast constructed, this=0x12f9cc0 [call67]
2021/10/09 13:29:23.527 kid1| 11,8| http.cc(2309) decideIfWeDoRanges: decideIfWeDoRanges: range specs: 0, cachable: 1; we_do_ranges: 0
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: User-Agent: curl/7.75.0
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: Accept: */*
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: Proxy-Connection: Keep-Alive
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: Host: www.google.com
2021/10/09 13:29:23.527 kid1| 11,5| peer_proxy_negotiate_auth.cc(539) peer_proxy_negotiate_auth: Import gss name
2021/10/09 13:29:23.527 kid1| 11,5| peer_proxy_negotiate_auth.cc(546) peer_proxy_negotiate_auth: Initialize gss security context
2021/10/09 13:29:23.531 kid1| 11,5| peer_proxy_negotiate_auth.cc(560) peer_proxy_negotiate_auth: Got token with length 2568
2021/10/09 13:29:23.531 kid1| 11,2| http.cc(2442) sendRequest: HTTP Server conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.531 kid1| 11,2| http.cc(2443) sendRequest: HTTP Server REQUEST:
---------
GET http://www.google.com/ HTTP/1.1
User-Agent: curl/7.75.0
Accept: */*
Host: www.google.com
Proxy-Authorization: Negotiate YIIK....
Cache-Control: max-age=259200
Connection: keep-alive


----------
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(96) ScheduleCall: IoCallback.cc(131) will call HttpStateData::wroteLast(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988) [call67]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCallQueue.cc(59) fireNext: entering HttpStateData::wroteLast(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(41) make: make call HttpStateData::wroteLast [call67]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncJob.cc(122) callStart: HttpStateData status in: [ job8]
2021/10/09 13:29:23.531 kid1| 11,5| http.cc(1667) wroteLast: conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1: size 3611: errflag 0.
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The AsyncCall HttpStateData::httpTimeout constructed, this=0xe34fa0 [call69]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncJob.cc(153) callEnd: HttpStateData status out: [ job8]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCallQueue.cc(61) fireNext: leaving HttpStateData::wroteLast(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:23.615 kid1| 11,5| AsyncCall.cc(96) ScheduleCall: IoCallback.cc(131) will call HttpStateData::readReply(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988) [call66]
2021/10/09 13:29:23.615 kid1| 11,5| AsyncCallQueue.cc(59) fireNext: entering HttpStateData::readReply(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:23.615 kid1| 11,5| AsyncCall.cc(41) make: make call HttpStateData::readReply [call66]
2021/10/09 13:29:23.615 kid1| 11,5| AsyncJob.cc(122) callStart: HttpStateData status in: [ job8]
2021/10/09 13:29:23.615 kid1| 11,5| http.cc(1215) readReply: conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.615 kid1| ctx: enter level  0: 'http://www.google.com/'
2021/10/09 13:29:23.615 kid1| 11,3| http.cc(666) processReplyHeader: processReplyHeader: key '0200000000000000843D000001000000'
2021/10/09 13:29:23.615 kid1| 11,2| http.cc(720) processReplyHeader: HTTP Server conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.615 kid1| 11,2| http.cc(721) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 301 Moved Permanently
Location: https://www.google.com/
Content-Length: 0
Proxy-Connection: Keep-Alive

----------
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(119) setVirginReply: 0x12e9988 setting virgin reply to 0x12fa850
2021/10/09 13:29:23.616 kid1| ctx: exit level  0
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(973) adaptOrFinalizeReply: adaptationAccessCheckPending=0
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(139) setFinalReply: 0x12e9988 setting final reply to 0x12fa850
2021/10/09 13:29:23.616 kid1| ctx: enter level  0: 'http://www.google.com/'
2021/10/09 13:29:23.616 kid1| 11,3| http.cc(979) haveParsedReplyHeaders: HTTP CODE: 301
2021/10/09 13:29:23.616 kid1| 11,3| http.cc(1054) haveParsedReplyHeaders: decided: do not cache but share because refresh check returned non-cacheable; HTTP status 301 e:=p2XIV/0x12e63f0*3
2021/10/09 13:29:23.616 kid1| ctx: exit level  0
2021/10/09 13:29:23.616 kid1| 11,2| Stream.cc(279) sendStartOfMessage: HTTP Client conn10 local=127.0.0.1:3128 remote=127.0.0.1:45192 FD 12 flags=1
2021/10/09 13:29:23.616 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 301 Moved Permanently
Location: https://www.google.com/
Content-Length: 0
Date: Sat, 09 Oct 2021 12:29:23 GMT
X-Cache: MISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive


----------
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1491) processReplyBody: adaptationAccessCheckPending=0
2021/10/09 13:29:23.616 kid1| 11,3| http.cc(1154) persistentConnStatus: conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1 eof=0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1174) persistentConnStatus: persistentConnStatus: content_length=0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1178) persistentConnStatus: persistentConnStatus: clen=0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1537) processReplyBody: processReplyBody: COMPLETE_PERSISTENT_MSG from conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(162) serverComplete: serverComplete 0x12e9988
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(184) serverComplete2: serverComplete2 0x12e9988
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(212) completeForwarding: completing forwarding for 0x12e6e28*2
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(586) cleanAdaptation: cleaning ICAP; ACL: 0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(134) ~HttpStateData: HttpStateData 0x12e9988 destroyed;
2021/10/09 13:29:23.616 kid1| 11,5| AsyncCallQueue.cc(61) fireNext: leaving HttpStateData::readReply(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:27.287 kid1| 11,2| client_side.cc(1353) parseHttpRequest: HTTP Client conn15 local=127.0.0.1:3128 remote=127.0.0.1:45219 FD 12 flags=1
2021/10/09 13:29:27.287 kid1| 11,2| client_side.cc(1354) parseHttpRequest: HTTP Client REQUEST:
---------
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive


----------
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(309) peerSelect: e:=IV/0x12e63f0*2 http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(617) selectMore: direct = DIRECT_UNKNOWN (always_direct to be checked)
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(373) checkAlwaysDirectDone: DENIED
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(626) selectMore: direct = DIRECT_UNKNOWN (never_direct to be checked)
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(345) checkNeverDirectDone: DENIED
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(577) checkNetdbDirect: MY RTT = 1 msec
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(578) checkNetdbDirect: minimum_direct_rtt = 400 msec
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(644) selectMore: direct = DIRECT_YES (checkNetdbDirect)
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(650) selectMore: direct = DIRECT_YES
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(1098) addSelection: adding HIER_DIRECT#www.google.com
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(460) resolveSelected: Find IP destination for: http://www.google.com/' via www.google.com
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1171) handlePath: PeerSelector2 found conn16 local=0.0.0.0 remote=172.217.23.100:80 HIER_DIRECT flags=1, destination #1 for http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1177) handlePath: always_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1178) handlePath: never_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1179) handlePath: timedout = 0
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 11,7| HttpRequest.cc(468) clearError: old: ERR_NONE
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(479) resolveSelected: PeerSelector2 found all 1 destinations for http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(480) resolveSelected: always_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(481) resolveSelected: never_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(482) resolveSelected: timedout = 0
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(241) ~PeerSelector: http://www.google.com/
2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(279) sendStartOfMessage: HTTP Client conn15 local=127.0.0.1:3128 remote=127.0.0.1:45219 FD 12 flags=1
2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 503 Service Unavailable
Server: squid/5.1-VCS
Mime-Version: 1.0
Date: Sat, 09 Oct 2021 12:30:27 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3573
X-Squid-Error: ERR_CONNECT_FAIL 110
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive


----------






Thank you
Markus





"Markus Moeller"  wrote in message news:sjrrhc$lat$1@xxxxxxxxxxxxx...

I understand now better the concept.

Thank you
Markus


"Alex Rousskov"  wrote in message
news:3dec529a-b62e-1e95-6cb7-0b68f6bf3c8d@xxxxxxxxxxxxxxxxxxxxxxx...

On 10/8/21 8:02 PM, Markus Moeller wrote:

I am trying to set up a proxy chain, but don't get the setup right. I have
one squid with 2 parents: one with auth for domainA.com and one w/o auth
for the non-local IPs (i.e. Internet).

With the below config I see domainA.com still going to the
unauthenticated parent proxy. Any hint why?

Several factors can explain that, but I would start by rephrasing your
request routing requirements (and the corresponding configuration rules)
as mutually exclusive (if they are). Currently, you have formulated and
configured the equivalent of

* send green traffic to auth-proxy
* send blue traffic to parent-proxy

This approach leaves important questions like "What about yellow
traffic?" and "What about traffic with green and blue dots?" unanswered.

If you want every request to go to either auth-proxy or parent-proxy,
then say so explicitly:

# green (and only green!) traffic to auth-proxy
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all

# not green (and only not green!) traffic to parent-proxy
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all

What "green" means exactly in your case, I do not know (due to the
questions like those listed above).


If you want every request to go to either auth-proxy, parent-proxy, or
direct, then your rules will become a bit more complex, but all three
routes should still be mutually exclusive:

# green (and only green) traffic to auth-proxy
# but exclude traffic that should go direct
cache_peer_access auth-proxy deny meantToGoDirect
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all

# not green (and only not green) traffic to parent-proxy
# but exclude traffic that should go direct
cache_peer_access parent-proxy deny meantToGoDirect
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all

# traffic that should go direct (and only that traffic)
# should always go direct
always_direct allow meantToGoDirect
always_direct deny all

# traffic that should not go direct (and only that traffic)
# should never go direct
never_direct deny meantToGoDirect
never_direct allow all

Disclaimer: The above configuration snippets are not complete, are not
tested, and can probably be reduced (some might say "simplified") if you
prefer to rely on certain defaults. See also: nonhierarchical_direct.

Once you get the above working for plain HTTP requests that have
resolvable domain names as targets, please note that your listA ACL will
not work for requests that have IP addresses, including some CONNECT
requests that ask your Squid to tunnel HTTPS traffic. Your Squid may not
get any such requests, but if it does, then your "green" and
"meantToGoDirect" ACLs may need to be more complex than "dstdomain -n"
and "dst".


HTH,

Alex.
P.S. I would not call the second proxy "parent-proxy" because both of
your proxies are configured as parent proxies.



# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl localdst dst 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localdst dst 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localdst dst 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localdst dst 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localdst dst 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localdst dst fc00::/7               # RFC 4193 local private network range
acl localdst dst fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl listA dstdomain -n  domainA.com

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

cache_peer auth-proxy parent   3128 0  no-query default login=NEGOTIATE
cache_peer parent-proxy parent   3128 0  no-query default
cache_peer_access auth-proxy allow listA
cache_peer_access parent-proxy allow !localdst
never_direct deny localdst
never_direct allow all

debug_options 44,10 11,20
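To see why the rules posted at the top of the thread leave www.google.com in DIRECT_MAYBE (so that the netdb RTT check in the cache log was free to choose the direct path on the second request) while a never_direct list that is the mutually exclusive complement of always_direct, as Alex describes, forces it to a peer, here is an added Python model of Squid's first-match access-list evaluation. It is not code from the thread or from Squid; the peer and ACL names are taken from the posted configuration, and the request addresses are constructed samples.

```python
"""Squid-style first-match access-list evaluation for request routing.

Added example, not code from the squid-users thread or from Squid. Every ACL
on a line must match ('!' negates), the first matching line decides, and an
exhausted list yields the opposite of its last line's action.
"""
import ipaddress
# ACL definitions, mirroring the "acl" lines in the thread: name -> (type, values)
ACLS = {
    "localdst": ("dst", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "google": ("dstdomain", [".google.com"]),
    "all": ("all", []),
}


def acl_matches(name, request):
    """True if the named ACL matches a request {dst_domain, dst_ip}."""
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "dst":
        ip = ipaddress.ip_address(request["dst_ip"])
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "dstdomain":
        host = request["dst_domain"].lower()
        # A leading dot matches the domain itself and every subdomain.
        return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
                   for p in values)
    raise ValueError(f"unsupported ACL type: {kind}")


def evaluate(rules, request):
    """First-match evaluation of one access list (e.g. always_direct)."""
    last_action = None
    for action, terms in rules:
        last_action = action
        # A line matches only if every term matches (negated terms must miss).
        if all(acl_matches(t.lstrip("!"), request) != t.startswith("!") for t in terms):
            return "ALLOWED" if action == "allow" else "DENIED"
    if last_action is None:
        return "DENIED"
    return "DENIED" if last_action == "allow" else "ALLOWED"  # implicit answer


def direct_mode(cfg, request):
    """DIRECT_YES / DIRECT_NO / DIRECT_MAYBE, in the order peer selection checks."""
    if evaluate(cfg["always_direct"], request) == "ALLOWED":
        return "DIRECT_YES"
    if evaluate(cfg["never_direct"], request) == "ALLOWED":
        return "DIRECT_NO"
    return "DIRECT_MAYBE"  # both denied: netdb RTT/hop heuristics decide, as in the log


def eligible_peers(cfg, request):
    """Peers whose cache_peer_access list allows this request."""
    return [peer for peer, rules in cfg["cache_peer_access"].items()
            if evaluate(rules, request) == "ALLOWED"]


def route(cfg, request):
    """(direct mode, eligible peers) for one request under one configuration."""
    return direct_mode(cfg, request), eligible_peers(cfg, request)


# Routing rules as posted at the top of the thread.
POSTED = {
    "cache_peer_access": {
        "authproxy.example.com": [("deny", ["localdst"]), ("allow", ["google"]), ("deny", ["all"])],
        "internetproxy.example.com": [("deny", ["localdst"]), ("deny", ["google"]), ("allow", ["all"])],
    },
    "always_direct": [("allow", ["localdst"]), ("deny", ["all"])],
    "never_direct": [("deny", ["!localdst"]), ("allow", ["all"])],
}
# Mutually exclusive variant: never_direct denies exactly what always_direct allows.
EXCLUSIVE = dict(POSTED, never_direct=[("deny", ["localdst"]), ("allow", ["all"])])

# Constructed sample requests (addresses are illustrative only).
GOOGLE = {"dst_domain": "www.google.com", "dst_ip": "172.217.23.100"}
INTRANET = {"dst_domain": "wiki.corp.example", "dst_ip": "10.20.30.40"}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("exclusive", EXCLUSIVE)):
        for req in (GOOGLE, INTRANET):
            print(label, req["dst_domain"], route(cfg, req))
```

Under POSTED the google request gets never_direct DENIED (the `deny !localdst` line matches it) and therefore DIRECT_MAYBE with authproxy as the only eligible peer, matching the cache log; under EXCLUSIVE the same request gets DIRECT_NO, so peer selection can no longer add a direct destination.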


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



