Hi,
I have now tested with the below config and I see my first request works,
but the second fails. So I am not sure if it is still a configuration issue
or something else.
....
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network
(LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space
(CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly
plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network
(LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network
(LAN)
acl localnet src fc00::/7 # RFC 4193 local private network
range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
#acl localdst dst 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localdst dst 10.0.0.0/8 # RFC 1918 local private network
(LAN)
acl localdst dst 100.64.0.0/10 # RFC 6598 shared address space
(CGN)
acl localdst dst 169.254.0.0/16 # RFC 3927 link-local (directly
plugged) machines
acl localdst dst 172.16.0.0/12 # RFC 1918 local private network
(LAN)
acl localdst dst 192.168.0.0/16 # RFC 1918 local private network
(LAN)
acl localdst dst fc00::/7 # RFC 4193 local private network
range
acl localdst dst fe80::/10 # RFC 4291 link-local (directly
plugged) machines
acl google dstdomain -n .google.com
cache_peer internetproxy.example.com parent 8080 0 no-query no-digest
no-netdb-exchange default
cache_peer authproxy.example.com parent 8080 0 no-query no-digest
no-netdb-exchange default login=NEGOTIATE auth-no-keytab
# Only google to auth proxy
cache_peer_access authproxy.example.com deny localdst
cache_peer_access authproxy.example.com allow google
cache_peer_access authproxy.example.com deny all
# All other external domains
cache_peer_access internetproxy.example.com deny localdst
cache_peer_access internetproxy.example.com deny google
cache_peer_access internetproxy.example.com allow all
# Local goes direct
always_direct allow localdst
always_direct deny all
never_direct deny !localdst
never_direct allow all
debug_options 44,10 11,20
....
The first test looked fine:
#curl -vvv -x http://localhost:3128 http://www.google.com
* Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
* Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128 (#0)
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.com/
< Content-Length: 0
< Date: Sat, 09 Oct 2021 12:29:23 GMT
< X-Cache: MISS from clientproxy
< X-Cache-Lookup: MISS from clientproxy:3128
< Connection: keep-alive
<
* Connection #0 to host localhost left intact
Second request failed with a cache error:
#curl -vvv -x http://localhost:3128 http://www.google.com
* Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
* Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128 (#0)
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive
* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< Server: squid/5.1-VCS
< Mime-Version: 1.0
< Date: Sat, 09 Oct 2021 12:30:27 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3573
< X-Squid-Error: ERR_CONNECT_FAIL 110
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from clientproxy
< X-Cache-Lookup: MISS from clientproxy:3128
< Connection: keep-alive
<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
http://www.w3.org/TR/html4/strict.dtd>
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2021 The Squid Software
Foundation and contributors">
<meta http-equiv="Content-Type" CONTENT="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
.....
The cache log says:
2021/10/09 13:29:23.520 kid1| 11,2| client_side.cc(1353) parseHttpRequest:
HTTP Client conn10 local=127.0.0.1:3128 remote=127.0.0.1:45192 FD 12 flags=1
2021/10/09 13:29:23.520 kid1| 11,2| client_side.cc(1354) parseHttpRequest:
HTTP Client REQUEST:
---------
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive
----------
2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(309) peerSelect:
e:=IV/0x12e63f0*2 http://www.google.com/
2021/10/09 13:29:23.520 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(612) selectMore: GET
www.google.com
2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(617) selectMore: direct =
DIRECT_UNKNOWN (always_direct to be checked)
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(373)
checkAlwaysDirectDone: DENIED
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(612) selectMore: GET
www.google.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(626) selectMore: direct =
DIRECT_UNKNOWN (never_direct to be checked)
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(345)
checkNeverDirectDone: DENIED
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(612) selectMore: GET
www.google.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(577) checkNetdbDirect: MY
RTT = 0 msec
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(578) checkNetdbDirect:
minimum_direct_rtt = 400 msec
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(585) checkNetdbDirect: MY
hops = 0
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(586) checkNetdbDirect:
minimum_direct_hops = 4
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(647) selectMore: direct =
DIRECT_MAYBE (default)
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(650) selectMore: direct =
DIRECT_MAYBE
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(286) peerSelectIcpPing:
http://www.google.com/
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(297) peerSelectIcpPing:
counted 0 neighbors
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(833) selectSomeParent:
GET www.google.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1098) addSelection:
adding FIRSTUP_PARENT/authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1091) addSelection:
skipping ANY_OLD_PARENT/authproxy.example.com; have
FIRSTUP_PARENT/authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1091) addSelection:
skipping DEFAULT_PARENT/authproxy.example.com; have
FIRSTUP_PARENT/authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1098) addSelection:
adding HIER_DIRECT#www.google.com
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(460) resolveSelected:
Find IP destination for: http://www.google.com/' via authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1171) handlePath:
PeerSelector1 found conn11 local=0.0.0.0 remote=10.20.1.1:8080
FIRSTUP_PARENT flags=1, destination #1 for http://www.google.com/
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1177) handlePath:
always_direct = DENIED
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1178) handlePath:
never_direct = DENIED
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1179) handlePath:
timedout = 0
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 11,7| HttpRequest.cc(468) clearError: old:
ERR_NONE
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(460) resolveSelected:
Find IP destination for: http://www.google.com/' via www.google.com
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1171) handlePath:
PeerSelector1 found conn12 local=0.0.0.0 remote=172.217.23.100:80
HIER_DIRECT flags=1, destination #2 for http://www.google.com/
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1177) handlePath:
always_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1178) handlePath:
never_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1179) handlePath:
timedout = 0
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(479) resolveSelected:
PeerSelector1 found all 2 destinations for http://www.google.com/
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(480) resolveSelected:
always_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(481) resolveSelected:
never_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(482) resolveSelected:
timedout = 0
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,3| peer_select.cc(241) ~PeerSelector:
http://www.google.com/
2021/10/09 13:29:23.526 kid1| 11,4| HttpRequest.cc(453) prepForPeering:
0x1154cf0 to authproxy.example.com proxy
2021/10/09 13:29:23.526 kid1| 11,3| http.cc(2486) httpStart: GET
http://www.google.com/
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(87) HttpStateData: HttpStateData
0x12e9988 created
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2367) sendRequest: conn13
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1,
request 0x1154cf0*6, this 0x12e9988.
2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The
AsyncCall HttpStateData::httpTimeout constructed, this=0x12e8920 [call65]
2021/10/09 13:29:23.527 kid1| 11,8| http.cc(1656) maybeMakeSpaceAvailable:
may read up to 65536 bytes info buf(0/65536) from conn13
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The
AsyncCall HttpStateData::readReply constructed, this=0x12f9c10 [call66]
2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The
AsyncCall HttpStateData::wroteLast constructed, this=0x12f9cc0 [call67]
2021/10/09 13:29:23.527 kid1| 11,8| http.cc(2309) decideIfWeDoRanges:
decideIfWeDoRanges: range specs: 0, cachable: 1; we_do_ranges: 0
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113)
copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader:
User-Agent: curl/7.75.0
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113)
copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader:
Accept: */*
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113)
copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader:
Proxy-Connection: Keep-Alive
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113)
copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader:
Host: www.google.com
2021/10/09 13:29:23.527 kid1| 11,5| peer_proxy_negotiate_auth.cc(539)
peer_proxy_negotiate_auth: Import gss name
2021/10/09 13:29:23.527 kid1| 11,5| peer_proxy_negotiate_auth.cc(546)
peer_proxy_negotiate_auth: Initialize gss security context
2021/10/09 13:29:23.531 kid1| 11,5| peer_proxy_negotiate_auth.cc(560)
peer_proxy_negotiate_auth: Got token with length 2568
2021/10/09 13:29:23.531 kid1| 11,2| http.cc(2442) sendRequest: HTTP Server
conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13
flags=1
2021/10/09 13:29:23.531 kid1| 11,2| http.cc(2443) sendRequest: HTTP Server
REQUEST:
---------
GET http://www.google.com/ HTTP/1.1
User-Agent: curl/7.75.0
Accept: */*
Host: www.google.com
Proxy-Authorization: Negotiate YIIK....
Cache-Control: max-age=259200
Connection: keep-alive
----------
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(96) ScheduleCall:
IoCallback.cc(131) will call HttpStateData::wroteLast(conn13
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1,
data=0x12e9988) [call67]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCallQueue.cc(59) fireNext: entering
HttpStateData::wroteLast(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080
FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(41) make: make call
HttpStateData::wroteLast [call67]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncJob.cc(122) callStart:
HttpStateData status in: [ job8]
2021/10/09 13:29:23.531 kid1| 11,5| http.cc(1667) wroteLast: conn13
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1:
size 3611: errflag 0.
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The
AsyncCall HttpStateData::httpTimeout constructed, this=0xe34fa0 [call69]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncJob.cc(153) callEnd: HttpStateData
status out: [ job8]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCallQueue.cc(61) fireNext: leaving
HttpStateData::wroteLast(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080
FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:23.615 kid1| 11,5| AsyncCall.cc(96) ScheduleCall:
IoCallback.cc(131) will call HttpStateData::readReply(conn13
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1,
data=0x12e9988) [call66]
2021/10/09 13:29:23.615 kid1| 11,5| AsyncCallQueue.cc(59) fireNext: entering
HttpStateData::readReply(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080
FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:23.615 kid1| 11,5| AsyncCall.cc(41) make: make call
HttpStateData::readReply [call66]
2021/10/09 13:29:23.615 kid1| 11,5| AsyncJob.cc(122) callStart:
HttpStateData status in: [ job8]
2021/10/09 13:29:23.615 kid1| 11,5| http.cc(1215) readReply: conn13
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.615 kid1| ctx: enter level 0: 'http://www.google.com/'
2021/10/09 13:29:23.615 kid1| 11,3| http.cc(666) processReplyHeader:
processReplyHeader: key '0200000000000000843D000001000000'
2021/10/09 13:29:23.615 kid1| 11,2| http.cc(720) processReplyHeader: HTTP
Server conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD
13 flags=1
2021/10/09 13:29:23.615 kid1| 11,2| http.cc(721) processReplyHeader: HTTP
Server RESPONSE:
---------
HTTP/1.1 301 Moved Permanently
Location: https://www.google.com/
Content-Length: 0
Proxy-Connection: Keep-Alive
----------
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(119) setVirginReply: 0x12e9988
setting virgin reply to 0x12fa850
2021/10/09 13:29:23.616 kid1| ctx: exit level 0
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(973) adaptOrFinalizeReply:
adaptationAccessCheckPending=0
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(139) setFinalReply: 0x12e9988
setting final reply to 0x12fa850
2021/10/09 13:29:23.616 kid1| ctx: enter level 0: 'http://www.google.com/'
2021/10/09 13:29:23.616 kid1| 11,3| http.cc(979) haveParsedReplyHeaders:
HTTP CODE: 301
2021/10/09 13:29:23.616 kid1| 11,3| http.cc(1054) haveParsedReplyHeaders:
decided: do not cache but share because refresh check returned
non-cacheable; HTTP status 301 e:=p2XIV/0x12e63f0*3
2021/10/09 13:29:23.616 kid1| ctx: exit level 0
2021/10/09 13:29:23.616 kid1| 11,2| Stream.cc(279) sendStartOfMessage: HTTP
Client conn10 local=127.0.0.1:3128 remote=127.0.0.1:45192 FD 12 flags=1
2021/10/09 13:29:23.616 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP
Client REPLY:
---------
HTTP/1.1 301 Moved Permanently
Location: https://www.google.com/
Content-Length: 0
Date: Sat, 09 Oct 2021 12:29:23 GMT
X-Cache: MISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive
----------
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1491) processReplyBody:
adaptationAccessCheckPending=0
2021/10/09 13:29:23.616 kid1| 11,3| http.cc(1154) persistentConnStatus:
conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13
flags=1 eof=0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1174) persistentConnStatus:
persistentConnStatus: content_length=0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1178) persistentConnStatus:
persistentConnStatus: clen=0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1537) processReplyBody:
processReplyBody: COMPLETE_PERSISTENT_MSG from conn13 local=10.10.1.1:36928
remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(162) serverComplete:
serverComplete 0x12e9988
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(184) serverComplete2:
serverComplete2 0x12e9988
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(212) completeForwarding:
completing forwarding for 0x12e6e28*2
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(586) cleanAdaptation: cleaning
ICAP; ACL: 0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(134) ~HttpStateData:
HttpStateData 0x12e9988 destroyed;
2021/10/09 13:29:23.616 kid1| 11,5| AsyncCallQueue.cc(61) fireNext: leaving
HttpStateData::readReply(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080
FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:27.287 kid1| 11,2| client_side.cc(1353) parseHttpRequest:
HTTP Client conn15 local=127.0.0.1:3128 remote=127.0.0.1:45219 FD 12 flags=1
2021/10/09 13:29:27.287 kid1| 11,2| client_side.cc(1354) parseHttpRequest:
HTTP Client REQUEST:
---------
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive
----------
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(309) peerSelect:
e:=IV/0x12e63f0*2 http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET
www.google.com
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(617) selectMore: direct =
DIRECT_UNKNOWN (always_direct to be checked)
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(373)
checkAlwaysDirectDone: DENIED
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET
www.google.com
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(626) selectMore: direct =
DIRECT_UNKNOWN (never_direct to be checked)
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(345)
checkNeverDirectDone: DENIED
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET
www.google.com
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(577) checkNetdbDirect: MY
RTT = 1 msec
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(578) checkNetdbDirect:
minimum_direct_rtt = 400 msec
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(644) selectMore: direct =
DIRECT_YES (checkNetdbDirect)
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(650) selectMore: direct =
DIRECT_YES
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(1098) addSelection:
adding HIER_DIRECT#www.google.com
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(460) resolveSelected:
Find IP destination for: http://www.google.com/' via www.google.com
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1171) handlePath:
PeerSelector2 found conn16 local=0.0.0.0 remote=172.217.23.100:80
HIER_DIRECT flags=1, destination #1 for http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1177) handlePath:
always_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1178) handlePath:
never_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1179) handlePath:
timedout = 0
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 11,7| HttpRequest.cc(468) clearError: old:
ERR_NONE
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(479) resolveSelected:
PeerSelector2 found all 1 destinations for http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(480) resolveSelected:
always_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(481) resolveSelected:
never_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(482) resolveSelected:
timedout = 0
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149)
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(241) ~PeerSelector:
http://www.google.com/
2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(279) sendStartOfMessage: HTTP
Client conn15 local=127.0.0.1:3128 remote=127.0.0.1:45219 FD 12 flags=1
2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP
Client REPLY:
---------
HTTP/1.1 503 Service Unavailable
Server: squid/5.1-VCS
Mime-Version: 1.0
Date: Sat, 09 Oct 2021 12:30:27 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3573
X-Squid-Error: ERR_CONNECT_FAIL 110
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive
----------
Thank you
Markus
"Markus Moeller" wrote in message news:sjrrhc$lat$1@xxxxxxxxxxxxx...
I understand now better the concept.
Thank you
Markus
"Alex Rousskov" wrote in message
news:3dec529a-b62e-1e95-6cb7-0b68f6bf3c8d@xxxxxxxxxxxxxxxxxxxxxxx...
On 10/8/21 8:02 PM, Markus Moeller wrote:
I try to setup a proxy chain, but don't get the setup right. I have one
squid with 2 parents. One with auth for domainA.com and one w/o auth for
the non local IPs (i.e. Internet).
With the below config I see domainA.com still going to the
unauthenticated parent proxy. Any hint why ?
Several factors can explain that, but I would start by rephrasing your
request routing requirements (and the corresponding configuration rules)
as mutually exclusive (if they are). Currently, you have formulated and
configured the equivalent of
* send green traffic to auth-proxy
* send blue traffic to parent-proxy
This approach leaves important questions like "What about yellow
traffic?" and "What about traffic with green and blue dots?" unanswered.
If you want every request to go to either auth-proxy or parent-proxy,
then say so explicitly:
# green (and only green!) traffic to auth-proxy
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all
# not green (and only not green!) traffic to parent-proxy
cache_peer_access auth-proxy deny green
cache_peer_access auth-proxy allow all
What "green" means exactly in your case, I do not know (due to the
questions like those listed above).
If you want every request to go to either auth-proxy, parent-proxy, or
direct, then your rules will become a bit more complex, but all three
routes should still be mutually exclusive:
# green (and only green) traffic to auth-proxy
# but exclude traffic that should go direct
cache_peer_access auth-proxy deny meantToGoDirect
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all
# not green (and only not green) traffic to parent-proxy
# but exclude traffic that should go direct
cache_peer_access auth-proxy deny meantToGoDirect
cache_peer_access auth-proxy deny green
cache_peer_access auth-proxy allow all
# traffic that should go direct (and only that traffic)
# should always go direct
always_direct allow meantToGoDirect
always_direct deny all
# traffic that should not go direct (and only that traffic)
# should never go direct
never_direct deny meantToGoDirect
never_direct allow all
Disclaimer: The above configuration snippets are not complete, are not
tested, and can probably be reduced (some might say "simplified") if you
prefer to rely on certain defaults. See also: nonhierarchical_direct.
Once you get the above working for plain HTTP requests that have
resolvable domain names as targets, please note that your listA ACL will
not work for requests that have IP addresses, including some CONNECT
requests that ask your Squid to tunnel HTTPS traffic. Your Squid may not
get any such requests, but if it does, then your "green" and
"meantToGoDirect" ACLs may need to be more complex than "dstdomain -n"
and "dst".
HTH,
Alex.
P.S. I would not call the second proxy "parent-proxy" because both of
your proxies are configured as parent proxies.
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network
(LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space
(CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly
plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network
(LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network
(LAN)
acl localnet src fc00::/7 # RFC 4193 local private network
range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
acl localdst dst 10.0.0.0/8 # RFC 1918 local private network
(LAN)
acl localdst dst 100.64.0.0/10 # RFC 6598 shared address space
(CGN)
acl localdst dst 169.254.0.0/16 # RFC 3927 link-local (directly
plugged) machines
acl localdst dst 172.16.0.0/12 # RFC 1918 local private network
(LAN)
acl localdst dst 192.168.0.0/16 # RFC 1918 local private network
(LAN)
acl localdst dst fc00::/7 # RFC 4193 local private network
range
acl localdst dst fe80::/10 # RFC 4291 link-local (directly
plugged) machines
acl listA dstdomain -n domainA.com
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
cache_peer auth-proxy parent 3128 0 no-query default login=NEGOTIATE
cache_peer parent-proxy parent 3128 0 no-query default
cache_peer_access auth-proxy allow listA
cache_peer_access parent-proxy allow !localdst
never_direct deny localdst
never_direct allow all
debug_options 44,10 11,20
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users