On 10/9/21 9:06 AM, Markus Moeller wrote:
> Hi,
>
> I have now tested with the below config and I see my first request works, but the second fails. So I am not sure if it is still a configuration issue or something else.

> always_direct allow localdst
> never_direct deny !localdst

I (still) do not know what you want to achieve exactly (see my previous response for more specific questions), but the above combination looks suspicious to me. I would expect traffic that should always go direct to be denied in the never_direct rule instead. Did you mean for that "!" to be there? I did not check the debugging trace carefully, but it may be the reason why Squid cannot forward some requests -- it is getting impossible-to-satisfy or self-contradictory directions.

BTW, thank you for posting the debugging trace! Please keep doing that if you need further help.

Alex.


> ....
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> #acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
> acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> #acl localdst dst 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
> acl localdst dst 10.0.0.0/8 # RFC 1918 local private network (LAN)
> acl localdst dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
> acl localdst dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
> acl localdst dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
> acl localdst dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
> acl localdst dst fc00::/7 # RFC 4193 local private network range
> acl localdst dst fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> acl google dstdomain -n .google.com
>
> cache_peer internetproxy.example.com parent 8080 0 no-query no-digest no-netdb-exchange default
> cache_peer authproxy.example.com parent 8080 0 no-query no-digest no-netdb-exchange default login=NEGOTIATE auth-no-keytab
> # Only google to auth proxy
> cache_peer_access authproxy.example.com deny localdst
> cache_peer_access authproxy.example.com allow google
> cache_peer_access authproxy.example.com deny all
> # All other external domains
> cache_peer_access internetproxy.example.com deny localdst
> cache_peer_access internetproxy.example.com deny google
> cache_peer_access internetproxy.example.com allow all
> # Local goes direct
> always_direct allow localdst
> always_direct deny all
> never_direct deny !localdst
> never_direct allow all
>
> debug_options 44,10 11,20
>
> ....
>
> The first test looked fine:
>
> #curl -vvv -x http://localhost:3128 http://www.google.com
> * Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
> *   Trying 127.0.0.1:3128...
> * Connected to localhost (127.0.0.1) port 3128 (#0)
> > GET http://www.google.com/ HTTP/1.1
> > Host: www.google.com
> > User-Agent: curl/7.75.0
> > Accept: */*
> > Proxy-Connection: Keep-Alive
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 301 Moved Permanently
> < Location: https://www.google.com/
> < Content-Length: 0
> < Date: Sat, 09 Oct 2021 12:29:23 GMT
> < X-Cache: MISS from clientproxy
> < X-Cache-Lookup: MISS from clientproxy:3128
> < Connection: keep-alive
> <
> * Connection #0 to host localhost left intact
>
>
> Second request failed with a cache error:
>
> #curl -vvv -x http://localhost:3128 http://www.google.com
> * Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
> *   Trying 127.0.0.1:3128...
> * Connected to localhost (127.0.0.1) port 3128 (#0)
> > GET http://www.google.com/ HTTP/1.1
> > Host: www.google.com
> > User-Agent: curl/7.75.0
> > Accept: */*
> > Proxy-Connection: Keep-Alive
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 503 Service Unavailable
> < Server: squid/5.1-VCS
> < Mime-Version: 1.0
> < Date: Sat, 09 Oct 2021 12:30:27 GMT
> < Content-Type: text/html;charset=utf-8
> < Content-Length: 3573
> < X-Squid-Error: ERR_CONNECT_FAIL 110
> < Vary: Accept-Language
> < Content-Language: en
> < X-Cache: MISS from clientproxy
> < X-Cache-Lookup: MISS from clientproxy:3128
> < Connection: keep-alive
> <
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
> <html><head>
> <meta type="copyright" content="Copyright (C) 1996-2021 The Squid Software Foundation and contributors">
> <meta http-equiv="Content-Type" CONTENT="text/html; charset=utf-8">
> <title>ERROR: The requested URL could not be retrieved</title>
> .....
>
>
> The cache log says:
>
> 2021/10/09 13:29:23.520 kid1| 11,2| client_side.cc(1353) parseHttpRequest: HTTP Client conn10 local=127.0.0.1:3128 remote=127.0.0.1:45192 FD 12 flags=1
> 2021/10/09 13:29:23.520 kid1| 11,2| client_side.cc(1354) parseHttpRequest: HTTP Client REQUEST:
> ---------
> GET http://www.google.com/ HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.75.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
>
> ----------
> 2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(309) peerSelect: e:=IV/0x12e63f0*2 http://www.google.com/
> 2021/10/09 13:29:23.520 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
> 2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(617) selectMore: direct = DIRECT_UNKNOWN (always_direct to be checked)
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(373) checkAlwaysDirectDone: DENIED
> 2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(626) selectMore: direct = DIRECT_UNKNOWN (never_direct to be checked)
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(345) checkNeverDirectDone: DENIED
> 2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(577) checkNetdbDirect: MY RTT = 0 msec
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(578) checkNetdbDirect: minimum_direct_rtt = 400 msec
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(585) checkNetdbDirect: MY hops = 0
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(586) checkNetdbDirect: minimum_direct_hops = 4
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(647) selectMore: direct = DIRECT_MAYBE (default)
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(650) selectMore: direct = DIRECT_MAYBE
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(286) peerSelectIcpPing: http://www.google.com/
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(297) peerSelectIcpPing: counted 0 neighbors
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(833) selectSomeParent: GET www.google.com
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1098) addSelection: adding FIRSTUP_PARENT/authproxy.example.com
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1091) addSelection: skipping ANY_OLD_PARENT/authproxy.example.com; have FIRSTUP_PARENT/authproxy.example.com
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1091) addSelection: skipping DEFAULT_PARENT/authproxy.example.com; have FIRSTUP_PARENT/authproxy.example.com
> 2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1098) addSelection: adding HIER_DIRECT#www.google.com
> 2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(460) resolveSelected: Find IP destination for: http://www.google.com/' via authproxy.example.com
> 2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1171) handlePath: PeerSelector1 found conn11 local=0.0.0.0 remote=10.20.1.1:8080 FIRSTUP_PARENT flags=1, destination #1 for http://www.google.com/
> 2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1177) handlePath: always_direct = DENIED
> 2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1178) handlePath: never_direct = DENIED
> 2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1179) handlePath: timedout = 0
> 2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.523 kid1| 11,7| HttpRequest.cc(468) clearError: old: ERR_NONE
> 2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(460) resolveSelected: Find IP destination for: http://www.google.com/' via www.google.com
> 2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1171) handlePath: PeerSelector1 found conn12 local=0.0.0.0 remote=172.217.23.100:80 HIER_DIRECT flags=1, destination #2 for http://www.google.com/
> 2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1177) handlePath: always_direct = DENIED
> 2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1178) handlePath: never_direct = DENIED
> 2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1179) handlePath: timedout = 0
> 2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(479) resolveSelected: PeerSelector1 found all 2 destinations for http://www.google.com/
> 2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(480) resolveSelected: always_direct = DENIED
> 2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(481) resolveSelected: never_direct = DENIED
> 2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(482) resolveSelected: timedout = 0
> 2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector1
> 2021/10/09 13:29:23.524 kid1| 44,3| peer_select.cc(241) ~PeerSelector: http://www.google.com/
> 2021/10/09 13:29:23.526 kid1| 11,4| HttpRequest.cc(453) prepForPeering: 0x1154cf0 to authproxy.example.com proxy
> 2021/10/09 13:29:23.526 kid1| 11,3| http.cc(2486) httpStart: GET http://www.google.com/
> 2021/10/09 13:29:23.527 kid1| 11,5| http.cc(87) HttpStateData: HttpStateData 0x12e9988 created
> 2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2367) sendRequest: conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, request 0x1154cf0*6, this 0x12e9988.
> 2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The AsyncCall HttpStateData::httpTimeout constructed, this=0x12e8920 [call65]
> 2021/10/09 13:29:23.527 kid1| 11,8| http.cc(1656) maybeMakeSpaceAvailable: may read up to 65536 bytes info buf(0/65536) from conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
> 2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The AsyncCall HttpStateData::readReply constructed, this=0x12f9c10 [call66]
> 2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The AsyncCall HttpStateData::wroteLast constructed, this=0x12f9cc0 [call67]
> 2021/10/09 13:29:23.527 kid1| 11,8| http.cc(2309) decideIfWeDoRanges: decideIfWeDoRanges: range specs: 0, cachable: 1; we_do_ranges: 0
> 2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: User-Agent: curl/7.75.0
> 2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: Accept: */*
> 2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: Proxy-Connection: Keep-Alive
> 2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: Host: www.google.com
> 2021/10/09 13:29:23.527 kid1| 11,5| peer_proxy_negotiate_auth.cc(539) peer_proxy_negotiate_auth: Import gss name
> 2021/10/09 13:29:23.527 kid1| 11,5| peer_proxy_negotiate_auth.cc(546) peer_proxy_negotiate_auth: Initialize gss security context
> 2021/10/09 13:29:23.531 kid1| 11,5| peer_proxy_negotiate_auth.cc(560) peer_proxy_negotiate_auth: Got token with length 2568
> 2021/10/09 13:29:23.531 kid1| 11,2| http.cc(2442) sendRequest: HTTP Server conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
> 2021/10/09 13:29:23.531 kid1| 11,2| http.cc(2443) sendRequest: HTTP Server REQUEST:
> ---------
> GET http://www.google.com/ HTTP/1.1
> User-Agent: curl/7.75.0
> Accept: */*
> Host: www.google.com
> Proxy-Authorization: Negotiate YIIK....
> Cache-Control: max-age=259200
> Connection: keep-alive
>
>
> ----------
> 2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(96) ScheduleCall: IoCallback.cc(131) will call HttpStateData::wroteLast(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988) [call67]
> 2021/10/09 13:29:23.531 kid1| 11,5| AsyncCallQueue.cc(59) fireNext: entering HttpStateData::wroteLast(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
> 2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(41) make: make call HttpStateData::wroteLast [call67]
> 2021/10/09 13:29:23.531 kid1| 11,5| AsyncJob.cc(122) callStart: HttpStateData status in: [ job8]
> 2021/10/09 13:29:23.531 kid1| 11,5| http.cc(1667) wroteLast: conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1: size 3611: errflag 0.
> 2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The AsyncCall HttpStateData::httpTimeout constructed, this=0xe34fa0 [call69]
> 2021/10/09 13:29:23.531 kid1| 11,5| AsyncJob.cc(153) callEnd: HttpStateData status out: [ job8]
> 2021/10/09 13:29:23.531 kid1| 11,5| AsyncCallQueue.cc(61) fireNext: leaving HttpStateData::wroteLast(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
> 2021/10/09 13:29:23.615 kid1| 11,5| AsyncCall.cc(96) ScheduleCall: IoCallback.cc(131) will call HttpStateData::readReply(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988) [call66]
> 2021/10/09 13:29:23.615 kid1| 11,5| AsyncCallQueue.cc(59) fireNext: entering HttpStateData::readReply(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
> 2021/10/09 13:29:23.615 kid1| 11,5| AsyncCall.cc(41) make: make call HttpStateData::readReply [call66]
> 2021/10/09 13:29:23.615 kid1| 11,5| AsyncJob.cc(122) callStart: HttpStateData status in: [ job8]
> 2021/10/09 13:29:23.615 kid1| 11,5| http.cc(1215) readReply: conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
> 2021/10/09 13:29:23.615 kid1| ctx: enter level 0: 'http://www.google.com/'
> 2021/10/09 13:29:23.615 kid1| 11,3| http.cc(666) processReplyHeader: processReplyHeader: key '0200000000000000843D000001000000'
> 2021/10/09 13:29:23.615 kid1| 11,2| http.cc(720) processReplyHeader: HTTP Server conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
> 2021/10/09 13:29:23.615 kid1| 11,2| http.cc(721) processReplyHeader: HTTP Server RESPONSE:
> ---------
> HTTP/1.1 301 Moved Permanently
> Location: https://www.google.com/
> Content-Length: 0
> Proxy-Connection: Keep-Alive
>
> ----------
> 2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(119) setVirginReply: 0x12e9988 setting virgin reply to 0x12fa850
> 2021/10/09 13:29:23.616 kid1| ctx: exit level 0
> 2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(973) adaptOrFinalizeReply: adaptationAccessCheckPending=0
> 2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(139) setFinalReply: 0x12e9988 setting final reply to 0x12fa850
> 2021/10/09 13:29:23.616 kid1| ctx: enter level 0: 'http://www.google.com/'
> 2021/10/09 13:29:23.616 kid1| 11,3| http.cc(979) haveParsedReplyHeaders: HTTP CODE: 301
> 2021/10/09 13:29:23.616 kid1| 11,3| http.cc(1054) haveParsedReplyHeaders: decided: do not cache but share because refresh check returned non-cacheable; HTTP status 301 e:=p2XIV/0x12e63f0*3
> 2021/10/09 13:29:23.616 kid1| ctx: exit level 0
> 2021/10/09 13:29:23.616 kid1| 11,2| Stream.cc(279) sendStartOfMessage: HTTP Client conn10 local=127.0.0.1:3128 remote=127.0.0.1:45192 FD 12 flags=1
> 2021/10/09 13:29:23.616 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP Client REPLY:
> ---------
> HTTP/1.1 301 Moved Permanently
> Location: https://www.google.com/
> Content-Length: 0
> Date: Sat, 09 Oct 2021 12:29:23 GMT
> X-Cache: MISS from clientproxy
> X-Cache-Lookup: MISS from clientproxy:3128
> Connection: keep-alive
>
>
> ----------
> 2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1491) processReplyBody: adaptationAccessCheckPending=0
> 2021/10/09 13:29:23.616 kid1| 11,3| http.cc(1154) persistentConnStatus: conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1 eof=0
> 2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1174) persistentConnStatus: persistentConnStatus: content_length=0
> 2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1178) persistentConnStatus: persistentConnStatus: clen=0
> 2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1537) processReplyBody: processReplyBody: COMPLETE_PERSISTENT_MSG from conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
> 2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(162) serverComplete: serverComplete 0x12e9988
> 2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(184) serverComplete2: serverComplete2 0x12e9988
> 2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(212) completeForwarding: completing forwarding for 0x12e6e28*2
> 2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(586) cleanAdaptation: cleaning ICAP; ACL: 0
> 2021/10/09 13:29:23.616 kid1| 11,5| http.cc(134) ~HttpStateData: HttpStateData 0x12e9988 destroyed;
> 2021/10/09 13:29:23.616 kid1| 11,5| AsyncCallQueue.cc(61) fireNext: leaving HttpStateData::readReply(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
> 2021/10/09 13:29:27.287 kid1| 11,2| client_side.cc(1353) parseHttpRequest: HTTP Client conn15 local=127.0.0.1:3128 remote=127.0.0.1:45219 FD 12 flags=1
> 2021/10/09 13:29:27.287 kid1| 11,2| client_side.cc(1354) parseHttpRequest: HTTP Client REQUEST:
> ---------
> GET http://www.google.com/ HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.75.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
>
> ----------
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(309) peerSelect: e:=IV/0x12e63f0*2 http://www.google.com/
> 2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(617) selectMore: direct = DIRECT_UNKNOWN (always_direct to be checked)
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(373) checkAlwaysDirectDone: DENIED
> 2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(626) selectMore: direct = DIRECT_UNKNOWN (never_direct to be checked)
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(345) checkNeverDirectDone: DENIED
> 2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET www.google.com
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(577) checkNetdbDirect: MY RTT = 1 msec
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(578) checkNetdbDirect: minimum_direct_rtt = 400 msec
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(644) selectMore: direct = DIRECT_YES (checkNetdbDirect)
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(650) selectMore: direct = DIRECT_YES
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(1098) addSelection: adding HIER_DIRECT#www.google.com
> 2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
> 2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(460) resolveSelected: Find IP destination for: http://www.google.com/' via www.google.com
> 2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
> 2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1171) handlePath: PeerSelector2 found conn16 local=0.0.0.0 remote=172.217.23.100:80 HIER_DIRECT flags=1, destination #1 for http://www.google.com/
> 2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1177) handlePath: always_direct = DENIED
> 2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1178) handlePath: never_direct = DENIED
> 2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1179) handlePath: timedout = 0
> 2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
> 2021/10/09 13:29:27.287 kid1| 11,7| HttpRequest.cc(468) clearError: old: ERR_NONE
> 2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
> 2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
> 2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(479) resolveSelected: PeerSelector2 found all 1 destinations for http://www.google.com/
> 2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(480) resolveSelected: always_direct = DENIED
> 2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(481) resolveSelected: never_direct = DENIED
> 2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(482) resolveSelected: timedout = 0
> 2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
> 2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(241) ~PeerSelector: http://www.google.com/
> 2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(279) sendStartOfMessage: HTTP Client conn15 local=127.0.0.1:3128 remote=127.0.0.1:45219 FD 12 flags=1
> 2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP Client REPLY:
> ---------
> HTTP/1.1 503 Service Unavailable
> Server: squid/5.1-VCS
> Mime-Version: 1.0
> Date: Sat, 09 Oct 2021 12:30:27 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 3573
> X-Squid-Error: ERR_CONNECT_FAIL 110
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from clientproxy
> X-Cache-Lookup: MISS from clientproxy:3128
> Connection: keep-alive
>
>
> ----------
>
> Thank you
> Markus
>
>
> "Markus Moeller" wrote in message news:sjrrhc$lat$1@xxxxxxxxxxxxx...
>
> I understand now better the concept.
>
> Thank you
> Markus
>
>
> "Alex Rousskov" wrote in message news:3dec529a-b62e-1e95-6cb7-0b68f6bf3c8d@xxxxxxxxxxxxxxxxxxxxxxx...
>
> On 10/8/21 8:02 PM, Markus Moeller wrote:
>> I try to setup a proxy chain, but don't get the setup right. I have one squid with 2 parents. One with auth for domainA.com and one w/o auth for the non local IPs (i.e. Internet).
>
>> With the below config I see domainA.com still going to the unauthenticated parent proxy. Any hint why?
>
> Several factors can explain that, but I would start by rephrasing your request routing requirements (and the corresponding configuration rules) as mutually exclusive (if they are).
> Currently, you have formulated and configured the equivalent of
>
> * send green traffic to auth-proxy
> * send blue traffic to parent-proxy
>
> This approach leaves important questions like "What about yellow traffic?" and "What about traffic with green and blue dots?" unanswered.
>
> If you want every request to go to either auth-proxy or parent-proxy, then say so explicitly:
>
> # green (and only green!) traffic to auth-proxy
> cache_peer_access auth-proxy allow green
> cache_peer_access auth-proxy deny all
>
> # not green (and only not green!) traffic to parent-proxy
> cache_peer_access parent-proxy deny green
> cache_peer_access parent-proxy allow all
>
> What "green" means exactly in your case, I do not know (due to the questions like those listed above).
>
>
> If you want every request to go to either auth-proxy, parent-proxy, or direct, then your rules will become a bit more complex, but all three routes should still be mutually exclusive:
>
> # green (and only green) traffic to auth-proxy
> # but exclude traffic that should go direct
> cache_peer_access auth-proxy deny meantToGoDirect
> cache_peer_access auth-proxy allow green
> cache_peer_access auth-proxy deny all
>
> # not green (and only not green) traffic to parent-proxy
> # but exclude traffic that should go direct
> cache_peer_access parent-proxy deny meantToGoDirect
> cache_peer_access parent-proxy deny green
> cache_peer_access parent-proxy allow all
>
> # traffic that should go direct (and only that traffic)
> # should always go direct
> always_direct allow meantToGoDirect
> always_direct deny all
>
> # traffic that should not go direct (and only that traffic)
> # should never go direct
> never_direct deny meantToGoDirect
> never_direct allow all
>
> Disclaimer: The above configuration snippets are not complete, are not tested, and can probably be reduced (some might say "simplified") if you prefer to rely on certain defaults. See also: nonhierarchical_direct.
>
> Once you get the above working for plain HTTP requests that have resolvable domain names as targets, please note that your listA ACL will not work for requests that have IP addresses, including some CONNECT requests that ask your Squid to tunnel HTTPS traffic. Your Squid may not get any such requests, but if it does, then your "green" and "meantToGoDirect" ACLs may need to be more complex than "dstdomain -n" and "dst".
>
>
> HTH,
>
> Alex.
> P.S. I would not call the second proxy "parent-proxy" because both of your proxies are configured as parent proxies.
>
>
>> # Recommended minimum configuration:
>> #
>>
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
>> acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
>> acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
>> acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
>> acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
>> acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
>> acl localnet src fc00::/7 # RFC 4193 local private network range
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> acl localdst dst 10.0.0.0/8 # RFC 1918 local private network (LAN)
>> acl localdst dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
>> acl localdst dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
>> acl localdst dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
>> acl localdst dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
>> acl localdst dst fc00::/7 # RFC 4193 local private network range
>> acl localdst dst fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> acl listA dstdomain -n domainA.com
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>>
>> cache_peer auth-proxy parent 3128 0 no-query default login=NEGOTIATE
>> cache_peer parent-proxy parent 3128 0 no-query default
>> cache_peer_access auth-proxy allow listA
>> cache_peer_access parent-proxy allow !localdst
>> never_direct deny localdst
>> never_direct allow all
>>
>> debug_options 44,10 11,20
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
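A way to check a rule set like the one in this thread before reloading Squid with it, as an added example that is not part of the thread and not Squid's own code: a small Python model of Squid's access-list evaluation, run over the quoted squid.conf, which reproduces the always_direct DENIED / never_direct DENIED (DIRECT_MAYBE) outcome the cache.log shows for www.google.com and contrasts it with the same rules once the "!" is dropped. The semantics assumed are: the first matching line wins, no match gives the opposite of the last line's action, and always_direct is checked before never_direct; the intranet host and address are constructed.

```python
# Added illustration (not Squid code, not from the thread): a model of how Squid
# evaluates always_direct / never_direct / cache_peer_access lists, applied to the
# quoted squid.conf.  Assumed semantics: first matching line wins; with no match
# the result is the opposite of the last line; always_direct is checked first, and
# when neither list allows, DIRECT_MAYBE leaves the route to the netdb heuristics.
import ipaddress

# ACL definitions taken from the quoted squid.conf (values of one name are ORed).
ACLS = {
    "localdst": ("dst", ["10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
                         "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10"]),
    "google": ("dstdomain", [".google.com"]),
    "all": ("all", []),
}


def acl_matches(name, request, acls=ACLS):
    """True if the named ACL matches request = {'host': ..., 'ip': ...}."""
    kind, values = acls[name]
    if kind == "all":
        return True
    if kind == "dst":  # destination IP inside one of the listed networks
        ip = ipaddress.ip_address(request["ip"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # ".google.com" covers the domain and its subdomains
        host = request["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(rules, request, acls=ACLS):
    """rules: [(action, [aclname, ...])]; a name prefixed with '!' is negated.
    Returns True for an 'allow' outcome and False for 'deny'."""
    for action, names in rules:
        line_hit = True
        for name in names:
            negated = name.startswith("!")
            matched = acl_matches(name.lstrip("!"), request, acls)
            if matched == negated:        # ACL did not match (or a negated one did)
                line_hit = False
                break
        if line_hit:
            return action == "allow"
    return rules[-1][0] != "allow"        # no line matched: opposite of the last line


def route(cfg, request):
    """Peer-selection outcome for one request under configuration cfg."""
    acls = cfg["acls"]
    always = evaluate(cfg["always_direct"], request, acls)
    never = evaluate(cfg["never_direct"], request, acls)
    if always:
        direct = "DIRECT_YES"
    elif never:
        direct = "DIRECT_NO"
    else:
        direct = "DIRECT_MAYBE"           # netdb decides; may differ between requests
    peers = [peer for peer, rules in cfg["cache_peer_access"].items()
             if evaluate(rules, request, acls)]
    return {"always_direct": always, "never_direct": never,
            "direct": direct, "peers": peers}


# The quoted configuration as posted (note the '!' in never_direct).
POSTED = {
    "acls": ACLS,
    "always_direct": [("allow", ["localdst"]), ("deny", ["all"])],
    "never_direct": [("deny", ["!localdst"]), ("allow", ["all"])],
    "cache_peer_access": {
        "authproxy.example.com": [("deny", ["localdst"]), ("allow", ["google"]),
                                  ("deny", ["all"])],
        "internetproxy.example.com": [("deny", ["localdst"]), ("deny", ["google"]),
                                      ("allow", ["all"])],
    },
}
# The same configuration with the '!' removed, as the reply suggests.
FIXED = dict(POSTED, never_direct=[("deny", ["localdst"]), ("allow", ["all"])])

# Constructed requests: the Google address is the one the quoted log resolved;
# the intranet host and address are made up for this illustration.
GOOGLE = {"host": "www.google.com", "ip": "172.217.23.100"}
INTRANET = {"host": "intranet.example.com", "ip": "10.20.1.5"}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        for req in (GOOGLE, INTRANET):
            print(label, req["host"], route(cfg, req))
```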