[squid-users] Re: Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
> So the behaviour you are seeing looks more like a bug in always_direct processing.

Which might be specific to the squid version OR the squid.conf in use. I have several squids of different versions with cache_peer in production. The config needs to be different:

2.7:
hierarchy_stoplist cgi-bin ?
always_direct deny fwd_youtube    #So it might depend upon usage/type of ACL
never_direct allow fwd_youtube    #Needs both

3.3.11:
hierarchy_stoplist cgi-bin ?
never_direct allow all
is sufficient.

3.4.5:
hierarchy_stoplist cgi-bin ?
never_direct allow all
sufficient

Willing to do some more research on this one in case of getting some instructions what to look at (special debug ?)

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Question-to-cache-peer-tp416p464.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
Hassan definitely is correct. So, maybe you just use a working config before trying alternatives:

#ALL your ACL's first in squid.conf !
.
cache_peer xx.xx.xx.xx parent 6139 0 no-query no-digest no-netdb-exchange
never_direct allow all

If this does not work, pls post your squid.conf again, as there were a few other annoyances. Any special messages in cache.log ?
[squid-users] Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
babajaga augustus_me...@yahoo.de wrote on 04.07.2014 09:49:24:

> From: babajaga augustus_me...@yahoo.de
> To: squid-users@squid-cache.org
> Date: 04.07.2014 09:51
> Subject: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
>
> Hassan definitely is correct. So, may be you just use a working config before trying alternatives:
>
> #ALL your ACL's first in squid.conf !
> .
> cache_peer xx.xx.xx.xx parent 6139 0 no-query no-digest no-netdb-exchange
> never_direct allow all
>
> If this does not work, pls post your squid.conf again, as there were a few other annoyances. Any special messages in cache.log ?

Hi there,

I've taken these 2 lines at the end of the config, no impact!

My squid.conf

bgstproxyls01:~ # cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl snmppublic snmp_community squid
snmp_port 3401
snmp_incoming_address xxx.xxx.xxx.xxx
snmp_outgoing_address xxx.xxx.xxx.xxx
snmp_access allow all
client_db off
half_closed_clients off
via off
cache_mem 4096 MB
ipcache_size 2028
fqdncache_size 2048
hosts_file /etc/hosts
memory_pools off
maximum_object_size 50 MB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
buffered_logs on
#maximum_object_size 50 MB
dns_nameservers xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dns_nameservers xxx.xxx.xxx.xxx
# acl manager proto cache_object
# acl localhost src 127.0.0.1 # ::1
# acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 # ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# new
acl SSL method CONNECT
acl CONNECT method CONNECT

# allowed sites without Internet authorization
acl open-sites dstdomain /etc/squid/open-sites.txt
# allowed sites without Internet authorization

# forbidden sites
acl denied-sites url_regex /etc/squid/denied-sites.txt
acl selling-sites url_regex /etc/squid/selling-sites.txt
acl social-sites url_regex /etc/squid/social-sites.txt
# forbidden sites

acl allowedurls dstdomain /etc/squid/bypass.txt

external_acl_type LDAPLookup children-startup=10 children-idle=30 children-max=80 ttl=600 negative_ttl=30 %LOGIN /usr/sbin/ext_ldap_group_acl -d -b dc=behrgroup,dc=net -D CN=BGST-S-SQUID,OU=Service Accounts,OU=bgst,OU=de,DC=behrgroup,DC=net -W /etc/squid/ppp -f ((objectclass=user)(sAMAccountName=%v)(memberof:1.2.840.113556.1.4.1941:=CN=%a,OU=groups,OU=Proxy,OU=Global Groups,DC=behrgroup,dc=net)) -h xxx.xxx.xxx.xxx

## DEBUGGING
#debug_options 28,9

# local manager
http_access allow manager localhost
http_access deny manager

# only safe SSL from here on
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

deny_info http://bgstproxyls01/denied.html denied-sites

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=BEHRGROUP.NET
auth_param ntlm children 128
auth_param ntlm keep_alive off

# time control for India
acl indien proxy_auth external LDAPLookup GGPY-LO-Web-Time-Limited
acl DAY time 05:30-13:30
# time control for India

acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
acl auth proxy_auth REQUIRED
[squid-users] Re: Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
OK, then we will have a look at the ACL-decisions (often a problem) and the peer selection within squid, using

debug_options ALL,5 33,2 28,9 44,3

in squid.conf

This will produce a detailed log about ACL processing, and peer selection, which is the most interesting. It will cause a lot of output to cache.log, so only to use it for a short period of time. In cache.log then simply search for peer_select and have a look around, why the parent cache is not chosen.
[squid-users] Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
babajaga augustus_me...@yahoo.de wrote on 04.07.2014 11:06:24:

> From: babajaga augustus_me...@yahoo.de
> To: squid-users@squid-cache.org
> Date: 04.07.2014 11:08
> Subject: [squid-users] Re: Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
>
> OK, then we will have a look at the ACL-decisions (often a problem) and the peer selection within squid, using
>
> debug_options ALL,5 33,2 28,9 44,3
>
> in squid.conf
>
> This will produce a detailed log about ACL processing, and peer selection, which is the most interesting. It will cause a lot of output to cache.log, so only to use it for a short period of time. In cache.log then simply search for peer_select and have a look around, why the parent cache is not chosen.

Hi babajaga (What a name ;-)

log file looks fine:

2014/07/04 11:11:28.540 kid1| peer_select.cc(151) peerSelect: peerSelect: http://ecx.images-amazon.com/images/I/51F9heD9xiL._AC_AC_BR255_GR_SL50_.jpg
2014/07/04 11:11:28.540 kid1| peer_select.cc(435) peerSelectFoo: peerSelectFoo: 'GET ecx.images-amazon.com'
2014/07/04 11:11:28.540 kid1| peer_select.cc(446) peerSelectFoo: peerSelectFoo: direct = DIRECT_UNKNOWN (never_direct to be checked)
2014/07/04 11:11:28.540 kid1| peer_select.cc(184) peerCheckNeverDirectDone: peerCheckNeverDirectDone: ALLOWED
2014/07/04 11:11:28.540 kid1| peer_select.cc(190) peerCheckNeverDirectDone: direct = DIRECT_NO (never_direct allow)
2014/07/04 11:11:28.540 kid1| peer_select.cc(435) peerSelectFoo: peerSelectFoo: 'GET ecx.images-amazon.com'
2014/07/04 11:11:28.541 kid1| peer_select.cc(125) peerSelectIcpPing: peerSelectIcpPing: http://ecx.images-amazon.com/images/I/51F9heD9xiL._AC_AC_BR255_GR_SL50_.jpg
2014/07/04 11:11:28.541 kid1| peer_select.cc(136) peerSelectIcpPing: peerSelectIcpPing: counted 0 neighbors
2014/07/04 11:11:28.541 kid1| peer_select.cc(675) peerGetSomeParent: peerGetSomeParent: GET ecx.images-amazon.com
2014/07/04 11:11:28.541 kid1| peer_select.cc(699) peerGetSomeParent: peerSelect: FIRSTUP_PARENT/194.99.121.200
2014/07/04 11:11:28.541 kid1| peer_select.cc(724) peerGetAllParents: peerGetAllParents: adding alive parent 194.99.121.200
2014/07/04 11:11:28.541 kid1| peer_select.cc(265) peerSelectDnsPaths: Find IP destination for: http://ecx.images-amazon.com/images/I/51F9heD9xiL._AC_AC_BR255_GR_SL50_.jpg' via 194.99.121.200
2014/07/04 11:11:28.541 kid1| peer_select.cc(265) peerSelectDnsPaths: Find IP destination for: http://ecx.images-amazon.com/images/I/51F9heD9xiL._AC_AC_BR255_GR_SL50_.jpg' via 194.99.121.200
2014/07/04 11:11:28.541 kid1| peer_select.cc(286) peerSelectDnsPaths: Found sources for 'http://ecx.images-amazon.com/images/I/51F9heD9xiL._AC_AC_BR255_GR_SL50_.jpg'
2014/07/04 11:11:28.541 kid1| peer_select.cc(287) peerSelectDnsPaths: always_direct = DENIED
2014/07/04 11:11:28.541 kid1| peer_select.cc(288) peerSelectDnsPaths: never_direct = ALLOWED
2014/07/04 11:11:28.541 kid1| peer_select.cc(298) peerSelectDnsPaths: cache_peer = local=0.0.0.0 remote=194.99.121.200:3128 flags=1
2014/07/04 11:11:28.541 kid1| peer_select.cc(298) peerSelectDnsPaths: cache_peer = local=0.0.0.0 remote=194.99.121.200:3128 flags=1
2014/07/04 11:11:28.541 kid1| peer_select.cc(301) peerSelectDnsPaths: timedout = 0
2014/07/04 11:11:28.541 kid1| peer_select.cc(94) ~ps_state: http://ecx.images-amazon.com/images/I/51F9heD9xiL._AC_AC_BR255_GR_SL50_.jpg
2014/07/04 11:11:28.563 kid1| peer_select.cc(151) peerSelect: peerSelect:
2014/07/04 11:11:28.598 kid1| peer_select.cc(446) peerSelectFoo: peerSelectFoo: direct = DIRECT_UNKNOWN (never_direct to be checked)
2014/07/04 11:11:28.598 kid1| peer_select.cc(184) peerCheckNeverDirectDone: peerCheckNeverDirectDone: ALLOWED
2014/07/04 11:11:28.598 kid1| peer_select.cc(190) peerCheckNeverDirectDone: direct = DIRECT_NO (never_direct allow)
2014/07/04 11:11:28.598 kid1| peer_select.cc(435) peerSelectFoo: peerSelectFoo: 'GET gdecz.hit.gemius.pl'
2014/07/04 11:11:28.598 kid1| peer_select.cc(125) peerSelectIcpPing: peerSelectIcpPing: http://gdecz.hit.gemius.pl/gdejs/inscreen_lib.js
2014/07/04 11:11:28.598 kid1| peer_select.cc(136) peerSelectIcpPing: peerSelectIcpPing: counted 0 neighbors
2014/07/04 11:11:28.598 kid1| peer_select.cc(675) peerGetSomeParent: peerGetSomeParent: GET gdecz.hit.gemius.pl
2014/07/04 11:11:28.598 kid1| peer_select.cc(699) peerGetSomeParent: peerSelect: FIRSTUP_PARENT/194.99.121.200
2014/07/04 11:11:28.598 kid1| peer_select.cc(724) peerGetAllParents: peerGetAllParents: adding alive parent 194.99.121.200
2014/07/04 11:11:28.598 kid1| peer_select.cc(265) peerSelectDnsPaths: Find IP destination for: http://gdecz.hit.gemius.pl/gdejs/inscreen_lib.js' via 194.99.121.200
2014/07/04 11:11:28.598 kid1| peer_select.cc(265) peerSelectDnsPaths: Find IP
[squid-users] Re: Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
So squid is exactly doing, what you are asking for:

cache_peer = local=0.0.0.0 remote=194.99.121.200:3128 flags=1

But probably, this is not what you want, as it is the public IP on the web, the request is forwarded to. So you most likely should use an internal/local IP of your peer here, OR there is a problem with your routing.

BTW: babajaga is a Russian witch. Sort of.
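Added example, not part of the original thread: a small Python parser for the peerSelectDnsPaths lines that the debug_options setting suggested earlier in this thread writes to cache.log. It lists requests that were given a DIRECT destination and parent addresses that are not in a private range. The sample log is constructed, the "DIRECT =" line format is an assumption (the log posted in the thread only shows "cache_peer ="), and the function names are hypothetical.

```python
import re
from ipaddress import ip_address

# Constructed sample in the peerSelectDnsPaths format quoted in this thread.
# The "DIRECT =" line (and its source line number) is an assumed format.
SAMPLE_LOG = """\
2014/07/04 11:11:28.541 kid1| peer_select.cc(286) peerSelectDnsPaths: Found sources for 'http://a.example/x.jpg'
2014/07/04 11:11:28.541 kid1| peer_select.cc(287) peerSelectDnsPaths: always_direct = DENIED
2014/07/04 11:11:28.541 kid1| peer_select.cc(288) peerSelectDnsPaths: never_direct = ALLOWED
2014/07/04 11:11:28.541 kid1| peer_select.cc(298) peerSelectDnsPaths: cache_peer = local=0.0.0.0 remote=194.99.121.200:3128 flags=1
2014/07/04 11:11:29.102 kid1| peer_select.cc(286) peerSelectDnsPaths: Found sources for 'http://b.example/y.js'
2014/07/04 11:11:29.102 kid1| peer_select.cc(287) peerSelectDnsPaths: always_direct = ALLOWED
2014/07/04 11:11:29.102 kid1| peer_select.cc(288) peerSelectDnsPaths: never_direct = DENIED
2014/07/04 11:11:29.102 kid1| peer_select.cc(296) peerSelectDnsPaths: DIRECT = local=0.0.0.0 remote=203.0.113.7:80 flags=1
"""

MSG = re.compile(r"peer_select\.cc\(\d+\) peerSelectDnsPaths:\s*(.*)$")
FIELD = re.compile(r"(always_direct|never_direct|cache_peer|DIRECT)\s*=\s*(\S.*)$")
REMOTE = re.compile(r"remote=(\S+):\d+")

def parse_decisions(text):
    """Return one dict per request: URL, ACL verdicts, chosen destinations."""
    decisions, cur = [], None
    for line in text.splitlines():
        if not (m := MSG.search(line)):
            continue
        msg = m.group(1)
        if msg.startswith("Found sources for"):
            cur = {"url": msg.partition("'")[2].rstrip("'"), "paths": []}
            decisions.append(cur)
        elif cur is not None and (f := FIELD.match(msg)):
            key, value = f.groups()
            if key in ("always_direct", "never_direct"):
                cur[key] = value
            elif (r := REMOTE.search(value)):
                cur["paths"].append((key, r.group(1).strip("[]")))
    return decisions

def bypassed_parent(decisions):
    """URLs with a DIRECT destination, i.e. not forced through the parent."""
    return [d["url"] for d in decisions if any(k == "DIRECT" for k, _ in d["paths"])]

def public_peers(decisions):
    """cache_peer addresses outside private ranges (the concern raised above)."""
    peers = {a for d in decisions for k, a in d["paths"] if k == "cache_peer"}
    return sorted(a for a in peers if not ip_address(a).is_private)

if __name__ == "__main__":
    print(bypassed_parent(parse_decisions(SAMPLE_LOG)), public_peers(parse_decisions(SAMPLE_LOG)))
```

On a real cache.log, read the file and pass its text to parse_decisions; lines from other debug sections are ignored.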
[squid-users] Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
babajaga augustus_me...@yahoo.de wrote on 04.07.2014 11:54:04:

> From: babajaga augustus_me...@yahoo.de
> To: squid-users@squid-cache.org
> Date: 04.07.2014 11:55
> Subject: [squid-users] Re: Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
>
> So squid is exactly doing, what you are asking for:
>
> cache_peer = local=0.0.0.0 remote=194.99.121.200:3128 flags=1
>
> But probably, this is not what you want, as it is the public IP on the web, the request is forwarded to. So you most likely should use an internal/local IP of your peer here, OR there is a problem with your routing.
>
> BTW: babajaga is a Russian witch. Sort of.

Hi babajaga

the answer to my problem is:

always_direct deny all
never_direct allow all

So, now all traffic is forwarded to the parent. Thank you for your help !!

Kind regards
Mr. Andreas Reschke
andreas.resc...@mahle.com, http://www.mahle.com
Re: [squid-users] Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
On 2014-07-05 00:12, andreas.resc...@mahle.com wrote:
> Hi babajaga
>
> the answer to my problem is:
>
> always_direct deny all
> never_direct allow all

Also remove hierarchy_stoplist

Amos
Re: [squid-users] Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
Hi Amos,

Should the wiki article http://wiki.squid-cache.org/Features/CacheHierarchy be updated so that the never_direct allow all is preceded by always_direct deny all?

Regards
HASSAN

On Fri, Jul 4, 2014 at 6:47 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 2014-07-05 00:12, andreas.resc...@mahle.com wrote:
>> Hi babajaga
>>
>> the answer to my problem is:
>>
>> always_direct deny all
>> never_direct allow all
>
> Also remove hierarchy_stoplist
>
> Amos
Re: [squid-users] Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: [squid-users] Re: Antwort: Re: [squid-users] Question to cache_peer
On 2014-07-05 00:56, Nyamul Hassan wrote:
> Hi Amos,
>
> Should the wiki article http://wiki.squid-cache.org/Features/CacheHierarchy be updated so that the never_direct allow all is preceded by always_direct deny all?

The default for always_direct is to drop through and obey never_direct. There may be a bug in your particular version if you need to set always_direct at all.

You do need to remove hierarchy_stoplist and correctly set nonhierarchical_direct though. The wiki page is not quite making that clear. They should result in errors with never_direct deny all rather than going direct though. So the behaviour you are seeing looks more like a bug in always_direct processing.

Amos

> Regards
> HASSAN
>
> On Fri, Jul 4, 2014 at 6:47 PM, Amos Jeffries squ...@treenet.co.nz wrote:
>> On 2014-07-05 00:12, andreas.resc...@mahle.com wrote:
>>> Hi babajaga
>>>
>>> the answer to my problem is:
>>>
>>> always_direct deny all
>>> never_direct allow all
>>
>> Also remove hierarchy_stoplist
>>
>> Amos