[squid-users] Problems with Active Sync over squid with basic auth. Any successful config for Active Sync and Outlook Anywhere on Exchange 2010 replacing an ISA server?
Is anyone using squid successfully as a reverse proxy for Outlook Anywhere (RPC over https) and Active Sync for an Exchange 2010?

Trying to use squid 3.2.0.13 to replace an ISA server forwarding RPC over https for Outlook Anywhere and Active Sync for Outlook mobile devices like Android and iPhone, I had some success, but problems with some Active Sync clients are still a show stopper. RPC over https works fine with that squid version.

The problem is the very first http OPTIONS request for Active Sync, which is using http Basic Authentication from an Android with TouchDown as client app. The cache.log shows the following request and response:

Mobile sending:

OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
Connection: keep-alive
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxx==
Content-Length: 0
Host: webmail.domain.com

Squid sending to IIS (Basic dGV... is the same as above):

OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxx==
Content-Length: 0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com=Surrogate/1.0
Cache-Control: max-age=259200
Connection: keep-alive

IIS responding:

HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm=webmail.domain.com
X-Powered-By: ASP.NET
Date: Wed, 18 Jan 2012 14:38:32 GMT
Content-Length: 1344

There the connection is closed by the client. Maybe the headers added by squid are not accepted by IIS? Is there any parameter to disable adding Surrogate-Capability, Cache-Control and Connection to the forwarded request?

/opt/squid32/sbin/squid -v
Squid Cache: Version 3.2.0.13
configure options: '--prefix=/opt/squid32' '--enable-ssl'

squid.conf:

cache_effective_user squidext
cache_effective_group squidext
pid_filename /var/run/squidext.pid
acl srcall src all
acl EXCH dstdomain webmail.domain.com
ssl_unclean_shutdown on
httpd_suppress_version_string on
cache_mgr noemailaddress
visible_hostname webmail.domain.com

# Internet connector
https_port 172.17.200.25:443 accel cert=/etc/ssl/certs/webmail.domain.com.pem \
  key=/etc/ssl/certs/webmail.domain.com.pem defaultsite=webmail.domain.com

# destination server (IIS for Exchange)
cache_peer 192.168.100.24 parent 443 0 \
  ssl sslflags=DONT_VERIFY_PEER \
  sslcert=/etc/ssl/certs/webmail.domain.com.pem sslkey=/etc/ssl/certs/webmail.domain.com.pem \
  proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver \
  login=PASSTHRU name=exchange forceddomain=webmail.domain.com

debug_options ALL,2
logformat combined %>a %[ui %[un [%tl] %rm %ru HTTP/%rv %>Hs %<st %{Referer}>h %{User-Agent}>h %Ss:%Sh
access_log stdio:/var/log/squidext/access.log combined
cache_log /var/log/squidext/cache.log

never_direct allow EXCH
http_access allow EXCH
http_access deny srcall
cache_peer_access exchange allow EXCH
cache_peer_access exchange deny srcall

via off
forwarded_for transparent
#eof
Re: [squid-users] Problems with Active Sync over squid with basic auth. Any successful config for Active Sync and Outlook Anywhere on Exchange 2010 replacing an ISA server?
On 19/01/2012 10:13 p.m., Isenberg, Holger wrote:
> Is anyone using squid successfully as a reverse proxy for Outlook Anywhere (RPC over https) and Active Sync for an Exchange 2010?
>
> Trying to use squid 3.2.0.13 to replace an ISA server forwarding RPC over https for Outlook Anywhere and Active Sync for Outlook mobile devices like Android and iPhone, I had some success, but problems with some Active Sync clients are still a show stopper. RPC over https works fine with that squid version.
>
> The problem is the very first http OPTIONS request for Active Sync, which is using http Basic Authentication from an Android with TouchDown as client app. The cache.log shows the following request and response:
>
> Mobile sending:
>
> OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
> User-Agent: TouchDown(MSRPC)/7.1.00012/
> TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
> Connection: keep-alive
> X-MS-PolicyKey: 0
> MS-ASProtocolVersion: 2.5
> Authorization: Basic dGVxx==
> Content-Length: 0
> Host: webmail.domain.com
>
> Squid sending to IIS (Basic dGV... is the same as above):
>
> OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
> User-Agent: TouchDown(MSRPC)/7.1.00012/
> TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
> X-MS-PolicyKey: 0
> MS-ASProtocolVersion: 2.5
> Authorization: Basic dGVxxx==
> Content-Length: 0
> Host: webmail.domain.com
> Surrogate-Capability: webmail.domain.com=Surrogate/1.0
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> IIS responding:
>
> HTTP/1.1 401 Unauthorized
> Content-Type: text/html
> Server: Microsoft-IIS/7.5
> WWW-Authenticate: Basic realm=webmail.domain.com
> X-Powered-By: ASP.NET
> Date: Wed, 18 Jan 2012 14:38:32 GMT
> Content-Length: 1344
>
> There the connection is closed by the client. Maybe the headers added by squid are not accepted by IIS? Is there any parameter to disable adding Surrogate-Capability, Cache-Control and Connection to the forwarded request?

401 status means the header not being accepted is the Authorization: header.

Connection is unchanged from what was passed to Squid, just re-positioned.

Surrogate-Capability is a bit new, yes, but HTTP requires ignoring unsupported headers. IIS would be incapable of performing regular HTTP traffic if it were that sensitive to unknown headers coming from clients. Weird stuff is the norm rather than the exception in HTTP.

To debug further you can try opening a connection to IIS with telnet and send variations of those headers to it cut-n-paste style. Or use the squidclient tool to tailor the request particulars.

Amos
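The header comparison Amos suggests doing by hand can be scripted: the following is an added example (not code from the thread or from Squid) that diffs the phone's OPTIONS request against the copy Squid forwarded, reporting added, removed, changed and merely re-positioned headers. The captures are re-typed from the post; the Authorization value is a constructed placeholder.

```python
"""Diff the ActiveSync OPTIONS request as the phone sent it against the copy
Squid forwarded to IIS, to see exactly what the proxy added, changed or moved.

Added example for the thread above, not code from the thread or from Squid.
The two captures are re-typed from the post; the Authorization value is a
constructed placeholder because the real one is not on the page.
"""
from difflib import SequenceMatcher

CLIENT_REQUEST = """\
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
Connection: keep-alive
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic PLACEHOLDER==
Content-Length: 0
Host: webmail.domain.com
"""

FORWARDED_REQUEST = """\
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic PLACEHOLDER==
Content-Length: 0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com=Surrogate/1.0
Cache-Control: max-age=259200
Connection: keep-alive
"""


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (request_line, [(name, value), ...]).

    Names are lower-cased (HTTP field names are case-insensitive); the original
    order is kept so that moved headers can be told apart from changed ones.
    """
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    headers = []
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def diff_requests(client_raw, forwarded_raw):
    """Report what the proxy did to the request on its way through.

    Returns a dict with the request-line equality and sorted lists of header
    names that were added, removed, changed in value, or merely re-positioned.
    """
    cl_line, cl_hdrs = parse_request(client_raw)
    fw_line, fw_hdrs = parse_request(forwarded_raw)
    cl, fw = dict(cl_hdrs), dict(fw_hdrs)
    common = set(cl) & set(fw)
    # Re-positioned = common headers that fall outside the longest matching
    # runs of the two orderings; inserting new headers does not count as a move.
    cl_order = [n for n, _ in cl_hdrs if n in common]
    fw_order = [n for n, _ in fw_hdrs if n in common]
    kept_in_place = set()
    for a, _, size in SequenceMatcher(None, cl_order, fw_order).get_matching_blocks():
        kept_in_place.update(cl_order[a:a + size])
    return {
        "request_line_same": cl_line == fw_line,
        "added": sorted(set(fw) - set(cl)),
        "removed": sorted(set(cl) - set(fw)),
        "changed": sorted(n for n in common if cl[n] != fw[n]),
        "reordered": sorted(n for n in common if cl[n] == fw[n] and n not in kept_in_place),
    }


if __name__ == "__main__":
    for key, val in diff_requests(CLIENT_REQUEST, FORWARDED_REQUEST).items():
        print(f"{key}: {val}")
```

On the thread's captures the only header that moved is Connection, and the only additions are Surrogate-Capability and Cache-Control; Authorization reaches IIS unchanged, which is why the 401 cannot be blamed on the proxy stripping it.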
[squid-users] Squid workers bug
Hi,

When using squid 3.2.0.14, configured with 4 workers, I can see a segfault from one of the workers (don't know why currently).

squid3[6832]: segfault at 7fff4b271ff8 ip 005bb7e1 sp 7fff4b272000 error 6 in squid3[40+3c8000]

Logs are full of:

2012/01/19 06:26:07 kid3| varyEvaluateMatch: Oops. Not a Vary object on second attempt, 'http://www.lefigaro.fr/scripts/FigaroTools.js?20110728' 'accept-encoding=gzip,%20deflate'
2012/01/19 06:26:07 kid3| clientProcessHit: Vary object loop!

I would have expected that the squid coordinator restarts the faulty worker, but it doesn't happen. I can't see anything in the log regarding that.

Is there a way to properly restart a worker? And what can I do to debug a faulty worker?

Regards.

--
Jean-Philippe Menil - Pôle réseau
Service IRTS
DSI Université de Nantes
jean-philippe.me...@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09
RE: [squid-users] Problems with Active Sync over squid with basic auth. Any successful config for Active Sync and Outlook Anywhere on Exchange 2010 replacing an ISA server?
Using 3.1.18 now, with login=PASS instead and connection-auth=on added, both in cache_peer, Active Sync can be used now.

cache_peer 192.168.100.24 parent 443 0 \
  ssl sslflags=DONT_VERIFY_PEER \
  sslcert=/etc/ssl/certs/webmail.domain.com.pem sslkey=/etc/ssl/certs/webmail.domain.com.pem \
  proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver \
  login=PASS connection-auth=on name=exchange forceddomain=webmail.domain.com

I'll reply again in a few days, if this configuration is stable...

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, January 19, 2012 11:13 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Problems with Active Sync over squid with basic auth. Any successful config for Active Sync and Outlook Anywhere on Exchange 2010 replacing an ISA server?

401 status means the header not being accepted is the Authorization: header.

Connection is unchanged from what was passed to Squid, just re-positioned.

Surrogate-Capability is a bit new, yes, but HTTP requires ignoring unsupported headers. IIS would be incapable of performing regular HTTP traffic if it were that sensitive to unknown headers coming from clients. Weird stuff is the norm rather than the exception in HTTP.

To debug further you can try opening a connection to IIS with telnet and send variations of those headers to it cut-n-paste style. Or use the squidclient tool to tailor the request particulars.

Amos
[squid-users] clientTryParseRequest: FD 12 Invalid Request | TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html | GET error:invalid-request
Hi All,

I have been configuring a new Squid server today. The original configuration (without TProxy) worked fine: DNAT from port 80 to 3128 at the squid server.

The source server is where end-users establish a connection, the Squid server is 10.10.10.1 and the client in question is 10.10.10.100.

SOURCE SERVER:

iptables -t nat -N cache >/dev/null 2>&1
iptables -t nat -F cache
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
iptables -t nat -N cache_users >/dev/null 2>&1
iptables -t nat -F cache_users
iptables -t nat -A PREROUTING -j cache_users
iptables -t nat -A cache_users -s 10.10.10.100 -j cache
iptables -t nat -L cache -nvx

Now I wanted to use TProxy (so that the client address is shown rather than the squid server ip) - I made the following changes:

SQUID SERVER

Debian Squeeze 2.6.32-5-xen-amd64 + squid-2.7.STABLE9 + squid-2.7s9-tproxy-4.patch

./configure --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid --srcdir=. --datadir=${prefix}/share/squid --sysconfdir=/etc/squid --enable-linux-netfilter --enable-linux-tproxy

http_port 3128
http_port 3129 tproxy

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

AND TO THE SOURCE SERVER:

FROM:
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
TO:
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:80

Now the redirection is working... But all the requests are producing an error, invalid get request...

==> /var/log/squid/cache.log <==
2012/01/19 15:35:46| clientTryParseRequest: FD 12 (10.10.10.100:58640) Invalid Request

==> /var/log/squid/access.log <==
1326987346.801 0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html

==> /var/log/squid/store.log <==
1326987346.801 RELEASE -1 45B97B27006C6BC283B7EC45B6A1A89C 400 1326987346 -1 -1 text/html 1820/1820 GET error:invalid-request

Error displayed in browser:

ERROR
The requested URL could not be retrieved

While trying to process the request:

GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition United States Local; en) Presto/2.10.229 Version/11.60
Host: google.co.uk
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate
Cookie: NID=55=nLRCbUnrM3C7dIaU0ZMwmU4sN89GspazHRw8hQfw8aPn-DoDA4HgTfiLubioA26TMXvjxdNRQqjNwtMsgy0PykVn1F0AqVEl5VQTuB-UNrT1Od9FNHefLUFn62bKTxDd; PREF=ID=2bc21a6253c0a51e:U=121832e3827d293d:FF=0:TM=1326808544:LM=1326808546:S=BIrQ44EQPGOaCNys
Connection: Keep-Alive

The following error was encountered:
Invalid Request

Some aspect of the HTTP Request is invalid. Possible problems:
- Missing or unknown request method
- Missing URL
- Missing HTTP Identifier (HTTP/1.0)
- Request is too large
- Content-Length missing for POST or PUT requests
- Illegal character in hostname; underscores are not allowed

Your cache administrator is webmaster.

Generated Thu, 19 Jan 2012 15:33:48 GMT by cache (squid/2.7.STABLE9)

Any input would be greatly appreciated.

Kind Regards,
Sam
[squid-users] Running squid out of the router/gateway
Hello *

I work at a small ISP. We give non-routable 172.16/12 IPs to most of our customers, and some of them buy public IPs from us. We have a squid box in the public segment of our network.

Until now we were NATing outgoing tcp/80 connections at the mikrotiks to the squid public ip (200.45.94.2). This worked quite well, but lately we have an issue with forwarding loops such as:

at cache.log

2011/11/20 15:15:09| WARNING: Forwarding loop detected for:
POST /versioncheck.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Content-Length: 75
Via: 1.0 powerweb.iaconecta.com (squid/3.1.12)
X-Forwarded-For: 200.45.94.7
Host: 200.45.94.2:31280
Cache-Control: max-age=259200
Connection: keep-alive

And at access.log

1324811063.537 4 200.45.94.2 TCP_MISS/400 69381 POST http://200.45.94.2:31280/versioncheck.asp - DIRECT/200.45.94.2 text/html
1324811063.538 6 200.45.94.2 TCP_MISS/400 69467 POST http://200.45.94.2:31280/versioncheck.asp - DIRECT/200.45.94.2 text/html
[]

Reading at the squid site, it looks like NATting outgoing connections to a squid running on another box is not a good idea.

Questions:
What is the suggested way to implement this scenario?
How can I get rid of the loop?

Thanks in advance.
Re: [squid-users] Running squid out of the router/gateway
On 2012-01-19 17:37, Sebastian muniz wrote:
> Reading at the squid site, it looks like NATting outgoing connections to a squid running on another box is not a good idea.
>
> Questions:
> What is the suggested way to implement this scenario?
> How can I get rid of the loop?
>
> Thanks in advance.

You might look at whether your routers support WCCP.

http://en.wikipedia.org/wiki/Web_Cache_Communication_Protocol

--
Message sent via my webmail account.
[squid-users] ufdbGuard v1.28 is out - check out the URL filter for Squid
ufdbGuard version 1.28 has been released on January 19, 2012.

ufdbGuard is a URL filter for Squid with the following features:
- filter web access based on rules for users, times, website category
- works with free and commercial URL databases
- can enforce SafeSearch for all major search engines
- prohibits the use of SSH tunnels, VPNs, Tor, UltraSurf et al.
- supports edufilter of YouTube
- detects all major chat applications that use HTTPS
- can enforce safer browsing for HTTPS sites
- multithreaded and very fast

ufdbGuard is Open Source Software and is free. It can be downloaded from http://sourceforge.net or http://www.urlfilterdb.com
[squid-users] Squid Sibling Proxy-Only Still Caching Locally
I am configuring squid caches to be siblings of each other and have gotten them to correctly communicate with each other from an ICP perspective, and have one of the caches (B) pull content from another cache (A) that already had the object cached, but it seems when it pulls this object that it ends up caching it locally. When a subsequent request is made to cache B, it is found right away, logs a TCP_HIT and returns the object. I would have expected that request to make an ICP request to A again and then retrieve it from it, but instead it was in its cache. I believe I verified this as well by looking on disk, and there is then an object which did not exist prior.

I thought by making the sibling proxy-only that would force it to never cache anything it received from a sibling, but it doesn't appear to be the case.

Thanks
Darren

Cache A Config (without logging configurations)

acl all src all
acl manager proto cache_object
debug_options ALL,1 33,2
cache_mem 4096 MB
http_port 10.208.129.40:8060 accel defaultsite=mysite.com vport=80
cache_peer parent.com parent 7779 0 no-query originserver name=myAccel
icp_port 3200
icp_access allow all
cache_peer myhost sibling 8061 3201 name=myhost8061 proxy-only
http_access allow all
cache_peer_access myAccel allow all
cache_peer_access myAccel deny all

Cache A Log

[01-18-2012:15:32:01] 1326922321.696 22 10.208.128.43 TCP_MISS/200 48646 GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:14] 1326922334.204 2 10.208.128.43 TCP_HIT/200 48657 GET joe.com/thumb.png - NONE/- image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:25] 1326922345.314 - 127.0.0.2 UDP_HIT/000 116 ICP_QUERY joe.com/thumb.png - NONE/- - PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-

Cache B Config (without logging configurations)

acl all src all
acl manager proto cache_object
debug_options ALL,1 33,2
cache_mem 4096 MB
http_port 10.208.129.40:8061 accel defaultsite=mysite.com vport=80
cache_peer trp0001-08.int.westgroup.com parent 7779 0 no-query originserver name=myAccel
icp_port 3201
icp_access allow all
cache_peer myhost sibling 8060 3200 name=myhost8060 proxy-only
http_access allow all
cache_peer_access myAccel allow all
cache_peer_access myAccel deny all

Cache B Log

[01-18-2012:15:32:01] 1326922321.674 - 127.0.0.2 UDP_MISS/000 116 ICP_QUERY joe.com/thumb.png - NONE/- - PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:25] 1326922345.354 40 10.208.128.43 TCP_MISS/200 48646 GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-19-2012:15:39:31] 1327009171.018 2 10.208.128.43 TCP_HIT/200 48658 GET joe.com/thumb.png - NONE/- image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
Re: [squid-users] Running squid out of the router/gateway
On Thu, 2012-01-19 at 14:37 -0300, Sebastian muniz wrote:
> Reading at the squid site, it looks like NATting outgoing connections to a squid running on another box is not a good idea.
>
> Questions:
> What is the suggested way to implement this scenario?
> How can I get rid of the loop?

I use this script to transparently proxy on a box that isn't the firewall, using a combination of iptables to set a mark and then iproute to change the default GW for packets with that mark set. The idea is that we first of all accept packets from the proxy so they don't get marked, and then we mark all packets going to port 80 and then redirect them to the proxy.

On the proxy host you will need to accept and redirect the packets to the squid port.

iptables -A PREROUTING -d 192.168.1.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

Transproxy script:

#!/bin/sh

cacheserver=192.168.1.2
cacheport=3128
wwwports=80
fwmark=3
routing_table=2
dev=br0

stop() {
    /sbin/ip rule del fwmark $fwmark table $routing_table
    /sbin/ip route del table $routing_table
    for port in $wwwports; do
        /sbin/iptables -t mangle -D PREROUTING -j ACCEPT -p tcp --dport $port -s $cacheserver
        /sbin/iptables -t mangle -D PREROUTING -j MARK --set-mark 3 -p tcp --dport $port
    done
}

start() {
    /sbin/ip rule add fwmark $fwmark table $routing_table
    /sbin/ip route add default via $cacheserver dev $dev table $routing_table
    for port in $wwwports; do
        /sbin/iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport $port -s $cacheserver
        /sbin/iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport $port
    done
}

case $1 in
    stop)
        stop
        ;;
    start)
        start
        ;;
    restart)
        stop
        start
        ;;
esac

--
Tim Fletcher t...@night-shade.org.uk
Re: [squid-users] Running squid out of the router/gateway
On 20/01/2012 1:11 p.m., Tim Fletcher wrote:
> On Thu, 2012-01-19 at 14:37 -0300, Sebastian muniz wrote:
>> Reading at the squid site, it looks like NATting outgoing connections to a squid running on another box is not a good idea.
>>
>> Questions:
>> What is the suggested way to implement this scenario?
>> How can I get rid of the loop?
>
> I use this script to transparently proxy on a box that isn't the firewall, using a combination of iptables to set a mark and then iproute to change the default GW for packets with that mark set. The idea is that we first of all accept packets from the proxy so they don't get marked, and then we mark all packets going to port 80 and then redirect them to the proxy.

Called policy routing and documented in the Squid wiki interception configs under that name.
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

> On the proxy host you will need to accept and redirect the packets to the squid port.
>
> iptables -A PREROUTING -d 192.168.1.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

You are missing -t nat on those rules.

Amos
Re: [squid-users] clientTryParseRequest: FD 12 Invalid Request | TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html | GET error:invalid-request
On 20/01/2012 6:02 a.m., Sam Beechey wrote:
> Hi All,
>
> I have been configuring a new Squid server today. The original configuration (without TProxy) worked fine: DNAT from port 80 to 3128 at the squid server.
>
> The source server is where end-users establish a connection, the Squid server is 10.10.10.1 and the client in question is 10.10.10.100.
>
> SOURCE SERVER:
>
> iptables -t nat -N cache >/dev/null 2>&1
> iptables -t nat -F cache
> iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
> iptables -t nat -N cache_users >/dev/null 2>&1
> iptables -t nat -F cache_users
> iptables -t nat -A PREROUTING -j cache_users
> iptables -t nat -A cache_users -s 10.10.10.100 -j cache
> iptables -t nat -L cache -nvx
>
> Now I wanted to use TProxy (so that the client address is shown rather than the squid server ip) - I made the following changes:
>
> SQUID SERVER
>
> Debian Squeeze 2.6.32-5-xen-amd64 + squid-2.7.STABLE9 + squid-2.7s9-tproxy-4.patch
>
> ./configure --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid --srcdir=. --datadir=${prefix}/share/squid --sysconfdir=/etc/squid --enable-linux-netfilter --enable-linux-tproxy
>
> http_port 3128
> http_port 3129 tproxy
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
>
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> AND TO THE SOURCE SERVER:
>
> FROM:
> iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
> TO:
> iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:80
>
> Now the redirection is working... But all the requests are producing an error, invalid get request...

NAT and TPROXY are mutually exclusive systems.

It is unclear whether this SOURCE SERVER is (a) the origin server providing the responses, or (b) a gateway server between the client and Squid.

If (a), then the NAT happening on S will be erasing the IP addresses set up by TPROXY on the packets. Destroying your idea of getting the client IP to show up anywhere, and bouncing the packets back to a Squid forward-proxy listening port which cannot handle origin server (reverse-proxy) formatted HTTP traffic.

If (b), then the NAT is erasing the server IP address which packet routing relies on to determine where the packet is going once it leaves Squid. Making the packets go straight back to a Squid forward-proxy listening port which cannot handle origin server (reverse-proxy) formatted HTTP traffic.

Either way results in:

  client --> ... --(TPROXY)--> Squid --> Squid:3128

> ==> /var/log/squid/cache.log <==
> 2012/01/19 15:35:46| clientTryParseRequest: FD 12 (10.10.10.100:58640) Invalid Request
>
> ==> /var/log/squid/access.log <==
> 1326987346.801 0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html

These NONE:// say that Squid received a GET request from client 10.10.10.100 and rejected it as invalid HTTP before even getting to identify the URL fully.

> ==> /var/log/squid/store.log <==
> 1326987346.801 RELEASE -1 45B97B27006C6BC283B7EC45B6A1A89C 400 1326987346 -1 -1 text/html 1820/1820 GET error:invalid-request
>
> Error displayed in browser:
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to process the request:
>
> GET / HTTP/1.1

The URL / is an origin server format relative URL, not the valid forward proxy absolute URL required by proxies. Squid cannot handle this arriving on port 3128.

Amos
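The distinction Amos draws between origin-server syntax ("GET / HTTP/1.1") and the absolute URL a forward-proxy port needs, as an added example (not Squid's parser): it classifies a request line by RFC 7230 request-target form and applies a simplified model of which http_port modes (forward, accel, intercept, tproxy) can use it; the defaultsite parameter mirrors the accel configs earlier in the digest.

```python
"""Classify an HTTP request line by its request-target form and decide whether a
Squid port in a given mode can use it. This is the distinction behind the
error:invalid-request above: 'GET / HTTP/1.1' is origin-server syntax, which a
plain forward-proxy port such as 3128 rejects, while an accel, intercept or
tproxy port completes it from Host, defaultsite or the intercepted destination.

Added example for the thread above, not Squid's parser: the form names follow
RFC 7230 section 5.3 and the port-mode rules are a simplified model of the
http_port modes (forward, accel, intercept, tproxy), not Squid's own logic.
"""
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def request_target_form(method, target):
    """Return the RFC 7230 request-target form of `target`.

    absolute-form  http://host[:port]/path  (what a forward proxy expects)
    origin-form    /path                    (what an origin server receives)
    authority-form host:port                (CONNECT only)
    asterisk-form  *                        (server-wide OPTIONS)
    """
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", target):
        return "absolute-form"
    if method == "CONNECT" and re.match(r"^[^/:\s]+:\d+$", target):
        return "authority-form"
    return "unknown"


def check_request(request_line, headers, port_mode, defaultsite=None):
    """Return (accepted, reason) for `request_line` arriving on a Squid port.

    port_mode:   'forward' (plain http_port), 'accel', 'intercept' or 'tproxy'.
    headers:     dict of the request's header fields (constructed by the caller).
    defaultsite: the accel port's defaultsite= value, if any.
    """
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False, "malformed request line"
    method, target, _major, _minor = m.groups()
    form = request_target_form(method, target)
    has_host = any(k.lower() == "host" for k in headers)
    if form == "unknown":
        return False, "request-target matches no known form"
    if port_mode == "forward":
        if form in ("absolute-form", "authority-form"):
            return True, f"{form} is what a forward-proxy port expects"
        return False, (f"{form} target {target!r} is origin-server syntax; a plain "
                       "forward-proxy port needs an absolute URL (error:invalid-request)")
    # accel / intercept / tproxy ports carry origin-server style traffic: the
    # relative path is completed from Host, defaultsite or the intercepted destination.
    if form == "origin-form":
        if has_host or defaultsite or port_mode in ("intercept", "tproxy"):
            return True, f"{form} completed from Host/defaultsite/destination on {port_mode} port"
        return False, f"{form} without Host header cannot be completed on accel port"
    if form == "absolute-form":
        return True, f"{form} is also usable on {port_mode} port"
    return False, f"{form} is not expected on {port_mode} port"


if __name__ == "__main__":
    # Constructed from the request shown in the error page quoted above.
    hdrs = {"Host": "google.co.uk", "Connection": "Keep-Alive"}
    for mode in ("forward", "tproxy", "accel"):
        print(mode, check_request("GET / HTTP/1.1", hdrs, mode))
    print("forward", check_request("GET http://google.co.uk/ HTTP/1.1", hdrs, "forward"))
```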
Re: [squid-users] Squid Sibling Proxy-Only Still Caching Locally
On 20/01/2012 10:41 a.m., darren.trzy...@thomsonreuters.com wrote:
> I am configuring squid caches to be siblings of each other and have gotten them to correctly communicate with each other from an ICP perspective, and have one of the caches (B) pull content from another cache (A) that already had the object cached, but it seems when it pulls this object that it ends up caching it locally. When a subsequent request is made to cache B, it is found right away, logs a TCP_HIT and returns the object. I would have expected that request to make an ICP request to A again and then retrieve it from it, but instead it was in its cache. I believe I verified this as well by looking on disk, and there is then an object which did not exist prior.
>
> I thought by making the sibling proxy-only that would force it to never cache anything it received from a sibling, but it doesn't appear to be the case.
>
> Thanks
> Darren
>
> Cache A Config (without logging configurations)
>
> acl all src all
> acl manager proto cache_object
> debug_options ALL,1 33,2
> cache_mem 4096 MB
> http_port 10.208.129.40:8060 accel defaultsite=mysite.com vport=80
> cache_peer parent.com parent 7779 0 no-query originserver name=myAccel
> icp_port 3200
> icp_access allow all
> cache_peer myhost sibling 8061 3201 name=myhost8061 proxy-only
> http_access allow all
> cache_peer_access myAccel allow all
> cache_peer_access myAccel deny all
>
> Cache A Log
>
> [01-18-2012:15:32:01] 1326922321.696 22 10.208.128.43 TCP_MISS/200 48646 GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-

Note the *PARENT* is source. Not the sibling.

> [01-18-2012:15:32:14] 1326922334.204 2 10.208.128.43 TCP_HIT/200 48657 GET joe.com/thumb.png - NONE/- image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
> [01-18-2012:15:32:25] 1326922345.314 - 127.0.0.2 UDP_HIT/000 116 ICP_QUERY joe.com/thumb.png - NONE/- - PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-

Note this last lookup was a UDP_HIT. But the sibling fetch which should have followed it is not listed.

> Cache B Config (without logging configurations)
>
> acl all src all
> acl manager proto cache_object
> debug_options ALL,1 33,2
> cache_mem 4096 MB
> http_port 10.208.129.40:8061 accel defaultsite=mysite.com vport=80
> cache_peer trp0001-08.int.westgroup.com parent 7779 0 no-query originserver name=myAccel
> icp_port 3201
> icp_access allow all
> cache_peer myhost sibling 8060 3200 name=myhost8060 proxy-only
> http_access allow all
> cache_peer_access myAccel allow all
> cache_peer_access myAccel deny all
>
> Cache B Log
>
> [01-18-2012:15:32:01] 1326922321.674 - 127.0.0.2 UDP_MISS/000 116 ICP_QUERY joe.com/thumb.png - NONE/- - PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
> [01-18-2012:15:32:25] 1326922345.354 40 10.208.128.43 TCP_MISS/200 48646 GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-

Note the *PARENT* is the source, not the sibling.

Also, note the two requests above are completely unrelated to each other. The first is cacheB denying a sibling probe from cacheA. The second is cacheB serving an HTTP request from some client at 10.208.128.43.

Amos
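Amos's reading of the two logs (the UDP_HIT on A, then a TCP_MISS on B served by FIRST_UP_PARENT rather than the sibling) can be checked mechanically. The following is an added example, not Squid's tooling, that parses the access.log extracts from the post and flags sibling ICP hits that the local cache did not use; the only assumption is that a hierarchy code containing SIBLING (Squid's SIBLING_HIT family) marks a genuine sibling fetch.

```python
"""Walk the two siblings' access.log extracts from the thread and report, per
URL, where each HTTP response actually came from, so that a TCP_MISS served by
FIRST_UP_PARENT right after the sibling answered UDP_HIT stands out.

Added example for the thread above, not Squid's own tooling. The log lines are
copied from the post (the trailing PRODUCT:/BU:/... fields come from a custom
logformat and are ignored). FIRST_UP_PARENT, SIBLING_HIT and NONE are Squid's
standard hierarchy codes; the SIBLING substring test is this example's choice.
"""
from collections import defaultdict, namedtuple

CACHE_A_LOG = """\
[01-18-2012:15:32:01] 1326922321.696 22 10.208.128.43 TCP_MISS/200 48646 GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:14] 1326922334.204 2 10.208.128.43 TCP_HIT/200 48657 GET joe.com/thumb.png - NONE/- image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:25] 1326922345.314 - 127.0.0.2 UDP_HIT/000 116 ICP_QUERY joe.com/thumb.png - NONE/- - PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
"""

CACHE_B_LOG = """\
[01-18-2012:15:32:01] 1326922321.674 - 127.0.0.2 UDP_MISS/000 116 ICP_QUERY joe.com/thumb.png - NONE/- - PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:25] 1326922345.354 40 10.208.128.43 TCP_MISS/200 48646 GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-19-2012:15:39:31] 1327009171.018 2 10.208.128.43 TCP_HIT/200 48658 GET joe.com/thumb.png - NONE/- image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
"""

Entry = namedtuple("Entry", "ts elapsed client result status size method url hier peer")


def parse_access_log(text):
    """Parse squid native-format access.log lines, optionally prefixed by a [date] tag."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0].startswith("["):          # drop the custom [MM-DD-YYYY:HH:MM:SS] prefix
            f = f[1:]
        result, _, status = f[3].partition("/")    # e.g. TCP_MISS/200, UDP_HIT/000
        hier, _, peer = f[8].partition("/")        # e.g. FIRST_UP_PARENT/myAccel, NONE/-
        entries.append(Entry(float(f[0]), f[1], f[2], result, int(status),
                             int(f[4]), f[5], f[6], hier, peer))
    return entries


def response_sources(entries):
    """Map each URL to the (result, hier, peer) of every HTTP (non-ICP) request for it."""
    sources = defaultdict(list)
    for e in entries:
        if e.method != "ICP_QUERY":
            sources[e.url].append((e.result, e.hier, e.peer))
    return dict(sources)


def unused_sibling_hits(sibling_entries, local_entries, window=1.0):
    """Find UDP_HITs the sibling answered that the local cache then did not use.

    For each UDP_HIT in the sibling's log, look for the local HTTP request for
    the same URL within `window` seconds afterwards. If that request was a
    TCP_MISS whose hierarchy code does not name a sibling, the object was
    fetched from a parent instead of the sibling that had it.
    """
    findings = []
    for hit in sibling_entries:
        if hit.method != "ICP_QUERY" or hit.result != "UDP_HIT":
            continue
        for local in local_entries:
            if (local.url == hit.url and local.method != "ICP_QUERY"
                    and 0 <= local.ts - hit.ts <= window
                    and local.result == "TCP_MISS" and "SIBLING" not in local.hier):
                findings.append((hit.url, local.hier, local.peer))
    return findings


if __name__ == "__main__":
    a = parse_access_log(CACHE_A_LOG)
    b = parse_access_log(CACHE_B_LOG)
    print("cache A sources:", response_sources(a))
    print("cache B sources:", response_sources(b))
    print("sibling hits B did not use:", unused_sibling_hits(a, b))
```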