On Mon, 19 Jul 2004, Merton Campbell Crockett wrote:

>       acl GDAIS .gd-ais.com
>       never_direct allow !GDAIS

For clarity you should probably use

        never_direct deny GDAIS
        never_direct allow all

or maybe (depending on what it is you are doing)

        always_direct allow GDAIS

        never_direct allow all

> These were followed by state flags(?) for always_direct, never_direct, and 
> timeout.  One question that I have is what are the meanings of the states?
> 
>       always_direct = -1      always_direct = 0
>        never_direct = 1

These indicate the results of the always_direct & never_direct 
directives.

-1 == deny
0  == no access list configured (same as deny)
1  == allow

>             timeout = 1             timeout = 0

And this indicates that among the ICP peers it had available to forward 
the request to, there was at least one timeout.

> What is the interaction between 'cache_peer_domain' and 'never_direct'?

None really.

cache_peer_domain (or preferably cache_peer_access) controls what requests 
MAY be sent to a specific peer. Default is that all requests may be sent 
to the peer.

never_direct tells what requests Squid MUST (allow) or MAY (deny) send to 
a cache_peer from the peers where cache_peer_access (or _domain) allows 
the request to be forwarded. Default is deny (MAY send requests to peers, 
direct otherwise).

always_direct tells what requests Squid MUST (allow) or MAY (deny) send 
directly to the origin server. Default is deny (MAY send requests 
directly, if not sent to a peer).

> I had, apparently, implemented something similar to 'never_direct' years
> ago using 'cache_peer_domain'.  This defined which Squid proxy server
> should be used to access content on our internal WAN and appears to
> create a conflict with 'never_direct'.

You cannot implement never_direct-like functionality with 
cache_peer_domain, only always_direct-like functionality.

  always_direct allow

is the same as denying the request to be forwarded to any peer and not 
enforcing peer forwarding by never_direct allow.

> Finally, do the rules for origin servers also apply to Squid proxies?

Which rules?

> The error messages displayed in the browser seem to indicate that is
> the case.

The error displayed in response to "Failed to select source"? This is just 
stating the fact that your configuration does not allow this request to be 
sent directly to the origin server (never_direct allow), and none of the 
peers is capable or allowed to forward the request.

Regards
Henrik
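
The selection rules described in the message above, as an added example that is not part of the original post and is not Squid's own code. It is a simplified model: the `Peer` class, `select_source` and the peer names are hypothetical, and always_direct is assumed to be evaluated before never_direct.

```python
# Simplified model of the forwarding rules described in the message above.
# Not Squid source code; all names here are illustrative assumptions.
from dataclasses import dataclass

DENY, UNSET, ALLOW = -1, 0, 1   # state values as shown in the debug output


@dataclass
class Peer:
    name: str
    access_allowed: bool   # outcome of cache_peer_access / cache_peer_domain
    alive: bool = True     # False models a peer that timed out or is down


def select_source(always_direct: int, never_direct: int, peers: list) -> str:
    """Return 'DIRECT', 'PEER:<name>' or 'FAIL' for one request."""
    # 0 (no access list configured) is treated the same as deny.
    must_direct = always_direct == ALLOW
    must_peer = never_direct == ALLOW

    if must_direct:
        # always_direct allow: no peer is considered at all.
        return "DIRECT"

    # Only peers that are permitted for this request and responding count.
    usable = [p for p in peers if p.access_allowed and p.alive]
    if usable:
        return f"PEER:{usable[0].name}"

    # No usable peer: going direct is only permitted when never_direct
    # did not match; otherwise this is "Failed to select source".
    return "FAIL" if must_peer else "DIRECT"


def demo() -> dict:
    # Constructed sample: one peer not permitted, one permitted but down.
    wan = Peer("wan-proxy", access_allowed=False)
    inet = Peer("inet-proxy", access_allowed=True, alive=False)
    return {
        "always_direct allow": select_source(ALLOW, DENY, [wan, inet]),
        "never_direct allow, no usable peer": select_source(UNSET, ALLOW, [wan, inet]),
        "no rules matched": select_source(UNSET, UNSET, [wan, inet]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```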
