Henrik Nordstrom wrote:


On Mon, 13 Dec 2004, Daniel Graupner wrote:

See Squid FAQ on how to use Squid inside a firewall.


I did, but in my testing environment there is no firewall at all. There is no firewall between cache, peer and hosts. Please give me more hints.


So your Squid which reported "Network unreachable" should be able to reach www.ibm.com without using any peer?

No, my squid is inside a local network so it can only reach webservers inside this network. To access the internet (e.g. ibm.com) it has to use a peer which is also inside the network.


Then this error indicates you have a basic network problem of some kind which prevents this Squid server from reaching the Internet proper. Quite likely missing routing.

Hmm, I don't think so. I'm able to reach ibm.com via squid and on the peer I see the query that squid made. But as soon as I have question marks in the URL, squid no longer queries the peer and tries to go direct, which fails.


I read in the handbook that squid only goes direct when the peer is assumed to be down. This should not happen with "default no-query" in the cache peer directive.

This is ONE case where Squid goes direct, the other is when using peers does not make sense in terms of hit ratio, and then there are also some other cases.

OK, I have to investigate why squid tries to go direct in my case.

If your Squid is inside a firewall and not permitted to go direct you MUST tell this to Squid as per the instructions in the Squid FAQ.

That's what I'm doing:

acl homedst dst 192.168.0.0/24 127.0.0.1
acl alldst dst 0.0.0.0/0.0.0.0
cache_peer 192.168.0.1 parent 8080 3130 default no-query
cache_peer_access 192.168.0.1 deny homedst
cache_peer_access 192.168.0.1 allow alldst

Squid goes direct on URLs with ? in them as it is instructed these URLs are not cacheable in the squid.conf shipped with Squid. See the no_cache directive, but note that it is more or less REQUIRED by the HTTP RFC to handle such URLs as uncacheable.

Yes, I have the (standard) no_cache directive in my squid.conf.

Squid does not log the query terms for security reasons, but it is only in the log where these are "missing". If you really want the query terms logged then see squid.conf.

K, I found the strip_query_terms directive, now it's clear. For this one has to read the default conf, it is not mentioned in the user guide nor the FAQ ;-(


If your Squid is not permitted to go direct then this must also be told, if not it assumes it is permitted to go direct when this would be "optimal" (in Squid's opinion).

OK, I thought the cache_peer_access directives told squid when to go direct...but they also seem to be a suggestion. With never_direct etc. it works for me.


I see, one has to be familiar with Inter-Cache-Communication to completely understand Squid's behaviour.
Thanks for your help, I should now be able to make it work.

Regards,
Daniel.
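
Added example, not part of the original message: a small Python check that flags a squid.conf which defines a parent peer but has no never_direct rule, the situation discussed in this thread. The sample configurations are constructed from the poster's lines; the always_direct/never_direct lines in AFTER are an assumed form of the fix, since the message does not show them.

```python
# Constructed sample: the poster's peer rules, with no never_direct line.
BEFORE = """\
acl homedst dst 192.168.0.0/24 127.0.0.1
acl alldst dst 0.0.0.0/0.0.0.0
cache_peer 192.168.0.1 parent 8080 3130 default no-query
cache_peer_access 192.168.0.1 deny homedst
cache_peer_access 192.168.0.1 allow alldst
"""

# Assumed fix (not shown in the message): reuse the poster's ACL names.
AFTER = BEFORE + """\
always_direct allow homedst
never_direct allow alldst
"""


def directives(conf):
    """Yield (name, args) for each non-blank, non-comment squid.conf line."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield name, args


def audit_direct_policy(conf):
    """Return findings when parents are defined but direct access is not forbidden."""
    parents, never_allow = [], []
    for name, args in directives(conf):
        if name == "cache_peer" and len(args) >= 2 and args[1] == "parent":
            parents.append(args[0])
        elif name == "never_direct" and args[:1] == ["allow"]:
            never_allow.append(args[1:])
    findings = []
    if parents and not never_allow:
        # cache_peer_access only limits which requests may use a peer;
        # it does not stop Squid from trying the origin server itself.
        findings.append(
            "parent %s defined but no 'never_direct allow' rule: "
            "Squid may attempt direct connections" % ", ".join(parents)
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_direct_policy(conf) or "ok")
```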
