[squid-users] cache peer problem with two squid one Tproxy --->normal Proxy

Ahmed Allzaeem ahmed.zaeem at netstream.ps
Thu Nov 13 13:27:15 UTC 2014


Hi Amos, thanks for all the explanation.

But the problem was solved when I added the following directives to the tproxy server:
##############################
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access All allow all
#############################


Now everything is working fine with me.

But one last thing I need.

I need the tproxy server to forward the packets with the original IP of the clients... I mean I want to keep the tproxy function, whereas now all clients go to the peer with the IP of the tproxy server.

I need each user to go to the parent proxy with the original IP.

Can I do it with a directive?

Again, here is the directive I put on the tproxy to go to the parent:

cache_peer 77.221.104.97  parent 3127 0 no-query no-digest no-tproxy proxy-only


Thank you a lot.

-----Original Message-----
From: Amos Jeffries [mailto:squid3 at treenet.co.nz] 
Sent: Wednesday, November 12, 2014 6:55 PM
To: Ahmed Allzaeem; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] cache peer problem with two squid one Tproxy --->normal Proxy

On 13/11/2014 7:39 p.m., Ahmed Allzaeem wrote:
> Hi Amos
> 
> I have changed both hostnames on the two servers:
> 
> [root at tproxy ~]# hostname tproxy.com
> 
> 
> [root at parent ~]# hostname parent.com
> 
> 

Good.

> But, as I told you last time, I can see traffic "miss" on the normal 
> proxy, and "miss" on the tproxy server.
> 
> But it says access denied from the normal proxy.
> 
> I mean on the normal proxy "parent" there is only miss and no Denied 
> hits, but it gives me the error access denied.

Just to double check. The access.log records a TCP_MISS/403 ?

That is an "Access denied" error coming from the origin server.


PS. DENIED is rejection. HIT is acceptance. A single proxy cannot accept and reject at the same time.

> 
> Also I made sure that the IP of tproxy is allowed by ACL on the normal 
> proxy "parent".
> 

Good.

> 
> Again, here is the cache log at the parent proxy; it still says a loop 
> is occurring:
> 
> 2014/11/12 23:33:24 kid1| WARNING: Forwarding loop detected for: 
> GET / HTTP/1.1

URL "/" is *not* a forward-proxy syntax URL. It is an origin server syntax URL.

This URL syntax should only ever be seen as the first (tproxy) configured proxy. Never at the parent. For the parent to receive this message syntax is an "Invalid Request" error.

This is therefore very, very strange.


> Host: abc.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64;
> rv:33.0) Gecko/20100101 Firefox/33.0 Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Via:
> 1.1 squid (squid/3.4.3)

Notice how this is neither "tproxy.com" nor "parent.com" which your hostname is set to.

Let's try the shortcut for now and set visible_hostname in both proxies to the relevant tproxy.com / parent.com


> X-Forwarded-For: 176.58.79.248 Cache-Control: max-age=259200
> Connection: keep-alive
> 

The *only* ways a normal forward-proxy parent could be recording
forwarding loops is:

1) Via header already contains its hostname.

2) the URL domain:port resolves in DNS to the proxy listening IP:port.

3) the parent proxy is configured to use itself as a cache_peer.

Amos
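
Cause 1 in the list above, as an added example (not part of the thread and not Squid's own code): a minimal Via parser that reports whether a proxy's own name is already among the hops. The function names and the two-hop sample value are assumptions; the first sample is the Via value from the quoted cache.log.

```python
import re

# One Via element: received-protocol, received-by, optional (comment).
_VIA_ELEMENT = re.compile(
    r"""\s*(?:(?P<name>[A-Za-z]+)/)?(?P<version>[\w.]+)   # e.g. "1.1" or "HTTP/1.1"
        \s+(?P<by>[^\s,()]+)                              # host[:port] or pseudonym
        (?:\s+\((?P<comment>[^()]*)\))?\s*$""",
    re.VERBOSE,
)

def split_via(value):
    """Split a Via header value on commas that are outside (comments)."""
    parts, depth, cur = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def via_hops(value):
    """Return the received-by name of every hop, lower-cased, port removed."""
    hops = []
    for element in split_via(value):
        m = _VIA_ELEMENT.match(element)
        if m:
            hops.append(m.group("by").lower().rsplit(":", 1)[0])
    return hops

def is_forwarding_loop(via_value, my_name):
    """True when this proxy's own name is already listed in Via."""
    return my_name.lower() in via_hops(via_value)

# Via value copied from the cache.log excerpt in the thread.
LOGGED_VIA = "1.1 squid (squid/3.4.3)"
# Constructed value: a request that passed two uniquely named proxies.
CHAINED_VIA = "1.1 tproxy.com (squid/3.4.3), 1.1 parent.com:3127 (squid/3.4.3)"

if __name__ == "__main__":
    for name in ("squid", "tproxy.com", "parent.com"):
        print(name, is_forwarding_loop(LOGGED_VIA, name))
```

With the logged value the only hop is named `squid`, so a proxy identifying itself as `squid` would treat the request as a loop while one named `parent.com` would not, which is why each proxy needs a distinct visible_hostname. A proxy that strips Via before forwarding removes the information this check relies on.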


