[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

Amos Jeffries squid3 at treenet.co.nz
Thu Sep 17 04:50:35 UTC 2015


On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
> 
> Hm.
> 
> If I understand correctly, the right configuration must be:
> 
> # Privoxy+Tor access rules
> never_direct allow CONNECT
> never_direct allow tor_url
> 
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
> 
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
> 
> Right?
> 
> But:
> 
> http://i.imgur.com/UMxt2vh.png
> 
> Does CONNECT always require DIRECT?

In the above yes. If you don't want that remove the never_direct for
CONNECT as well.

> 
> I can't see FIRSTUP_PARENT for CONNECT in access log:
> 
> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/154.35.132.70 -
> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/38.229.72.16 -
> 

Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
upstream. The access controls about how to pass things upstream are
irrelevant for them.

> Because of IPs banned by the ISP, direct CONNECT got a timeout.
> 
> Also, all tor_url ACL can't connect.
> 
> Where am I wrong?

Where is the server IP coming from?

Amos
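As an added check, not part of the thread above: a small Python script that parses squid native access_log lines (the default format, as in the lines quoted above) and flags CONNECT requests that were routed HIER_DIRECT instead of via the expected parent peer. The first two sample lines are the ones from the thread; the third (a FIRSTUP_PARENT entry) is constructed for contrast, and the peer address 127.0.0.1 is assumed from the cache_peer line in the quoted config.

```python
import re
from collections import Counter
from typing import Dict, List

# Squid native access_log format (no custom logformat):
# timestamp elapsed client code/status bytes method url ident hierarchy/host mimetype
NATIVE_LOG = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample: two lines from the thread plus one constructed parent-routed line.
SAMPLE_LOG = """\
1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/154.35.132.70 -
1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/38.229.72.16 -
1442421000.000 120 127.0.0.1 TCP_TUNNEL/200 4096 CONNECT torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
"""


def parse_native(line: str) -> Dict[str, str]:
    """Split one native-format line into named fields; raise on anything else."""
    m = NATIVE_LOG.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised squid native log line: {line!r}")
    return m.groupdict()


def find_direct_connects(lines, expected_peer: str = "127.0.0.1") -> List[Dict[str, str]]:
    """Return CONNECT entries that did not go through expected_peer.

    A CONNECT honouring never_direct should show a *_PARENT/<peer> hierarchy;
    HIER_DIRECT means squid opened the tunnel to the origin itself.
    """
    hits = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_native(line)
        if entry["method"] != "CONNECT":
            continue
        if entry["hier"] == "HIER_DIRECT" or entry["peer"] != expected_peer:
            hits.append(entry)
    return hits


def hierarchy_summary(lines) -> Counter:
    """Count CONNECT entries by hierarchy code, e.g. {'HIER_DIRECT': 2, 'FIRSTUP_PARENT': 1}."""
    return Counter(parse_native(l)["hier"] for l in lines if l.strip()
                   and parse_native(l)["method"] == "CONNECT")


if __name__ == "__main__":
    for e in find_direct_connects(SAMPLE_LOG.splitlines()):
        print(f"bypassed parent: {e['url']} -> {e['hier']}/{e['peer']} ({e['code']})")
    print(dict(hierarchy_summary(SAMPLE_LOG.splitlines())))
```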

