[squid-users] squid sibling peers and digest requests

Ivan Larionov xeron.oskom at gmail.com
Thu Dec 29 07:51:27 UTC 2016


I'm sure about forwarding because I see requests to
http://172.22.15.88:3128/squid-internal-periodic/store_digest in parent
logs and my parent returns 502 because we do not allow requests to internal
IPs. Logs from the parent:

Got request: GET http://172.22.15.88:3128/squid-internal-periodic/store_digest
Not allowing blacklisted IP 172.22.15.88
GET http://172.22.15.88:3128/squid-internal-periodic/store_digest 502 0ms

I do not have "global_internal_static off" in my config and also I'm able
to get http://172.22.15.88:3128/squid-internal-periodic/store_digest using
curl or telnet (with telnet I do "GET /squid-internal-periodic/store_digest"
– note relative URL).

However, according to the debug logs, squid does this request using an absolute
URL, which probably works if the target sibling can do direct requests (so it
will request itself for the digest and return the response to the original
squid). But I do have "never_direct allow all", which probably makes the sibling
forward such a request to a parent.

If my theory about absolute vs relative URL is correct then I believe the
original squid should make the store_digest request using a relative URL (like
I can do with telnet) so the sibling squid will return the response right away
w/o asking itself for the result.

This is a more complete config (only stripped default things like localnet acls
/ http_access). Note that I actually have 2 parents, which I select based on a
header (but all requests w/o the header will go to the first parent), and I also
have:

via off
never_direct allow all
forwarded_for off

# START CONFIG ====================

# Allow HTCP queries from local networks only
htcp_access allow localnet
htcp_access allow localhost
htcp_access deny all

# Other squids
cache_peer 172.22.15.88 sibling 3128 4827 htcp
cache_peer … sibling 3128 4827 htcp
acl siblings src 172.22.15.88/32
acl siblings src …/32
miss_access deny siblings

acl header_a req_header header_a -i true
acl header_b req_header header_b -i true

# name1 parent
cache_peer 127.0.0.1 parent 18070 0 no-query no-digest name=name1
cache_peer_access name1 deny header_a
cache_peer_access name1 deny header_b

# name2 parent
cache_peer 127.0.0.1 parent 18079 0 no-query no-digest name=name2
cache_peer_access name2 allow header_a
cache_peer_access name2 allow header_b
cache_peer_access name2 deny all

cache_mem …
maximum_object_size_in_memory …
memory_replacement_policy …
cache_replacement_policy …

cache_dir aufs … … 16 256

minimum_object_size … bytes # non-zero so we don't cache mistakes
maximum_object_size … KB

client_db off

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
# refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# don't cache errors
negative_ttl 0 minutes
# always fetch object from the beginning regardless of Range requests
range_offset_limit none
via off
cache_effective_user squid
cache_effective_group squid
# disable icp
icp_port 0
never_direct allow all
forwarded_for off

# END CONFIG ====================

On Wed, Dec 28, 2016 at 11:15 PM, Amos Jeffries <squid3 at treenet.co.nz>
wrote:

> On 2016-12-29 16:03, Ivan Larionov wrote:
>
>> Hello!
>>
>> I'm trying to set up multiple squids as siblings with a parent which is
>> not even a squid.
>>
>> But I'm getting the following message in logs:
>>
>> temporary disabling (Bad Gateway) digest from 172.22.15.88
>>
>> temporary disabling (Bad Gateway) digest from …
>>
>> Squid 3.5.23, compiled with "--enable-cache-digests".
>>
>> For parent I'm setting no-digest, but I'd like to get digests between
>> siblings. However, it doesn't work and I probably found a reason after
>> reading debug logs:
>>
>> This is how squid does store_digest request from a sibling peer:
>>
>> GET http://172.22.15.88:3128/squid-internal-periodic/store_digest HTTP/1.1
>> Accept: application/cache-digest
>> Accept: text/html
>> X-Forwarded-For: unknown
>> Host: 172.22.15.88:3128
>> Cache-Control: max-age=259200
>> Connection: keep-alive
>>
>> Response (if I execute this request manually from telnet):
>>
>> HTTP/1.1 502 Bad Gateway
>>
>> This request has been forwarded to a parent and parent returned 502!
>>
>>
> Are you sure about that forwarding?
>  It's not being generated by the sibling?
>
>
>> Now if I manually do the same request with a relative URL:
>>
>> GET /squid-internal-periodic/store_digest HTTP/1.1
>>
>> Response:
>>
>> HTTP/1.1 200 Cache Digest OK
>>
>> My setup:
>>
>> Multiple squids as siblings, one parent (not a squid).
>>
>> Peers configuration:
>>
>> # Other squids
>> cache_peer 172.22.15.88 sibling 3128 4827 htcp
>> cache_peer … sibling 3128 4827 htcp
>> acl siblings src 172.22.15.88/32
>> acl siblings src …/32
>> miss_access deny siblings
>>
>> # Parent
>> cache_peer 127.0.0.1 parent 18070 0 no-query no-digest name=NAME
>> cache_peer_access NAME deny some_acl
>>
>> Anyone else seen a similar issue? Do you have an example of a working
>> configuration with multiple siblings and enabled digests?
>>
>
> The default config usually just works.
>
> Do you have "global_internal_static off" in your squid.conf?
>
> Amos



-- 
With best regards, Ivan Larionov.
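
The manual telnet comparison described in this thread (the same digest request sent once with an absolute URL and once with a relative URL), as an added Python example that is not code from the post or from Squid. The function names and the verdict labels are hypothetical; the request path and headers follow the request quoted above.

```python
import socket

DIGEST_PATH = "/squid-internal-periodic/store_digest"

def build_request(host, port, absolute):
    """Digest GET in absolute-form (as the sibling sends it) or origin-form."""
    target = f"http://{host}:{port}{DIGEST_PATH}" if absolute else DIGEST_PATH
    head = [f"GET {target} HTTP/1.1", f"Host: {host}:{port}",
            "Accept: application/cache-digest", "Connection: close"]
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii")

def probe(sock, host, port, absolute):
    """Send one request on a connected socket; return the HTTP status code."""
    sock.sendall(build_request(host, port, absolute))
    buf = b""
    while b"\r\n" not in buf:          # read until the status line is complete
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    parts = buf.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP response: {buf[:60]!r}")
    return int(parts[1])

def classify(absolute_status, origin_status):
    """Name the pattern the two status codes form (labels are hypothetical)."""
    if absolute_status == 200 and origin_status == 200:
        return "both-served"
    if origin_status == 200:
        return "origin-form-only"      # the symptom reported in this thread
    return "digest-unavailable"

def diagnose(host, port, timeout=5.0):
    """Probe a live sibling with both request forms, one connection each."""
    result = {}
    for name, absolute in (("absolute", True), ("origin", False)):
        with socket.create_connection((host, port), timeout=timeout) as s:
            result[name] = probe(s, host, port, absolute)
    result["verdict"] = classify(result["absolute"], result["origin"])
    return result

if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1], int(sys.argv[2])))
```

Run it against a sibling as `python3 probe.py 172.22.15.88 3128` (the file name is arbitrary); an `origin-form-only` verdict reproduces the 502-versus-200 difference reported above.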