[squid-users] Squid does not send request to parent proxy

Alex Rousskov rousskov at measurement-factory.com
Thu Jan 17 16:43:09 UTC 2019


On 1/17/19 8:28 AM, Troiano Alessio wrote:

> I'm not able to configure squid for using a parent proxy only for some domain. All the rest should be fetched directly. I tried this configuration:
> cache_peer 172.31.3.70 parent 8080 0 no-query default name=HUBATLDB
> acl domainAT dstdomain voeazul.com.br
> cache_peer_access HUBATLDB allow domainAT
> never_direct allow domainAT

Does turning nonhierarchical_direct off help?

Alex.


> But the site www.voeazul.com.br is fetched direct. This is the access log:
> %SQUID-4: 172.31.0.82 59719 [17/Jan/2019:22:55:36 +0800] "CONNECT www.voeazul.com.br:443 HTTP/1.1" www.voeazul.com.br - - "-" 200 - 816 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" TCP_TUNNEL:HIER_DIRECT 23.77.9.57 443 53176
> 
> Can you help me?
> 
> Following the full conf:
> 
> #
> # Recommended minimum configuration:
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> acl SOC_NET src 172.31.0.0/24   # SOC Network
> acl SMD src 10.30.0.47/32    # SMD Proxy
> acl Proxy_HK src 172.31.2.64/27    # Proxy Hong Kong Network
> ignore_expect_100 on
> acl nocachesite dstdomain /etc/squid/nocachesite.acl
> 
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl SSL_ports port 2096         # INC000000012740
> acl SSL_ports port 9091
> acl SSL_ports port 9444         # INC000000013855
> acl SSL_ports port 6082
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> forwarded_for delete
> tcp_outgoing_address 172.31.2.71 SMD
> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access allow manager SOC_NET
> http_access deny manager
> 
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> 
> cache_peer 172.31.3.70 parent 8080 0 no-query default name=HUBATLDB
> acl domainAT dstdomain voeazul.com.br
> cache_peer_access HUBATLDB allow domainAT
> never_direct allow domainAT
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> acl PURGE method PURGE
> http_access allow PURGE localhost
> http_access deny PURGE
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 0.0.0.0:8080
> 
> # We recommend you to use at least the following line.
> # migrated automatically by squid-migrate-conf, the original configuration was: hierarchy_stoplist cgi-bin ?
> 
> # Uncomment and adjust the following to add a disk cache directory.
> cache_effective_user squid
> cache_effective_group squid
> cache_dir diskd /home/squid 400000 64 512
> cache_mem 4 GB
> maximum_object_size_in_memory 2 MB
> minimum_object_size 0 KB
> maximum_object_size 100 MB
> cache_swap_low 96
> cache_swap_high 97
> memory_replacement_policy lru
> cache_replacement_policy heap LFUDA
> cache deny nocachesite
> cache allow all
> max_filedesc 8192
> 
> # Leave coredumps in the first cache dir
> coredump_dir /home/squid
> 
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:             1440 20% 10080
> refresh_pattern ^gopher:          1440 0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%  0
> refresh_pattern .                 0    20% 4320
> 
> cache_mgr xxx at xxx.com
> 
> ### BEGIN LOG FOR SIEM ###
> 
> #logformat siem  %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %<a %>p
> #access_log /var/log/squid/access.log siem
> logformat custom_squid %%SQUID-4: %>a %>p [%tl] "%rm %ru HTTP/%rv" %<A %ui %un "%rp" %Hs %mt %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %<a %<p %<lp
> access_log /var/log/squid/rsa/access.log custom_squid
> 
> ### END LOG FOR SIEM ###
> dns_v4_first on
> log_icp_queries off
> via off
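
An added example, not part of the original thread: a Python check that reads access-log lines in the custom_squid format quoted above and reports requests for a domain meant to go through the parent that were logged as HIER_DIRECT, as in the poster's log line. The function names, the subdomain scope rule and every sample line except the first are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

Q = r'"(?:[^"\\]|\\.)*"'  # quoted field, tolerating backslash-escaped quotes
# Field order follows the custom_squid logformat quoted in the post.
LINE_RE = re.compile(
    r'^%SQUID-4: \S+ \S+ \[(?P<time>[^\]]+)\] '            # %>a %>p [%tl]
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[^"]*" '            # "%rm %ru HTTP/%rv"
    r'\S+ \S+ \S+ ' + Q + r' \S+ \S+ \S+ ' + Q + ' ' + Q +   # %<A .. User-Agent
    r' \w+:(?P<hier>\w+) (?P<next_hop>\S+) \S+ \S+$')        # %Ss:%Sh %<a %<p %<lp

def request_host(method, url):
    """Host the client asked for: authority for CONNECT, URL host otherwise."""
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or "")
    return host.strip("[]").lower().rstrip(".")

def in_scope(host, domain):
    """Assumption of this example: the domain and all its subdomains are in scope."""
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def direct_fetches(lines, domain):
    """Return (in-scope requests logged as HIER_DIRECT, count of unparsed lines)."""
    hits, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed += 1  # counted, not dropped: a format change would hide bypasses
            continue
        host = request_host(m["method"], m["url"])
        if m["hier"] == "HIER_DIRECT" and in_scope(host, domain):
            hits.append((m["time"], m["method"], host, m["next_hop"]))
    return hits, unparsed

SAMPLE = [  # first line is the one from the post; the rest are constructed
    '%SQUID-4: 172.31.0.82 59719 [17/Jan/2019:22:55:36 +0800] "CONNECT www.voeazul.com.br:443 HTTP/1.1" www.voeazul.com.br - - "-" 200 - 816 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" TCP_TUNNEL:HIER_DIRECT 23.77.9.57 443 53176',
    '%SQUID-4: 172.31.0.82 59720 [17/Jan/2019:22:56:01 +0800] "CONNECT www.voeazul.com.br:443 HTTP/1.1" 172.31.3.70 - - "-" 200 - 904 "-" "test-agent" TCP_TUNNEL:FIRSTUP_PARENT 172.31.3.70 8080 53180',
    '%SQUID-4: 172.31.0.82 59721 [17/Jan/2019:22:56:05 +0800] "GET http://example.org/ HTTP/1.1" example.org - - "/" 200 text/html 1270 "-" "test-agent" TCP_MISS:HIER_DIRECT 192.0.2.10 80 53182',
    '%SQUID-4: 172.31.0.82 59722 [17/Jan/2019:22:56:09 +0800] "CONNECT notvoeazul.com.br:443 HTTP/1.1" notvoeazul.com.br - - "-" 200 - 500 "-" "test-agent" TCP_TUNNEL:HIER_DIRECT 192.0.2.11 443 53184',
    '%SQUID-4: truncated',
]

if __name__ == "__main__":
    for hit in direct_fetches(SAMPLE, "voeazul.com.br")[0]:
        print("direct fetch for parent-only domain:", hit)
```

Run against the real access log after each configuration change; an empty result with zero unparsed lines means no in-scope request was logged as HIER_DIRECT.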


