[squid-users] Squid does not send request to parent proxy

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 18 09:07:36 UTC 2019


On 18/01/19 4:28 am, Troiano Alessio wrote:
> Hello all,
> I'm not able to configure squid for using a parent proxy only for some domain. All the rest should be fetched directly. I tried this configuration:
> cache_peer 172.31.3.70 parent 8080 0 no-query default name=HUBATLDB
> acl domainAT dstdomain voeazul.com.br
> cache_peer_access HUBATLDB allow domainAT
> never_direct allow domainAT

That is the correct design.  It does not work for you because you put
the wrong domain name in the domainAT ACL.


Look at the log carefully. See how the domain the client is asking for
is actually "www.voeazul.com.br". Even a single character difference
makes it an entirely different domain name - the "www." bit matters.


If you want domainAT to do exact-match then you need to add the www.*
sub-domain to the list. Like this:

  acl domainAT dstdomain voeazul.com.br www.voeazul.com.br


Or, you can use a wildcard (start with a '.') to match that domain and
all its sub-domains. Like this:

  acl domainAT dstdomain .voeazul.com.br



> 
> But the site www.voeazul.com.br is fetched direct. This is the access log:
> %SQUID-4: 172.31.0.82 59719 [17/Jan/2019:22:55:36 +0800] "CONNECT www.voeazul.com.br:443 HTTP/1.1" www.voeazul.com.br - - "-" 200 - 816 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" TCP_TUNNEL:HIER_DIRECT 23.77.9.57 443 53176
> 
> Can you help me?
> 

What Squid version are you using?

I see config options which are only valid for Squid-3.1 in your setup. If
you are using an old Squid please try an upgrade, or start planning to
do one. There are many security vulnerabilities which affect those very
old Squid-3 and some cannot be fixed there, so even versions with LTS
security support are vulnerable.


Cheers
Amos
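
The exact-match versus leading-dot behaviour described in the reply above, as an added example that is not part of the original post and not Squid's own code. It is a simplified Python model of dstdomain matching plus a small audit of access-log lines in the format quoted in the thread; the function names and the second log line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def dstdomain_match(host, patterns):
    """Simplified model: 'example.com' matches only itself,
    '.example.com' matches the domain and all its sub-domains."""
    host = host.lower().rstrip(".")
    for pat in (p.lower() for p in patterns):
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False

# Request line and result:hierarchy fields as they appear in the quoted log.
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
HIER = re.compile(r'\b(?P<result>TCP_\w+):(?P<hier>[A-Z_]+)\b')

def request_host(method, target):
    """CONNECT targets are host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""

def audit(lines, patterns):
    """Return (host, hierarchy_code, acl_matches) for each parsable line."""
    out = []
    for line in lines:
        req, hier = REQ.search(line), HIER.search(line)
        if not (req and hier):
            continue
        host = request_host(req["method"], req["target"])
        out.append((host, hier["hier"], dstdomain_match(host, patterns)))
    return out

SAMPLE_LOG = [
    # Line quoted in the thread.
    '%SQUID-4: 172.31.0.82 59719 [17/Jan/2019:22:55:36 +0800] "CONNECT www.voeazul.com.br:443 HTTP/1.1" www.voeazul.com.br - - "-" 200 - 816 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" TCP_TUNNEL:HIER_DIRECT 23.77.9.57 443 53176',
    # Constructed line: bare domain, forwarded to the parent.
    '%SQUID-4: 172.31.0.82 59720 [17/Jan/2019:22:56:01 +0800] "GET http://voeazul.com.br/ HTTP/1.1" voeazul.com.br - - "-" 301 - 512 "-" "-" TCP_MISS:FIRSTUP_PARENT 172.31.3.70 8080 53177',
]

if __name__ == "__main__":
    for acl in (["voeazul.com.br"], [".voeazul.com.br"]):
        print(acl, audit(SAMPLE_LOG, acl))
```

A line whose third field is False shows a request the ACL never selected, which is why it was not sent to the parent.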

