[squid-users] squid 5 and parent peers

Alex Rousskov rousskov at measurement-factory.com
Sat Oct 9 02:12:22 UTC 2021


On 10/8/21 8:02 PM, Markus Moeller wrote:

> I am trying to set up a proxy chain, but don't get the setup right. I have one
> squid with 2 parents. One with auth for domainA.com and one w/o auth for
> the non local IPs (i.e. Internet).

> With the below config I see domainA.com still going to the
> unauthenticated parent proxy. Any hint why?

Several factors can explain that, but I would start by rephrasing your
request routing requirements (and the corresponding configuration rules)
as mutually exclusive (if they are). Currently, you have formulated and
configured the equivalent of

* send green traffic to auth-proxy
* send blue traffic to parent-proxy

This approach leaves important questions like "What about yellow
traffic?" and "What about traffic with green and blue dots?" unanswered.

If you want every request to go to either auth-proxy or parent-proxy,
then say so explicitly:

# green (and only green!) traffic to auth-proxy
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all

# not green (and only not green!) traffic to parent-proxy
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all

What "green" means exactly in your case, I do not know (due to the
questions like those listed above).


If you want every request to go to either auth-proxy, parent-proxy, or
direct, then your rules will become a bit more complex, but all three
routes should still be mutually exclusive:

# green (and only green) traffic to auth-proxy
# but exclude traffic that should go direct
cache_peer_access auth-proxy deny meantToGoDirect
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all

# not green (and only not green) traffic to parent-proxy
# but exclude traffic that should go direct
cache_peer_access parent-proxy deny meantToGoDirect
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all

# traffic that should go direct (and only that traffic)
# should always go direct
always_direct allow meantToGoDirect
always_direct deny all

# traffic that should not go direct (and only that traffic)
# should never go direct
never_direct deny meantToGoDirect
never_direct allow all

Disclaimer: The above configuration snippets are not complete, are not
tested, and can probably be reduced (some might say "simplified") if you
prefer to rely on certain defaults. See also: nonhierarchical_direct.

Once you get the above working for plain HTTP requests that have
resolvable domain names as targets, please note that your listA ACL will
not work for requests that have IP addresses, including some CONNECT
requests that ask your Squid to tunnel HTTPS traffic. Your Squid may not
get any such requests, but if it does, then your "green" and
"meantToGoDirect" ACLs may need to be more complex than "dstdomain -n"
and "dst".


HTH,

Alex.
P.S. I would not call the second proxy "parent-proxy" because both of
your proxies are configured as parent proxies.



> # Recommended minimum configuration:
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
> acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
> acl localnet src fc00::/7               # RFC 4193 local private network range
> acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
> 
> acl localdst dst 10.0.0.0/8             # RFC 1918 local private network (LAN)
> acl localdst dst 100.64.0.0/10          # RFC 6598 shared address space (CGN)
> acl localdst dst 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
> acl localdst dst 172.16.0.0/12          # RFC 1918 local private network (LAN)
> acl localdst dst 192.168.0.0/16         # RFC 1918 local private network (LAN)
> acl localdst dst fc00::/7               # RFC 4193 local private network range
> acl localdst dst fe80::/10              # RFC 4291 link-local (directly plugged) machines
> 
> acl listA dstdomain -n  domainA.com
> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> 
> cache_peer auth-proxy parent   3128 0  no-query default login=NEGOTIATE
> cache_peer parent-proxy parent   3128 0  no-query default
> cache_peer_access auth-proxy allow listA
> cache_peer_access parent-proxy allow !localdst
> never_direct deny localdst
> never_direct allow all
> 
> debug_options 44,10 11,20
> 
> 
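As an added illustration (not code from the thread or from Squid itself), a small Python model of Squid's first-match access-list evaluation, run over the poster's original cache_peer_access lines and over the mutually exclusive rewrite; it assumes that "green" corresponds to listA and "meantToGoDirect" to localdst, and every request value in it is constructed.

```python
import ipaddress

# Constructed model of Squid access-list semantics: rules are tried top to
# bottom, "!" negates an ACL, and when no rule matches the result is the
# opposite of the last rule's action. Illustration only, not Squid's code.

LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# ACLs from the thread. "green" is assumed to be listA and "meantToGoDirect"
# to be localdst (the poster's never_direct rules use localdst that way).
ACLS = {
    # dstdomain -n: matches the host name only, never an IP literal
    "listA": lambda r: r["host"] == "domainA.com"
                       or r["host"].endswith(".domainA.com"),
    # dst: matches the destination IP against the local ranges
    "localdst": lambda r: (r["ip"] is not None
                           and any(r["ip"] in n for n in LOCAL_NETS)),
    "all": lambda r: True,
}

def evaluate(rules, request):
    """Return True if the rule list allows the request."""
    last_action = "deny"
    for action, name in rules:
        acl = ACLS[name.lstrip("!")]
        if acl(request) != name.startswith("!"):   # ACL matched (after "!")
            return action == "allow"
        last_action = action
    return last_action == "deny"                   # no match: opposite of last

def eligible_peers(peer_rules, request):
    """Peers whose cache_peer_access lines allow this request."""
    return [p for p, rules in peer_rules.items() if evaluate(rules, request)]

def request(host, ip=None):
    """Constructed request: host from the URL plus its destination IP."""
    return {"host": host, "ip": ipaddress.ip_address(ip) if ip else None}

# The poster's rules: a domainA.com request is allowed by BOTH peers' lines.
ORIGINAL = {
    "auth-proxy":   [("allow", "listA")],
    "parent-proxy": [("allow", "!localdst")],
}
# The mutually exclusive rewrite: exactly one peer (or none) per request.
EXCLUSIVE = {
    "auth-proxy":   [("deny", "localdst"), ("allow", "listA"), ("deny", "all")],
    "parent-proxy": [("deny", "localdst"), ("deny", "listA"), ("allow", "all")],
}

if __name__ == "__main__":
    for req in (request("www.domainA.com", "203.0.113.10"),
                request("example.org", "198.51.100.5"),
                request("10.1.2.3", "10.1.2.3"),
                request("203.0.113.10", "203.0.113.10")):   # CONNECT to an IP
        print(req["host"], eligible_peers(ORIGINAL, req), eligible_peers(EXCLUSIVE, req))
```

The last request shows the -n caveat from the reply: an IP-literal target never matches dstdomain, so it falls through to the unauthenticated parent under both rule sets.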
