[squid-users] squid 5 and parent peers

Markus Moeller huaraz at moeller.plus.com
Sat Oct 9 13:06:24 UTC 2021


Hi,

I have now tested with the below config and I see my first request works, 
but the second fails. So I am not sure if it is still a configuration issue 
or something else.


....
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

#acl localdst dst 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localdst dst 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localdst dst 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localdst dst 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localdst dst 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localdst dst 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localdst dst fc00::/7               # RFC 4193 local private network range
acl localdst dst fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl google dstdomain -n .google.com

cache_peer internetproxy.example.com parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer authproxy.example.com parent 8080 0 no-query no-digest no-netdb-exchange default login=NEGOTIATE auth-no-keytab
# Only google to auth proxy
cache_peer_access authproxy.example.com deny localdst
cache_peer_access authproxy.example.com allow google
cache_peer_access authproxy.example.com deny all
# All other external domains
cache_peer_access internetproxy.example.com deny localdst
cache_peer_access internetproxy.example.com deny google
cache_peer_access internetproxy.example.com allow all
# Local goes direct
always_direct allow localdst
always_direct deny all
never_direct deny !localdst
never_direct allow all

debug_options 44,10 11,20

....

The first test looked fine:

#curl -vvv -x http://localhost:3128 http://www.google.com
* Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
*   Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128 (#0)
> GET http://www.google.com/ HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.75.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.com/
< Content-Length: 0
< Date: Sat, 09 Oct 2021 12:29:23 GMT
< X-Cache: MISS from clientproxy
< X-Cache-Lookup: MISS from clientproxy:3128
< Connection: keep-alive
<
* Connection #0 to host localhost left intact


The second request failed with a cache error:


#curl -vvv -x http://localhost:3128 http://www.google.com
* Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
*   Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128 (#0)
> GET http://www.google.com/ HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.75.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< Server: squid/5.1-VCS
< Mime-Version: 1.0
< Date: Sat, 09 Oct 2021 12:30:27 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3573
< X-Squid-Error: ERR_CONNECT_FAIL 110
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from clientproxy
< X-Cache-Lookup: MISS from clientproxy:3128
< Connection: keep-alive
<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" 
http://www.w3.org/TR/html4/strict.dtd>
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2021 The Squid Software 
Foundation and contributors">
<meta http-equiv="Content-Type" CONTENT="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
.....


The cache log says:

2021/10/09 13:29:23.520 kid1| 11,2| client_side.cc(1353) parseHttpRequest: 
HTTP Client conn10 local=127.0.0.1:3128 remote=127.0.0.1:45192 FD 12 flags=1
2021/10/09 13:29:23.520 kid1| 11,2| client_side.cc(1354) parseHttpRequest: 
HTTP Client REQUEST:
---------
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive


----------
2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(309) peerSelect: 
e:=IV/0x12e63f0*2 http://www.google.com/
2021/10/09 13:29:23.520 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(612) selectMore: GET 
www.google.com
2021/10/09 13:29:23.520 kid1| 44,3| peer_select.cc(617) selectMore: direct = 
DIRECT_UNKNOWN (always_direct to be checked)
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(373) 
checkAlwaysDirectDone: DENIED
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(612) selectMore: GET 
www.google.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(626) selectMore: direct = 
DIRECT_UNKNOWN (never_direct to be checked)
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(345) 
checkNeverDirectDone: DENIED
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(612) selectMore: GET 
www.google.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(577) checkNetdbDirect: MY 
RTT = 0 msec
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(578) checkNetdbDirect: 
minimum_direct_rtt = 400 msec
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(585) checkNetdbDirect: MY 
hops = 0
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(586) checkNetdbDirect: 
minimum_direct_hops = 4
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(647) selectMore: direct = 
DIRECT_MAYBE (default)
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(650) selectMore: direct = 
DIRECT_MAYBE
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(286) peerSelectIcpPing: 
http://www.google.com/
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(297) peerSelectIcpPing: 
counted 0 neighbors
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(833) selectSomeParent: 
GET www.google.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1098) addSelection: 
adding FIRSTUP_PARENT/authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1091) addSelection: 
skipping ANY_OLD_PARENT/authproxy.example.com; have 
FIRSTUP_PARENT/authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1091) addSelection: 
skipping DEFAULT_PARENT/authproxy.example.com; have 
FIRSTUP_PARENT/authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,3| peer_select.cc(1098) addSelection: 
adding HIER_DIRECT#www.google.com
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(460) resolveSelected: 
Find IP destination for: http://www.google.com/' via authproxy.example.com
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1171) handlePath: 
PeerSelector1 found conn11 local=0.0.0.0 remote=10.20.1.1:8080 
FIRSTUP_PARENT flags=1, destination #1 for http://www.google.com/
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1177) handlePath: 
always_direct = DENIED
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1178) handlePath: 
never_direct = DENIED
2021/10/09 13:29:23.523 kid1| 44,2| peer_select.cc(1179) handlePath: 
timedout = 0
2021/10/09 13:29:23.523 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.523 kid1| 11,7| HttpRequest.cc(468) clearError: old: 
ERR_NONE
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(460) resolveSelected: 
Find IP destination for: http://www.google.com/' via www.google.com
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1171) handlePath: 
PeerSelector1 found conn12 local=0.0.0.0 remote=172.217.23.100:80 
HIER_DIRECT flags=1, destination #2 for http://www.google.com/
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1177) handlePath: 
always_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1178) handlePath: 
never_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(1179) handlePath: 
timedout = 0
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(479) resolveSelected: 
PeerSelector1 found all 2 destinations for http://www.google.com/
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(480) resolveSelected: 
always_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(481) resolveSelected: 
never_direct = DENIED
2021/10/09 13:29:23.524 kid1| 44,2| peer_select.cc(482) resolveSelected: 
timedout = 0
2021/10/09 13:29:23.524 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector1
2021/10/09 13:29:23.524 kid1| 44,3| peer_select.cc(241) ~PeerSelector: 
http://www.google.com/
2021/10/09 13:29:23.526 kid1| 11,4| HttpRequest.cc(453) prepForPeering: 
0x1154cf0 to authproxy.example.com proxy
2021/10/09 13:29:23.526 kid1| 11,3| http.cc(2486) httpStart: GET 
http://www.google.com/
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(87) HttpStateData: HttpStateData 
0x12e9988 created
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2367) sendRequest: conn13 
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, 
request 0x1154cf0*6, this 0x12e9988.
2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The 
AsyncCall HttpStateData::httpTimeout constructed, this=0x12e8920 [call65]
2021/10/09 13:29:23.527 kid1| 11,8| http.cc(1656) maybeMakeSpaceAvailable: 
may read up to 65536 bytes info buf(0/65536) from conn13 
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The 
AsyncCall HttpStateData::readReply constructed, this=0x12f9c10 [call66]
2021/10/09 13:29:23.527 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The 
AsyncCall HttpStateData::wroteLast constructed, this=0x12f9cc0 [call67]
2021/10/09 13:29:23.527 kid1| 11,8| http.cc(2309) decideIfWeDoRanges: 
decideIfWeDoRanges: range specs: 0, cachable: 1; we_do_ranges: 0
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) 
copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: 
User-Agent: curl/7.75.0
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) 
copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: 
Accept: */*
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) 
copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: 
Proxy-Connection: Keep-Alive
2021/10/09 13:29:23.527 kid1| 11,5| http.cc(2113) 
copyOneHeaderFromClientsideRequestToUpstreamRequest: httpBuildRequestHeader: 
Host: www.google.com
2021/10/09 13:29:23.527 kid1| 11,5| peer_proxy_negotiate_auth.cc(539) 
peer_proxy_negotiate_auth: Import gss name
2021/10/09 13:29:23.527 kid1| 11,5| peer_proxy_negotiate_auth.cc(546) 
peer_proxy_negotiate_auth: Initialize gss security context
2021/10/09 13:29:23.531 kid1| 11,5| peer_proxy_negotiate_auth.cc(560) 
peer_proxy_negotiate_auth: Got token with length 2568
2021/10/09 13:29:23.531 kid1| 11,2| http.cc(2442) sendRequest: HTTP Server 
conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 
flags=1
2021/10/09 13:29:23.531 kid1| 11,2| http.cc(2443) sendRequest: HTTP Server 
REQUEST:
---------
GET http://www.google.com/ HTTP/1.1
User-Agent: curl/7.75.0
Accept: */*
Host: www.google.com
Proxy-Authorization: Negotiate YIIK....
Cache-Control: max-age=259200
Connection: keep-alive


----------
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(96) ScheduleCall: 
IoCallback.cc(131) will call HttpStateData::wroteLast(conn13 
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, 
data=0x12e9988) [call67]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCallQueue.cc(59) fireNext: entering 
HttpStateData::wroteLast(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 
FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(41) make: make call 
HttpStateData::wroteLast [call67]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncJob.cc(122) callStart: 
HttpStateData status in: [ job8]
2021/10/09 13:29:23.531 kid1| 11,5| http.cc(1667) wroteLast: conn13 
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1: 
size 3611: errflag 0.
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCall.cc(29) AsyncCall: The 
AsyncCall HttpStateData::httpTimeout constructed, this=0xe34fa0 [call69]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncJob.cc(153) callEnd: HttpStateData 
status out: [ job8]
2021/10/09 13:29:23.531 kid1| 11,5| AsyncCallQueue.cc(61) fireNext: leaving 
HttpStateData::wroteLast(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 
FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:23.615 kid1| 11,5| AsyncCall.cc(96) ScheduleCall: 
IoCallback.cc(131) will call HttpStateData::readReply(conn13 
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1, 
data=0x12e9988) [call66]
2021/10/09 13:29:23.615 kid1| 11,5| AsyncCallQueue.cc(59) fireNext: entering 
HttpStateData::readReply(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 
FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:23.615 kid1| 11,5| AsyncCall.cc(41) make: make call 
HttpStateData::readReply [call66]
2021/10/09 13:29:23.615 kid1| 11,5| AsyncJob.cc(122) callStart: 
HttpStateData status in: [ job8]
2021/10/09 13:29:23.615 kid1| 11,5| http.cc(1215) readReply: conn13 
local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.615 kid1| ctx: enter level  0: 'http://www.google.com/'
2021/10/09 13:29:23.615 kid1| 11,3| http.cc(666) processReplyHeader: 
processReplyHeader: key '0200000000000000843D000001000000'
2021/10/09 13:29:23.615 kid1| 11,2| http.cc(720) processReplyHeader: HTTP 
Server conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 
13 flags=1
2021/10/09 13:29:23.615 kid1| 11,2| http.cc(721) processReplyHeader: HTTP 
Server RESPONSE:
---------
HTTP/1.1 301 Moved Permanently
Location: https://www.google.com/
Content-Length: 0
Proxy-Connection: Keep-Alive

----------
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(119) setVirginReply: 0x12e9988 
setting virgin reply to 0x12fa850
2021/10/09 13:29:23.616 kid1| ctx: exit level  0
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(973) adaptOrFinalizeReply: 
adaptationAccessCheckPending=0
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(139) setFinalReply: 0x12e9988 
setting final reply to 0x12fa850
2021/10/09 13:29:23.616 kid1| ctx: enter level  0: 'http://www.google.com/'
2021/10/09 13:29:23.616 kid1| 11,3| http.cc(979) haveParsedReplyHeaders: 
HTTP CODE: 301
2021/10/09 13:29:23.616 kid1| 11,3| http.cc(1054) haveParsedReplyHeaders: 
decided: do not cache but share because refresh check returned 
non-cacheable; HTTP status 301 e:=p2XIV/0x12e63f0*3
2021/10/09 13:29:23.616 kid1| ctx: exit level  0
2021/10/09 13:29:23.616 kid1| 11,2| Stream.cc(279) sendStartOfMessage: HTTP 
Client conn10 local=127.0.0.1:3128 remote=127.0.0.1:45192 FD 12 flags=1
2021/10/09 13:29:23.616 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP 
Client REPLY:
---------
HTTP/1.1 301 Moved Permanently
Location: https://www.google.com/
Content-Length: 0
Date: Sat, 09 Oct 2021 12:29:23 GMT
X-Cache: MISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive


----------
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1491) processReplyBody: 
adaptationAccessCheckPending=0
2021/10/09 13:29:23.616 kid1| 11,3| http.cc(1154) persistentConnStatus: 
conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 
flags=1 eof=0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1174) persistentConnStatus: 
persistentConnStatus: content_length=0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1178) persistentConnStatus: 
persistentConnStatus: clen=0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(1537) processReplyBody: 
processReplyBody: COMPLETE_PERSISTENT_MSG from conn13 local=10.10.1.1:36928 
remote=10.20.1.1:8080 FIRSTUP_PARENT FD 13 flags=1
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(162) serverComplete: 
serverComplete 0x12e9988
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(184) serverComplete2: 
serverComplete2 0x12e9988
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(212) completeForwarding: 
completing forwarding for 0x12e6e28*2
2021/10/09 13:29:23.616 kid1| 11,5| Client.cc(586) cleanAdaptation: cleaning 
ICAP; ACL: 0
2021/10/09 13:29:23.616 kid1| 11,5| http.cc(134) ~HttpStateData: 
HttpStateData 0x12e9988 destroyed;
2021/10/09 13:29:23.616 kid1| 11,5| AsyncCallQueue.cc(61) fireNext: leaving 
HttpStateData::readReply(conn13 local=10.10.1.1:36928 remote=10.20.1.1:8080 
FIRSTUP_PARENT FD 13 flags=1, data=0x12e9988)
2021/10/09 13:29:27.287 kid1| 11,2| client_side.cc(1353) parseHttpRequest: 
HTTP Client conn15 local=127.0.0.1:3128 remote=127.0.0.1:45219 FD 12 flags=1
2021/10/09 13:29:27.287 kid1| 11,2| client_side.cc(1354) parseHttpRequest: 
HTTP Client REQUEST:
---------
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive


----------
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(309) peerSelect: 
e:=IV/0x12e63f0*2 http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET 
www.google.com
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(617) selectMore: direct = 
DIRECT_UNKNOWN (always_direct to be checked)
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(373) 
checkAlwaysDirectDone: DENIED
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET 
www.google.com
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(626) selectMore: direct = 
DIRECT_UNKNOWN (never_direct to be checked)
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(345) 
checkNeverDirectDone: DENIED
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(612) selectMore: GET 
www.google.com
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(577) checkNetdbDirect: MY 
RTT = 1 msec
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(578) checkNetdbDirect: 
minimum_direct_rtt = 400 msec
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(644) selectMore: direct = 
DIRECT_YES (checkNetdbDirect)
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(650) selectMore: direct = 
DIRECT_YES
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(1098) addSelection: 
adding HIER_DIRECT#www.google.com
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(460) resolveSelected: 
Find IP destination for: http://www.google.com/' via www.google.com
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1171) handlePath: 
PeerSelector2 found conn16 local=0.0.0.0 remote=172.217.23.100:80 
HIER_DIRECT flags=1, destination #1 for http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1177) handlePath: 
always_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1178) handlePath: 
never_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1179) handlePath: 
timedout = 0
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 11,7| HttpRequest.cc(468) clearError: old: 
ERR_NONE
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(479) resolveSelected: 
PeerSelector2 found all 1 destinations for http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(480) resolveSelected: 
always_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(481) resolveSelected: 
never_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(482) resolveSelected: 
timedout = 0
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(241) ~PeerSelector: 
http://www.google.com/
2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(279) sendStartOfMessage: HTTP 
Client conn15 local=127.0.0.1:3128 remote=127.0.0.1:45219 FD 12 flags=1
2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP 
Client REPLY:
---------
HTTP/1.1 503 Service Unavailable
Server: squid/5.1-VCS
Mime-Version: 1.0
Date: Sat, 09 Oct 2021 12:30:27 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3573
X-Squid-Error: ERR_CONNECT_FAIL 110
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive


----------
Thank you
Markus
"Markus Moeller"  wrote in message news:sjrrhc$lat$1 at ciao.gmane.io...

I now understand the concept better.

Thank you
Markus


"Alex Rousskov"  wrote in message
news:3dec529a-b62e-1e95-6cb7-0b68f6bf3c8d at measurement-factory.com...

On 10/8/21 8:02 PM, Markus Moeller wrote:

> I try to set up a proxy chain, but don't get the setup right. I have one
> squid with 2 parents. One with auth for domainA.com and one w/o auth for
> the non local IPs (i.e. Internet).

> With the below config I see domainA.com still going to the
> unauthenticated parent proxy. Any hint why?

Several factors can explain that, but I would start by rephrasing your
request routing requirements (and the corresponding configuration rules)
as mutually exclusive (if they are). Currently, you have formulated and
configured the equivalent of

* send green traffic to auth-proxy
* send blue traffic to parent-proxy

This approach leaves important questions like "What about yellow
traffic?" and "What about traffic with green and blue dots?" unanswered.

If you want every request to go to either auth-proxy or parent-proxy,
then say so explicitly:

# green (and only green!) traffic to auth-proxy
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all

# not green (and only not green!) traffic to parent-proxy
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all

What "green" means exactly in your case, I do not know (due to the
questions like those listed above).


If you want every request to go to either auth-proxy, parent-proxy, or
direct, then your rules will become a bit more complex, but all three
routes should still be mutually exclusive:

# green (and only green) traffic to auth-proxy
# but exclude traffic that should go direct
cache_peer_access auth-proxy deny meantToGoDirect
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all

# not green (and only not green) traffic to parent-proxy
# but exclude traffic that should go direct
cache_peer_access parent-proxy deny meantToGoDirect
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all

# traffic that should go direct (and only that traffic)
# should always go direct
always_direct allow meantToGoDirect
always_direct deny all

# traffic that should not go direct (and only that traffic)
# should never go direct
never_direct deny meantToGoDirect
never_direct allow all

Disclaimer: The above configuration snippets are not complete, are not
tested, and can probably be reduced (some might say "simplified") if you
prefer to rely on certain defaults. See also: nonhierarchical_direct.

Once you get the above working for plain HTTP requests that have
resolvable domain names as targets, please note that your listA ACL will
not work for requests that have IP addresses, including some CONNECT
requests that ask your Squid to tunnel HTTPS traffic. Your Squid may not
get any such requests, but if it does, then your "green" and
"meantToGoDirect" ACLs may need to be more complex than "dstdomain -n"
and "dst".


HTH,

Alex.
P.S. I would not call the second proxy "parent-proxy" because both of
your proxies are configured as parent proxies.



> # Recommended minimum configuration:
> #
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
> acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
> acl localnet src fc00::/7               # RFC 4193 local private network range
> acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
>
> acl localdst dst 10.0.0.0/8             # RFC 1918 local private network (LAN)
> acl localdst dst 100.64.0.0/10          # RFC 6598 shared address space (CGN)
> acl localdst dst 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
> acl localdst dst 172.16.0.0/12          # RFC 1918 local private network (LAN)
> acl localdst dst 192.168.0.0/16         # RFC 1918 local private network (LAN)
> acl localdst dst fc00::/7               # RFC 4193 local private network range
> acl localdst dst fe80::/10              # RFC 4291 link-local (directly plugged) machines
>
> acl listA dstdomain -n  domainA.com
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
>
> cache_peer auth-proxy parent   3128 0  no-query default login=NEGOTIATE
> cache_peer parent-proxy parent   3128 0  no-query default
> cache_peer_access auth-proxy allow listA
> cache_peer_access parent-proxy allow !localdst
> never_direct deny localdst
> never_direct allow all
>
> debug_options 44,10 11,20
>
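As an added illustration of the first-match access-list evaluation behind Alex's advice (constructed example code, not Squid's own logic and not from anyone in the thread), the following Python model parses the routing directives Markus posted above, plus Alex's template instantiated with green = google and meantToGoDirect = localdst, and reports which parents pass cache_peer_access and what the always_direct / never_direct pair yields for an Internet and an intranet destination; for the Google request it reproduces the always_direct = DENIED, never_direct = DENIED outcome visible in the cache log. The route() decision is a deliberate simplification of peer_select.cc, and the intranet host wiki.corp.example / 10.20.5.5 is a hypothetical value.

```python
import ipaddress

def parse(text):
    """Parse the squid.conf subset used in the thread (acl dst/dstdomain, cache_peer_access, always_direct, never_direct)."""
    cfg = {"acls": {}, "peers": {}, "always_direct": [], "never_direct": []}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()        # drop trailing comments
        if not parts:
            continue
        key = parts[0]
        if key == "acl":
            values = [a for a in parts[3:] if a != "-n"]   # -n only disables DNS lookups
            acl = cfg["acls"].setdefault(parts[1], {"kind": parts[2], "values": []})
            acl["values"].extend(values)
        elif key == "cache_peer":
            cfg["peers"].setdefault(parts[1], [])       # peer with no access lines yet
        elif key == "cache_peer_access":
            cfg["peers"].setdefault(parts[1], []).append((parts[2], parts[3]))
        elif key in ("always_direct", "never_direct"):
            cfg[key].append((parts[1], parts[2]))
    return cfg

def acl_matches(cfg, term, req):
    """Match one ACL term ('name', '!name' or the builtin 'all') against a request."""
    if term == "all":
        return True
    if term.startswith("!"):
        return not acl_matches(cfg, term[1:], req)
    acl = cfg["acls"][term]
    if acl["kind"] == "dst":
        ip = ipaddress.ip_address(req["dst_ip"])
        return any(ip in ipaddress.ip_network(v) for v in acl["values"])
    if acl["kind"] == "dstdomain":
        host = req["host"].lower()
        for v in (v.lower() for v in acl["values"]):
            # a leading dot matches the domain itself and every subdomain
            if host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)):
                return True
        return False
    raise ValueError("unsupported acl type: " + acl["kind"])

def access_allowed(cfg, rules, req):
    """First matching line wins; no match gives the opposite of the last line; no lines means allow."""
    if not rules:
        return True
    for action, term in rules:
        if acl_matches(cfg, term, req):
            return action == "allow"
    return rules[-1][0] == "deny"

def route(cfg, req):
    """Simplified peer_select decision: always_direct wins, then never_direct, else DIRECT_MAYBE."""
    peers = [p for p, rules in cfg["peers"].items() if access_allowed(cfg, rules, req)]
    if access_allowed(cfg, cfg["always_direct"], req):
        return "DIRECT_YES", []            # direct only, parents not consulted
    if access_allowed(cfg, cfg["never_direct"], req):
        return "DIRECT_NO", peers          # parents only
    return "DIRECT_MAYBE", peers           # parents first, direct as a fallback

# Routing directives from the posted config (localnet, cache_peer options and debug lines omitted).
POSTED = """
acl localdst dst 10.0.0.0/8
acl localdst dst 192.168.0.0/16
acl google dstdomain -n .google.com
cache_peer_access authproxy.example.com deny localdst
cache_peer_access authproxy.example.com allow google
cache_peer_access authproxy.example.com deny all
cache_peer_access internetproxy.example.com deny localdst
cache_peer_access internetproxy.example.com deny google
cache_peer_access internetproxy.example.com allow all
always_direct allow localdst
always_direct deny all
never_direct deny !localdst
never_direct allow all
"""
# Alex's template with green = google and meantToGoDirect = localdst differs in one line.
TEMPLATE = POSTED.replace("never_direct deny !localdst", "never_direct deny localdst")

# Constructed requests: the Google test from the thread and a hypothetical intranet host.
GOOGLE = {"host": "www.google.com", "dst_ip": "172.217.23.100"}
INTRANET = {"host": "wiki.corp.example", "dst_ip": "10.20.5.5"}
```

Call route(parse(POSTED), GOOGLE) and route(parse(TEMPLATE), GOOGLE) to compare the two never_direct variants for the same request.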

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users 