<div dir="ltr">I'm sure about forwarding because I see requests to <a href="http://172.22.15.88:3128/squid-internal-periodic/store_digest" rel="noreferrer" target="_blank" style="font-size:12.8px">http://172.22.15.88:3128/squid<wbr>-internal-periodic/store_diges<wbr>t</a><span style="color:rgb(80,0,80);font-size:12.8px"> in parent logs and my parent returns 502 because we do not allow requests to internal IPs. Logs from the parent:</span><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><div><span style="font-size:12.8px">Got request: GET <a href="http://172.22.15.88:3128/squid-internal-periodic/store_digest">http://172.22.15.88:3128/squid-internal-periodic/store_digest</a></span></div><div><span style="font-size:12.8px">Not allowing blacklisted IP 172.22.15.88</span></div><div><span style="font-size:12.8px">GET <a href="http://172.22.15.88:3128/squid-internal-periodic/store_digest">http://172.22.15.88:3128/squid-internal-periodic/store_digest</a> 502 0ms</span></div></font><div><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div><div><span style="color:rgb(80,0,80);font-size:12.8px">I do not have "</span><font color="#500050"><span style="font-size:12.8px">global_internal_static off" in my config and also I'm able to get </span></font><a href="http://172.22.15.88:3128/squid-internal-periodic/store_digest" rel="noreferrer" target="_blank" style="font-size:12.8px">http://172.22.15.88:3128/squid<wbr>-internal-periodic/store_diges<wbr>t</a><span style="color:rgb(80,0,80);font-size:12.8px"> using curl or telnet (with telnet I do "</span><span style="color:rgb(80,0,80);font-size:12.8px">GET /squid-internal-periodic/store</span><wbr style="color:rgb(80,0,80);font-size:12.8px"><span style="color:rgb(80,0,80);font-size:12.8px">_digest" – note relative URL</span><span style="color:rgb(80,0,80);font-size:12.8px">).</span></div><div><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div><div><span style="color:rgb(80,0,80);font-size:12.8px">However according to debug logs squid does this request using absolute URL which probably works if target sibling can do direct requests (so it will request itself for digest and return response to original squid). But I do have "</span><font color="#500050"><span style="font-size:12.8px">never_direct allow all" which probably makes sibling to forward such request to a parent.</span></font></div></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px">If my theory about absolute vs relative URL is correct then I believe original squid should make </span></font><span style="color:rgb(80,0,80);font-size:12.8px">store_digest request using relative URL (like I can do with telnet) so sibling squid will return response right away w/o asking itself for result.</span></div><div><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div><div><span style="color:rgb(80,0,80);font-size:12.8px">This is more complete config (only stripped default things like </span><span style="color:rgb(80,0,80);font-size:12.8px">localnet </span><span style="color:rgb(80,0,80);font-size:12.8px">acls / http_access), n</span><span style="color:rgb(80,0,80);font-size:12.8px">ote that I have 2 parents actually which I select based on header (but all requests w/o header will go to the first parent), and also have:</span></div><div><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div><div><div><font color="#500050"><span style="font-size:12.8px">via off</span></font></div><div><font color="#500050"><span style="font-size:12.8px">never_direct allow all</span></font></div><div><font color="#500050"><span style="font-size:12.8px">forwarded_for off</span></font></div></div><div><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div><div><span style="color:rgb(80,0,80);font-size:12.8px"># START CONFIG ==========</span><span style="color:rgb(80,0,80);font-size:12.8px">==========</span></div><div><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div><div><div><font color="#500050"><span style="font-size:12.8px"># Allow HTCP queries from local networks only</span></font></div><div><font color="#500050"><span style="font-size:12.8px">htcp_access allow localnet</span></font></div><div><font color="#500050"><span style="font-size:12.8px">htcp_access allow localhost</span></font></div><div><font color="#500050"><span style="font-size:12.8px">htcp_access deny all</span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px"># Other squids</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_peer 172.22.15.88 sibling 3128 4827 htcp</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_peer … sibling 3128 4827 htcp</span></font></div><div><font color="#500050"><span style="font-size:12.8px">acl siblings src <a href="http://172.22.15.88/32">172.22.15.88/32</a></span></font></div><div><font color="#500050"><span style="font-size:12.8px">acl siblings src …/32</span></font></div><div><font color="#500050"><span style="font-size:12.8px">miss_access deny siblings</span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px">acl header_a req_header header_a -i true</span></font></div><div><font color="#500050"><span style="font-size:12.8px">acl header_b req_header header_b -i true</span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px"># name1 parent</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_peer 127.0.0.1 parent 18070 0 no-query no-digest name=name1</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_peer_access name1 deny header_a</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_peer_access name1 deny header_b</span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px"># name2 parent</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_peer 127.0.0.1 parent 18079 0 no-query no-digest name=name2</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_peer_access name2 allow header_a</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_peer_access name2 allow header_b</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_peer_access name2 deny all</span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_mem …</span></font></div><div><font color="#500050"><span style="font-size:12.8px">maximum_object_size_in_memory …</span></font></div><div><font color="#500050"><span style="font-size:12.8px">memory_replacement_policy …</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_replacement_policy …</span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_dir aufs … … 16 256</span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px">minimum_object_size … bytes # none-zero so we dont cache mistakes</span></font></div><div><font color="#500050"><span style="font-size:12.8px">maximum_object_size … KB</span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px">client_db off</span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px">refresh_pattern ^ftp: 1440 20% 10080</span></font></div><div><font color="#500050"><span style="font-size:12.8px">refresh_pattern ^gopher: 1440 0% 1440</span></font></div><div><font color="#500050"><span style="font-size:12.8px"># refresh_pattern -i (/cgi-bin/|\?) 0 0% 0</span></font></div><div><font color="#500050"><span style="font-size:12.8px">refresh_pattern . 0 20% 4320</span></font></div><div><font color="#500050"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px"># don't cache errors</span></font></div><div><font color="#500050"><span style="font-size:12.8px">negative_ttl 0 minutes</span></font></div><div><font color="#500050"><span style="font-size:12.8px"># always fetch object from the beginning regardless of Range requests</span></font></div><div><font color="#500050"><span style="font-size:12.8px">range_offset_limit none</span></font></div><div><font color="#500050"><span style="font-size:12.8px">via off</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_effective_user squid</span></font></div><div><font color="#500050"><span style="font-size:12.8px">cache_effective_group squid</span></font></div><div><font color="#500050"><span style="font-size:12.8px"># disable icp</span></font></div><div><font color="#500050"><span style="font-size:12.8px">icp_port 0</span></font></div><div><font color="#500050"><span style="font-size:12.8px">never_direct allow all</span></font></div><div><font color="#500050"><span style="font-size:12.8px">forwarded_for off</span></font></div><div style="color:rgb(80,0,80);font-size:12.8px"><br></div></div><div><span style="color:rgb(80,0,80);font-size:12.8px"># END CONFIG ==========</span><span style="color:rgb(80,0,80);font-size:12.8px">==========</span><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 28, 2016 at 11:15 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 2016-12-29 16:03, Ivan Larionov wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Hello!<br>
<br>
I'm trying to setup multiple squids as siblings with a parent which is<br>
not even a squid.<br>
<br>
But I'm getting following message in logs:<br>
<br>
temporary disabling (Bad Gateway) digest from 172.22.15.88<br>
<br>
temporary disabling (Bad Gateway) digest from …<br>
<br>
Squid 3.5.23, compiled with "--enable-cache-digests".<br>
<br>
For parent I'm setting no-digest, but I'd like to get digests between<br>
siblings. However, it doesn't work and I probably found a reason after<br>
reading debug logs:<br>
<br>
This is how squid does store_digest request from a sibling peer:<br>
<br></span>
GET <a href="http://172.22.15.88:3128/squid-internal-periodic/store_digest" rel="noreferrer" target="_blank">http://172.22.15.88:3128/squid<wbr>-internal-periodic/store_diges<wbr>t</a> [1]<span class=""><br>
HTTP/1.1<br>
Accept: application/cache-digest<br>
Accept: text/html<br>
X-Forwarded-For: unknown<br></span>
Host: <a href="http://172.22.15.88:3128" rel="noreferrer" target="_blank">172.22.15.88:3128</a> [2]<span class=""><br>
Cache-Control: max-age=259200<br>
Connection: keep-alive<br>
<br>
Response (if I execute this request manually from telnet):<br>
<br>
HTTP/1.1 502 Bad Gateway<br>
…<br>
<br>
This request has been forwarded to a parent and parent returned 502!<br>
<br>
</span></blockquote>
<br>
Are you sure about that forwarding?<br>
Its not being generated by the sibling?<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Now if I manually do the same request with a relative URL:<br>
<br>
GET /squid-internal-periodic/store<wbr>_digest HTTP/1.1<br>
…<br>
<br>
Response:<br>
<br>
HTTP/1.1 200 Cache Digest OK<br>
…<br>
<br>
My setup:<br>
<br>
Multiple squids as siblings, one parent (not a squid).<br>
<br>
Peers configuration:<br>
<br>
# Other squids<br>
cache_peer 172.22.15.88 sibling 3128 4827 htcp<br>
cache_peer … sibling 3128 4827 htcp<br></span>
acl siblings src <a href="http://172.22.15.88/32" rel="noreferrer" target="_blank">172.22.15.88/32</a> [3]<span class=""><br>
acl siblings src …/32<br>
miss_access deny siblings<br>
<br>
# Parent<br>
cache_peer 127.0.0.1 parent 18070 0 no-query no-digest name=NAME<br>
cache_peer_access NAME deny some_acl<br>
<br>
Anyone else seen similar issue? Do you have an example of working<br>
configuration with multiple siblings and enabled digests?<br>
</span></blockquote>
<br>
The default config usually just works.<br>
<br>
Do you have "global_internal_static off" in your squid.conf?<br>
<br>
Amos<br>
<br>
______________________________<wbr>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/l<wbr>istinfo/squid-users</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">With best regards, Ivan Larionov.</div>
</div>