<div dir="ltr">Ok, sorry for so many messages. This is the last one :)<div><br></div><div>In the end what helped was this:<div><br></div><div><div>acl internal_digest urlpath_regex +i ^/squid-internal-periodic/store_digest$</div><div>always_direct allow internal_digest</div><div>never_direct deny internal_digest</div></div><div><br></div><div>So Amos' original idea with ACL was correct, I just had to adjust it a bit.</div><div><br></div><div>Looks like "never_direct allow all" which I have later in config affects store_digest requests. Not sure if it's a bug or feature.</div><div><br></div><div>Thank you for helping again.</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 29, 2016 at 4:15 PM, Ivan Larionov <span dir="ltr"><<a href="mailto:xeron.oskom@gmail.com" target="_blank">xeron.oskom@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Here are some debug logs from FwdState which handles digest request.<div><br></div><div>172.22.13.210 – original squid</div><div>172.22.8.145 – sibling squid<br></div><div><a href="http://127.0.0.1:18070" target="_blank">127.0.0.1:18070</a> – parent<br></div><div><br></div><div>As you can see it uses connection to parent for this request (reusing pconn local=<a href="http://127.0.0.1:44120" target="_blank">127.0.0.1:44120</a> remote=<a href="http://127.0.0.1:18070" target="_blank">127.0.0.1:18070</a> FD 16 flags=1) which is probably a bug.</div><div><div><br></div><div><div>2016/12/29 15:57:41.121| 17,3| FwdState.cc(332) Start: '<a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a>'</div><div>2016/12/29 15:57:41.121| 17,2| FwdState.cc(133) FwdState: Forwarding client request , url=<a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" 
target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a></div><div>2016/12/29 15:57:41.121| 17,3| FwdState.cc(387) startConnectionOrFail: <a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a></div><div>2016/12/29 15:57:41.121| 17,3| FwdState.cc(806) connectStart: fwdConnectStart: <a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a></div><div>2016/12/29 15:57:41.121| 17,3| FwdState.cc(875) connectStart: reusing pconn local=<a href="http://127.0.0.1:44120" target="_blank">127.0.0.1:44120</a> remote=<a href="http://127.0.0.1:18070" target="_blank">127.0.0.1:18070</a> FD 16 flags=1</div><div>2016/12/29 15:57:41.121| 17,3| FwdState.cc(908) dispatch: : Fetching GET <a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a></div><div>2016/12/29 15:57:41.124| 17,3| FwdState.cc(447) unregister: <a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a></div><div>2016/12/29 15:57:41.124| 17,2| FwdState.cc(655) handleUnregisteredServerEnd: self=0x1450738*2 err=0 <a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a></div></div><div><br></div></div><div>And peer_select logs:</div><div><br></div><div><div><div>2016/12/29 16:12:41.843| 44,3| peer_select.cc(137) peerSelect: e:=IWV/0x148bae0*2 <a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a></div><div>2016/12/29 16:12:41.843| 44,3| peer_select.cc(441) 
peerSelectFoo: GET 172.22.8.145</div><div>2016/12/29 16:12:41.843| 44,3| peer_select.cc(446) peerSelectFoo: peerSelectFoo: direct = DIRECT_UNKNOWN (always_direct to be checked)</div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(194) peerCheckAlwaysDirectDone: peerCheckAlwaysDirectDone: DENIED</div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(441) peerSelectFoo: GET 172.22.8.145</div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(454) peerSelectFoo: peerSelectFoo: direct = DIRECT_UNKNOWN (never_direct to be checked)</div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(171) peerCheckNeverDirectDone: peerCheckNeverDirectDone: ALLOWED</div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(177) peerCheckNeverDirectDone: direct = DIRECT_NO (never_direct allow)</div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(441) peerSelectFoo: GET 172.22.8.145</div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(110) peerSelectIcpPing: peerSelectIcpPing: <a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a></div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(121) peerSelectIcpPing: peerSelectIcpPing: counted 0 neighbors</div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(685) peerGetSomeParent: GET 172.22.8.145</div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(709) peerGetSomeParent: peerSelect: FIRSTUP_PARENT/<a href="http://127.0.0.1" target="_blank">127.0.0.1</a></div><div>2016/12/29 16:12:41.844| 44,5| peer_select.cc(938) peerAddFwdServer: peerAddFwdServer: adding 127.0.0.1 FIRSTUP_PARENT</div><div>2016/12/29 16:12:41.844| 44,5| peer_select.cc(938) peerAddFwdServer: peerAddFwdServer: adding 127.0.0.1 ANY_OLD_PARENT</div><div>2016/12/29 16:12:41.844| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: <a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" 
target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a>' via 127.0.0.1</div><div>2016/12/29 16:12:41.844| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: <a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a>' via 127.0.0.1</div><div>2016/12/29 16:12:41.844| 44,2| peer_select.cc(280) peerSelectDnsPaths: Found sources for '<a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a>'</div><div>2016/12/29 16:12:41.844| 44,2| peer_select.cc(281) peerSelectDnsPaths:   always_direct = DENIED</div><div>2016/12/29 16:12:41.844| 44,2| peer_select.cc(282) peerSelectDnsPaths:    never_direct = ALLOWED</div><div>2016/12/29 16:12:41.844| 44,2| peer_select.cc(292) peerSelectDnsPaths:      cache_peer = local=0.0.0.0 remote=<a href="http://127.0.0.1:18070" target="_blank">127.0.0.1:18070</a> flags=1</div><div>2016/12/29 16:12:41.844| 44,2| peer_select.cc(292) peerSelectDnsPaths:      cache_peer = local=0.0.0.0 remote=<a href="http://127.0.0.1:18070" target="_blank">127.0.0.1:18070</a> flags=1</div><div>2016/12/29 16:12:41.844| 44,2| peer_select.cc(295) peerSelectDnsPaths:        timedout = 0</div><div>2016/12/29 16:12:41.844| 44,3| peer_select.cc(79) ~ps_state: <a href="http://172.22.8.145:3128/squid-internal-periodic/store_digest" target="_blank">http://172.22.8.145:3128/<wbr>squid-internal-periodic/store_<wbr>digest</a></div></div></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 29, 2016 at 2:21 PM, Ivan Larionov <span dir="ltr"><<a href="mailto:xeron.oskom@gmail.com" target="_blank">xeron.oskom@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div 
dir="ltr">Thank you for helping.<div><br></div><div>After some experiments and tcpdumping it looks like it's not sibling sending request to the parent, but original squid!</div><div><br></div><div>So instead of asking sibling about his digests squid asks parent.</div><div><br></div><div>And your trick with urlpath_regex didn't help. I even tried:</div><div><br></div><div><div>acl internal_digest urlpath_regex +i /.*store_digest.*/</div><div>always_direct allow internal_digest</div><div>never_direct deny internal_digest</div></div><div><br></div><div>but no luck. It still asks parent.</div><div><br></div></div><div class="gmail_extra"><div><div class="m_-4112677506992719227h5"><br><div class="gmail_quote">On Thu, Dec 29, 2016 at 1:00 AM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 2016-12-29 20:51, Ivan Larionov wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
I'm sure about forwarding because I see requests to<br>
</span><a href="http://172.22.15.88:3128/squid-internal-periodic/store_digest" rel="noreferrer" target="_blank">http://172.22.15.88:3128/squid<wbr>-internal-periodic/store_diges<wbr>t</a> [1] in<span><br>
parent logs and my parent returns 502 because we do not allow requests<br>
to internal IPs. Logs from the parent:<br>
<br>
Got request: GET<br>
<a href="http://172.22.15.88:3128/squid-internal-periodic/store_digest" rel="noreferrer" target="_blank">http://172.22.15.88:3128/squid<wbr>-internal-periodic/store_diges<wbr>t</a><br>
Not allowing blacklisted IP 172.22.15.88<br>
GET <a href="http://172.22.15.88:3128/squid-internal-periodic/store_digest" rel="noreferrer" target="_blank">http://172.22.15.88:3128/squid<wbr>-internal-periodic/store_diges<wbr>t</a> 502<br>
0ms<br>
<br>
I do not have "global_internal_static off" in my config and also I'm<br>
able to get<br>
</span><a href="http://172.22.15.88:3128/squid-internal-periodic/store_digest" rel="noreferrer" target="_blank">http://172.22.15.88:3128/squid<wbr>-internal-periodic/store_diges<wbr>t</a> [1]<span><br>
using curl or telnet (with telnet I do "GET<br>
/squid-internal-periodic/store<wbr>_digest" – note relative URL).<br>
</span></blockquote>
<br>
Okay, that's good.<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
However according to debug logs squid does this request using absolute<br>
URL which probably works if target sibling can do direct requests (so<br>
it will request itself for digest and return response to original<br>
squid). But I do have "never_direct allow all" which probably makes<br>
sibling forward such a request to a parent.<br>
</blockquote>
<br></span>
Hmm, I think you might be right about that.<br>
You can test it by adding:<br>
<br>
 acl foo urlpath_regex +i /squid.internal.digest/<br>
 never_direct deny foo<span><br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
If my theory about absolute vs relative URL is correct then I believe<br>
original squid should make store_digest request using relative URL<br>
(like I can do with telnet) so sibling squid will return response<br>
right away w/o asking itself for result.<br>
</blockquote>
<br></span>
What's happening with the URL is that the sending peer generates it from the cache_peer IP/host name and port.<br>
<br>
The receiving peer checks the path starts with "/squid-internal-" and that the hostname portion matches its own visible_hostname or unique_hostname. If those match it's marked for special handling as an internal request, otherwise global_internal_static is used to determine if the hostname not matching is ignored and it gets marked anyway.<br>
<br>
Since the digest needs to be targeted at the specific peer and not anything which may inject itself in between them the hostname does need to be sent. The relative URLs are for things that don't vary between proxies, like the Squid icons.<br>
<br>
If you configure cache_peer with the hostname of the receiving peer instead of its raw-IP the requests should be sent with that hostname instead of raw-IP.<br>
<br>
<br>
<br>
The config looks okay. Thanks for that.<span class="m_-4112677506992719227m_-4688151108210197636HOEnZb"><font color="#888888"><br>
<br>
Amos<br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div></div></div><span>-- <br><div class="m_-4112677506992719227m_-4688151108210197636gmail_signature" data-smartmail="gmail_signature">With best regards, Ivan Larionov.</div>
</span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_-4112677506992719227gmail_signature" data-smartmail="gmail_signature">With best regards, Ivan Larionov.</div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">With best regards, Ivan Larionov.</div>
</div>
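<div>Added example, not part of the original messages and not Squid code: a simplified Python model of the always_direct / never_direct order visible in the peer_select log, run against the three urlpath_regex patterns posted in the thread. It assumes "+i" leaves matching case-sensitive, that Python's re agrees with Squid's regex engine for these patterns, and that the "all" ACL can be stood in for by an empty pattern; the names check, select and route_with are hypothetical.</div>

```python
import re

# urlpath_regex is matched against the URL path only (no scheme, host or port).
DIGEST_PATH = "/squid-internal-periodic/store_digest"

# Patterns exactly as posted in the thread. Assumption: "+i" keeps matching
# case-sensitive, so no re.IGNORECASE. Slashes are literal, not delimiters.
PATTERNS = {
    "amos_test": r"/squid.internal.digest/",
    "ivan_try": r"/.*store_digest.*/",
    "ivan_final": r"^/squid-internal-periodic/store_digest$",
}
ALL = r""  # stand-in for the built-in "all" ACL: matches every request


def check(rules, path):
    """First matching rule wins; with no match, the opposite of the last rule."""
    for action, pattern in rules:
        if re.search(pattern, path):
            return action == "allow"
    return bool(rules) and rules[-1][0] != "allow"


def select(path, always_direct, never_direct):
    """Simplified model of the check order seen in the peer_select log."""
    if check(always_direct, path):
        return "DIRECT_YES"
    if check(never_direct, path):
        return "DIRECT_NO"   # request may only go to a cache_peer
    return "DIRECT_MAYBE"


def route_with(name, path=DIGEST_PATH):
    """The thread's three lines placed before a later 'never_direct allow all'."""
    acl = PATTERNS[name]
    return select(path,
                  always_direct=[("allow", acl)],
                  never_direct=[("deny", acl), ("allow", ALL)])


if __name__ == "__main__":
    for name in PATTERNS:
        print(name, route_with(name))
    print("ordinary request:", route_with("ivan_final", "/index.html"))
```

<div>The first two patterns never match the digest path (there is no "squid-internal-digest" substring and no slash after "store_digest"), so the request falls through to "never_direct allow all" and is sent to the parent; only the anchored pattern makes the digest fetch go direct while other traffic still uses the parent.</div>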