[squid-users] squid sibling peers and digest requests

Amos Jeffries squid3 at treenet.co.nz
Thu Dec 29 09:00:59 UTC 2016 

On 2016-12-29 20:51, Ivan Larionov wrote:
> I'm sure about forwarding because I see requests to
> http://172.22.15.88:3128/squid-internal-periodic/store_digest [1] in
> parent logs and my parent returns 502 because we do not allow requests
> to internal IPs. Logs from the parent:
> 
> Got request: GET
> http://172.22.15.88:3128/squid-internal-periodic/store_digest
> Not allowing blacklisted IP 172.22.15.88
> GET http://172.22.15.88:3128/squid-internal-periodic/store_digest 502
> 0ms
> 
> I do not have "global_internal_static off" in my config and also I'm
> able to get
> http://172.22.15.88:3128/squid-internal-periodic/store_digest [1]
> using curl or telnet (with telnet I do "GET
> /squid-internal-periodic/store_digest" – note relative URL).

Okay, thats good.

> 
> However according to debug logs squid does this request using absolute
> URL which probably works if target sibling can do direct requests (so
> it will request itself for digest and return response to original
> squid). But I do have "never_direct allow all" which probably makes
> sibling to forward such request to a parent.

Hmm, I think you might be right about that.
You can test it by adding:

  acl foo urlpath_regex +i /squid.internal.digest/
  never_direct deny foo


> 
> If my theory about absolute vs relative URL is correct then I believe
> original squid should make store_digest request using relative URL
> (like I can do with telnet) so sibling squid will return response
> right away w/o asking itself for result.

Whats happening with the URL is that the sending peer generates it from 
the cache_peer IP/host name and port.

The receiving peer checks the pathstarts with "/squid-internal-" and 
that the hostname portion matches its own visible_hostname or 
unique_hostname. If those match its marked for special handling as an 
internal request, otherwise global_internal_static is used to determine 
if the hostname not matching is ignored and it gets marked anyway.

Since the digest needs to be targeted at the specific peer and not 
anything which may inject itself in between them the hostname does need 
to be sent. The relative URLs are for things that don't vary between 
proxies, like the Squid icons.

If you configure cache_peer with the hostname of the receiving peer 
instead of its raw-IP the requests should be sent with that hostname 
instead of raw-IP.



The config looks okay. Thanks for that.

Amos

More information about the squid-users mailing list