[squid-users] Cache peer help
Alejandro Delgado Moreno
alex.delgado at crg.eu
Thu Jun 8 07:51:03 UTC 2017
Hi Amos,
Here is the squid.conf file:
acl localnet src 172.16.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl journals dstdomain "/etc/squid/UPF_LIST.txt"
cache_peer proxy-inst.upf.edu parent 9090 0 no-query no-digest default
cache_peer_access proxy-inst.upf.edu allow journals
always_direct allow journals
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 8881
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
And this is an extract of the log:
[Thu Jun 8 09:47:15 2017].269 57 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun 8 09:47:16 2017].128 57 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun 8 09:47:16 2017].331 56 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun 8 09:47:20 2017].258 111 172.18.2.45 TCP_MISS/200 967 POST http://ocsp.usertrust.com/ - HIER_DIRECT/178.255.83.1 application/ocsp-response
[Thu Jun 8 09:47:21 2017].250 56 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun 8 09:47:21 2017].459 47 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Thu Jun 8 09:47:23 2017].744 185 172.18.2.45 TCP_MISS/302 615 GET http://wos.fecyt.es/ - HIER_DIRECT/185.79.129.106 text/html
[Thu Jun 8 09:47:24 2017].005 104 172.18.2.45 TCP_MISS/200 2067 POST http://ss.symcd.com/ - HIER_DIRECT/23.37.171.27 application/ocsp-response
[Thu Jun 8 09:47:25 2017].902 5105 172.18.2.45 TCP_TUNNEL/200 5792 CONNECT www.recursoscientificos.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun 8 09:47:27 2017].980 65 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Thu Jun 8 09:47:28 2017].394 211 172.18.2.45 TCP_MISS/200 488 GET http://detectportal.firefox.com/success.txt - HIER_DIRECT/88.221.254.202 text/plain
[Thu Jun 8 09:47:28 2017].786 46 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Thu Jun 8 09:47:28 2017].809 8785 172.18.2.45 TCP_TUNNEL/200 54093 CONNECT www.recursoscientificos.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun 8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun 8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun 8 09:47:30 2017].120 5106 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun 8 09:47:30 2017].144 5130 172.18.2.45 TCP_TUNNEL/200 332 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun 8 09:47:30 2017].147 5133 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun 8 09:47:30 2017].374 6567 172.18.2.45 TCP_TUNNEL/200 108115 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
As you can see, it is always going direct, but when going to idp.fecyt.es it should be going through the peer, as the file UPF_LIST.txt has:
https://idp.fecyt.es
https://idp.fecyt.es/
https://idp.fecyt.es/*
among other lines.
Regards,
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Tuesday, 6 June 2017 18:18
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Cache peer help
On 07/06/17 02:24, Alejandro Delgado Moreno wrote:
> Sorry for this mistake,
>
> It's:
>
> acl journals dstdomain "/etc/squid/xx_LIST.txt"
>
> cache_peer xxx.xxx.xxx.xxx parent 9090 0 no-query no-digest default
>
> cache_peer_access xxx.xxx.xxx.xxx allow journals
>
> and it's the same, in both lines.
Okay, then the issue is something else. Those lines in isolation are correct for allowing traffic to use that peer, but there are many other things that may make other routes either required or preferred.
So what is the rest of your squid.conf and can you provide a sample of the access.log for the traffic going wrong?
Amos
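Added example, not part of the original messages: a Python check that tallies the hierarchy code per destination host for access.log lines in the format shown above, and flags list entries that are not bare domain names, which is the form a dstdomain ACL compares against the request host. The function names and the FIRSTUP_PARENT sample line are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Two lines copied from the log above plus one constructed line routed via the peer.
SAMPLE_LOG = """\
[Thu Jun 8 09:47:23 2017].744 185 172.18.2.45 TCP_MISS/302 615 GET http://wos.fecyt.es/ - HIER_DIRECT/185.79.129.106 text/html
[Thu Jun 8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun 8 09:47:31 2017].100 5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - FIRSTUP_PARENT/proxy-inst.upf.edu -
"""
# List entries quoted in the message above.
SAMPLE_ENTRIES = ["https://idp.fecyt.es", "https://idp.fecyt.es/", "https://idp.fecyt.es/*"]

# time, elapsed, client, result/status, bytes, method, URL, user, hierarchy/peer
LINE = re.compile(r"^\[[^\]]+\]\.\d+\s+\d+\s+\S+\s+\S+\s+\d+"
                  r"\s+(\S+)\s+(\S+)\s+\S+\s+([A-Z_]+)/\S+")

def request_host(method, url):
    """Host part of the request: CONNECT logs host:port, other methods a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def routes_by_host(log_text):
    """Map each destination host to a Counter of hierarchy codes."""
    routes = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            method, url, hier = m.groups()
            routes[request_host(method, url)][hier] += 1
    return routes

def invalid_dstdomain_entries(entries):
    """Entries carrying a scheme, path or wildcard instead of a bare domain."""
    ok = re.compile(r"^\.?[a-z0-9-]+(\.[a-z0-9-]+)*$", re.I)
    return [e for e in entries if not ok.match(e.strip())]

def dstdomain_match(host, entry):
    """'.example.com' matches the domain and its subdomains, 'example.com' only itself."""
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def direct_but_listed(log_text, entries):
    """Hosts matched by the list that were still fetched with HIER_DIRECT."""
    return sorted(h for h, c in routes_by_host(log_text).items()
                  if c["HIER_DIRECT"] and any(dstdomain_match(h, e) for e in entries))
```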