[squid-users] Cache peer help

Alejandro Delgado Moreno alex.delgado at crg.eu
Thu Jun 8 07:51:03 UTC 2017


Hi Amos,

Here is the squid.conf file:

acl localnet src 172.16.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


acl journals dstdomain "/etc/squid/UPF_LIST.txt"

cache_peer proxy-inst.upf.edu parent 9090 0 no-query no-digest default

cache_peer_access proxy-inst.upf.edu allow journals
always_direct allow journals


# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8881

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


And this is an extract of the log:

[Thu Jun  8 09:47:15 2017].269     57 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun  8 09:47:16 2017].128     57 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun  8 09:47:16 2017].331     56 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun  8 09:47:20 2017].258    111 172.18.2.45 TCP_MISS/200 967 POST http://ocsp.usertrust.com/ - HIER_DIRECT/178.255.83.1 application/ocsp-response
[Thu Jun  8 09:47:21 2017].250     56 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.204.142 application/ocsp-response
[Thu Jun  8 09:47:21 2017].459     47 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Thu Jun  8 09:47:23 2017].744    185 172.18.2.45 TCP_MISS/302 615 GET http://wos.fecyt.es/ - HIER_DIRECT/185.79.129.106 text/html
[Thu Jun  8 09:47:24 2017].005    104 172.18.2.45 TCP_MISS/200 2067 POST http://ss.symcd.com/ - HIER_DIRECT/23.37.171.27 application/ocsp-response
[Thu Jun  8 09:47:25 2017].902   5105 172.18.2.45 TCP_TUNNEL/200 5792 CONNECT www.recursoscientificos.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:27 2017].980     65 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Thu Jun  8 09:47:28 2017].394    211 172.18.2.45 TCP_MISS/200 488 GET http://detectportal.firefox.com/success.txt - HIER_DIRECT/88.221.254.202 text/plain
[Thu Jun  8 09:47:28 2017].786     46 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Thu Jun  8 09:47:28 2017].809   8785 172.18.2.45 TCP_TUNNEL/200 54093 CONNECT www.recursoscientificos.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].094   5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].094   5079 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].120   5106 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].144   5130 172.18.2.45 TCP_TUNNEL/200 332 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].147   5133 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:30 2017].374   6567 172.18.2.45 TCP_TUNNEL/200 108115 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -

As you can see, it is always going direct, but when going to idp.fecyt.es it should be going through the peer, as the file UPF_LIST.txt has:

https://idp.fecyt.es
https://idp.fecyt.es/
https://idp.fecyt.es/*
 
among other lines.

Regards,

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Tuesday, 6 June 2017 18:18
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Cache peer help

On 07/06/17 02:24, Alejandro Delgado Moreno wrote:
> Sorry for this mistake,
>
> It's:
>
> acl journals dstdomain "/etc/squid/xx_LIST.txt"
>
>   cache_peer xxx.xxx.xxx.xxx parent 9090 0 no-query no-digest default
>
>   cache_peer_access xxx.xxx.xxx.xxx allow journals
>
> and it's the same, in both lines.

Okay, then the issue is something else. Those lines in isolation are correct for allowing traffic to use that peer, but there are many other things that may make other routes either required or preferred.

So what is the rest of your squid.conf and can you provide a sample of the access.log for the traffic going wrong?

Amos
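
Added example (not part of the original thread and not Squid's own code): a Python check of how dstdomain matching treats list entries like those quoted from UPF_LIST.txt, run over two access.log lines from the post. It assumes dstdomain's documented behaviour of comparing only the request's host name (exact match, or suffix match when the entry starts with a dot); the ".fecyt.es" entry and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Entries in the style quoted from UPF_LIST.txt, plus one constructed
# bare-domain entry (".fecyt.es", hypothetical) for contrast.
LIST_ENTRIES = ["https://idp.fecyt.es", "https://idp.fecyt.es/",
                "https://idp.fecyt.es/*", ".fecyt.es"]

# Two access.log lines copied from the post above.
LOG_LINES = [
    "[Thu Jun  8 09:47:23 2017].744    185 172.18.2.45 TCP_MISS/302 615 GET "
    "http://wos.fecyt.es/ - HIER_DIRECT/185.79.129.106 text/html",
    "[Thu Jun  8 09:47:30 2017].374   6567 172.18.2.45 TCP_TUNNEL/200 108115 "
    "CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -",
]

DOMAIN_RE = re.compile(r"^\.?([a-z0-9-]+\.)*[a-z0-9-]+$", re.I)

def lint_entries(entries):
    """Split entries into usable dstdomain values and URL/glob-style ones."""
    good = [e for e in entries if DOMAIN_RE.match(e)]
    bad = [e for e in entries if not DOMAIN_RE.match(e)]
    return good, bad

def dstdomain_match(host, entries):
    """Exact host match, or suffix match for entries with a leading dot."""
    host = host.lower()
    return any(host == e.lower().lstrip(".")
               or (e.startswith(".") and host.endswith(e.lower()))
               for e in entries)

def request_host(method, target):
    """Host name Squid sees: CONNECT host:port authority, or the URL's host."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""

def direct_hits(lines, entries):
    """Return (host, hierarchy) for listed hosts that were fetched directly."""
    hits = []
    for line in lines:
        # After the timestamp: .msec elapsed client code bytes method target user hier type
        fields = line.split("]", 1)[1].split()
        method, target, hier = fields[5], fields[6], fields[8]
        host = request_host(method, target)
        if dstdomain_match(host, entries) and hier.startswith("HIER_DIRECT"):
            hits.append((host, hier))
    return hits
```

Separately from the list format, a request that does match the ACL in the posted squid.conf would also hit "always_direct allow journals", which tells Squid to bypass peers; never_direct is the directive that requires a peer.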
