[squid-users] Cache peer help
Amos Jeffries
squid3 at treenet.co.nz
Thu Jun 8 10:55:00 UTC 2017
On 08/06/17 19:51, Alejandro Delgado Moreno wrote:
> Hi Amos,
>
> Here is the squid.conf file:
>
> acl localnet src 172.16.0.0/16
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
>
> acl journals dstdomain "/etc/squid/UPF_LIST.txt"
>
> cache_peer proxy-inst.upf.edu parent 9090 0 no-query no-digest default
>
> cache_peer_access proxy-inst.upf.edu allow journals
> always_direct allow journals
There you go. Problem #1: "always_direct allow" prohibits any
cache_peer being used by that request (by requiring that DIRECT be used,
mandatory). Remove that and some of the journal traffic will start going
to the peer.
> And this is an extract of the log:
>
> [Thu Jun 8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].120 5106 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].144 5130 172.18.2.45 TCP_TUNNEL/200 332 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].147 5133 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].374 6567 172.18.2.45 TCP_TUNNEL/200 108115 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
CONNECT and a few other things are normally sent DIRECT because that is
way faster than doing another hop.
To make those prefer going through the peer add this line:
nonhierarchical_direct off
And if that is not enough, you can add "never_direct allow journals" to
forbid DIRECT being used. They will then fail completely if the peer is
not used for any reason.
> As you can see, always is going direct, but when going to idp.fecyt.es should be going through the peer, as the file UPF_LIST.txt has:
>
> https://idp.fecyt.es
> https://idp.fecyt.es/
> https://idp.fecyt.es/*
Your squid.conf said these were being loaded into a dstdomain ACL. But
the above lines are URLs, not domain names.
dstdomain syntax is a domain name with maybe a wildcard to match all
sub-domains. See
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains>
HTH
Amos
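As an added illustration (not part of this thread, and not Squid's own code), a small Python checker that turns URL-style list entries like the ones above into dstdomain syntax, applies dstdomain's leading-dot matching rule, and scans native-format access.log lines for journal hosts that still show HIER_DIRECT. The list entries and log lines are constructed samples; the FIRSTUP_PARENT line is assumed as what a request that did reach the parent looks like.

```python
from urllib.parse import urlsplit
# Constructed list-file entries: the three URL-style lines from the thread plus
# one already in dstdomain syntax (leading dot = the domain and all its sub-domains).
SAMPLE_LIST = """https://idp.fecyt.es
https://idp.fecyt.es/
https://idp.fecyt.es/*
.journal-example.test
"""

# Constructed access.log lines (Squid native format); the second shows a request
# that did reach the parent (hierarchy code FIRSTUP_PARENT) for comparison.
SAMPLE_LOG = """[Thu Jun  8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Thu Jun  8 09:47:31 2017].120 5106 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - FIRSTUP_PARENT/proxy-inst.upf.edu -
"""

def to_dstdomain(entry):
    """URL -> '.host' (leading dot so sub-domains match); blanks/comments -> None."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    if "://" in entry:
        host = urlsplit(entry).hostname
        return "." + host if host else None
    return entry  # already dstdomain syntax, keep as written

def dstdomain_matches(pattern, host):
    """'.a.b' matches a.b and every sub-domain; 'a.b' matches only exactly a.b."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse_log_line(line):
    """(method, host, hierarchy code); fields are read from the right because the
    bracketed timestamp contains spaces."""
    parts = line.split()
    if len(parts) < 5:
        return None
    method, url, hier = parts[-5], parts[-4], parts[-2]
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or url)
    return method, host, hier.split("/", 1)[0]

def direct_journal_requests(log_text, patterns):
    """Requests that match a journal pattern yet went HIER_DIRECT, bypassing the peer."""
    return [(m, h) for m, h, code in filter(None, map(parse_log_line, log_text.splitlines()))
            if code == "HIER_DIRECT" and any(dstdomain_matches(p, h) for p in patterns)]

if __name__ == "__main__":
    patterns = [d for d in map(to_dstdomain, SAMPLE_LIST.splitlines()) if d]
    print(patterns, direct_journal_requests(SAMPLE_LOG, patterns))
```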