[squid-users] Cache peer help
Alejandro Delgado Moreno
alex.delgado at crg.eu
Tue Jun 13 11:30:10 UTC 2017
Hi Amos,
I've applied your suggestions, but still every request is sent directly, bypassing the peer proxy for sites specified on file UPF_List.txt:
[Tue Jun 13 13:25:58 2017].905 111 172.18.2.45 TCP_MISS/200 968 POST http://ocsp.usertrust.com/ - HIER_DIRECT/178.255.83.1 application/ocsp-response
[Tue Jun 13 13:26:00 2017].173 56 172.18.2.45 TCP_MISS/200 874 POST http://clients1.google.com/ocsp - HIER_DIRECT/216.58.208.238 application/ocsp-response
[Tue Jun 13 13:26:00 2017].283 47 172.18.2.45 TCP_MISS/200 924 POST http://ocsp.digicert.com/ - HIER_DIRECT/93.184.220.29 application/ocsp-response
[Tue Jun 13 13:26:00 2017].618 211 172.18.2.45 TCP_TUNNEL/200 5147 CONNECT www.facebook.com:443 - HIER_DIRECT/31.13.90.36 -
[Tue Jun 13 13:26:01 2017].691 65863 172.18.2.43 TCP_TUNNEL/200 4946 CONNECT d.dropbox.com:443 - HIER_DIRECT/162.125.32.5 -
[Tue Jun 13 13:26:03 2017].821 68 172.18.2.45 TCP_MISS/302 615 GET http://wos.fecyt.es/ - HIER_DIRECT/185.79.129.106 text/html
[Tue Jun 13 13:26:04 2017].014 29 172.18.2.45 TCP_MISS/200 2068 POST http://ss.symcd.com/ - HIER_DIRECT/23.37.171.27 application/ocsp-response
[Tue Jun 13 13:26:05 2017].151 5079 172.18.2.45 TCP_TUNNEL/200 404 CONNECT www.recursoscientificos.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Tue Jun 13 13:26:05 2017].239 5163 172.18.2.45 TCP_TUNNEL/200 404 CONNECT www.recursoscientificos.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Tue Jun 13 13:26:08 2017].878 10313 172.18.2.45 TCP_TUNNEL/200 54835 CONNECT www.recursoscientificos.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Tue Jun 13 13:26:10 2017].281 5202 172.18.2.45 TCP_TUNNEL/200 526 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Tue Jun 13 13:26:10 2017].365 5107 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Tue Jun 13 13:26:10 2017].372 10219 172.18.2.45 TCP_TUNNEL/200 38460 CONNECT platform.twitter.com:443 - HIER_DIRECT/199.96.57.6 -
[Tue Jun 13 13:26:10 2017].391 5135 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Tue Jun 13 13:26:10 2017].454 6580 172.18.2.45 TCP_TUNNEL/200 106738 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
This is the squid.conf file settings:
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 172.17.0.0/16
acl localnet src 172.18.0.0/16
acl localnet src 172.16.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl journals dstdomain "/etc/squid/UPF_LIST.txt"
cache_peer proxy-inst.upf.edu parent 9090 0 no-query no-digest default
cache_peer_access proxy-inst.upf.edu allow journals
#originserver name=proxyupf
# dstdomain "/etc/squid/UPF_LIST.txt"
#cache_peer_access server_upf allow upf
#cache_peer_access proxyupf allow upf
#cache_peer_access proxyupf deny all
nonhierarchical_direct off
#never_direct deny upf
never_direct allow journals
#never_direct allow upf
#never_direct deny !upf
#never_direct allow all
#cache_peer_access allow upf
#cache_peer_access deny all
#never_direct allow !upf
#never_direct deny all
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow journals
#cache_peer_access proxyupf allow upf
#cache_peer_access proxyupf deny all
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
#http_port 3128
http_port 8881
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Any other suggestions? Do you need the contents of UPF_LIST.txt?
Regards,
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Thursday, 8 June 2017 12:55
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Cache peer help
On 08/06/17 19:51, Alejandro Delgado Moreno wrote:
> Hi Amos,
>
> Here is the squid.conf file:
>
> acl localnet src 172.16.0.0/16
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
>
> acl journals dstdomain "/etc/squid/UPF_LIST.txt"
>
> cache_peer proxy-inst.upf.edu parent 9090 0 no-query no-digest default
>
> cache_peer_access proxy-inst.upf.edu allow journals
> always_direct allow journals
There you go. Problem #1: "always_direct allow" prohibits any cache_peer being used by that request (by requiring that DIRECT be used, mandatory). Remove that and some of the journal traffic will start going to the peer.
> And this is an extract of the log:
>
> [Thu Jun 8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].094 5079 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].120 5106 172.18.2.45 TCP_TUNNEL/200 331 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].144 5130 172.18.2.45 TCP_TUNNEL/200 332 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].147 5133 172.18.2.45 TCP_TUNNEL/200 333 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
> [Thu Jun 8 09:47:30 2017].374 6567 172.18.2.45 TCP_TUNNEL/200 108115 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
CONNECT and a few other things are normally sent DIRECT because that is way faster than doing another hop.
To make those prefer going through the peer add this line:
nonhierarchical_direct off
And if that is not enough, you can add "never_direct allow journals" to forbid DIRECT being used. They will then fail completely if the peer is not used for any reason.
> As you can see, it always goes direct, but when going to idp.fecyt.es it should be going through the peer, as the file UPF_LIST.txt has:
>
> https://idp.fecyt.es
> https://idp.fecyt.es/
> https://idp.fecyt.es/*
Your squid.conf said these were being loaded into a dstdomain ACL. But the above lines are URLs, not domain names.
dstdomain syntax is a domain name, optionally with a leading dot to match all sub-domains. See <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains>
HTH
Amos
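A small diagnostic for the two issues raised in this thread, added here as an example (it is not code from the thread or from the Squid project): it flags entries in a dstdomain list file that are URLs rather than domain names (Squid's dstdomain never matches those), normalises them to the host they name, and then matches access.log lines against the list to report which requests to listed hosts were still routed HIER_DIRECT instead of through the cache_peer. It assumes the bracketed-timestamp access.log layout shown in the thread and a list file like UPF_LIST.txt; the list contents and log lines embedded below are constructed, including a FIRSTUP_PARENT line standing in for a request that did reach the peer.

```python
"""Check a Squid dstdomain list and audit access.log for peer bypasses.

Added example, not from the squid-users thread or the Squid project.
Sample list and log content below are constructed to mirror the thread.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for /etc/squid/UPF_LIST.txt: three URL-form lines
# (the mistake discussed in the thread) plus two valid dstdomain entries.
UPF_LIST_SAMPLE = """\
https://idp.fecyt.es
https://idp.fecyt.es/
https://idp.fecyt.es/*
.recursoscientificos.fecyt.es
wos.fecyt.es
"""

# Constructed access.log lines in the same layout as the thread. The last
# line is invented to show what a request routed via the parent looks like.
ACCESS_LOG_SAMPLE = """\
[Tue Jun 13 13:26:03 2017].821 68 172.18.2.45 TCP_MISS/302 615 GET http://wos.fecyt.es/ - HIER_DIRECT/185.79.129.106 text/html
[Tue Jun 13 13:26:10 2017].281 5202 172.18.2.45 TCP_TUNNEL/200 526 CONNECT idp.fecyt.es:443 - HIER_DIRECT/185.79.129.106 -
[Tue Jun 13 13:26:10 2017].372 10219 172.18.2.45 TCP_TUNNEL/200 38460 CONNECT platform.twitter.com:443 - HIER_DIRECT/199.96.57.6 -
[Tue Jun 13 13:26:12 2017].100 420 172.18.2.45 TCP_TUNNEL/200 9000 CONNECT www.recursoscientificos.fecyt.es:443 - FIRSTUP_PARENT/proxy-inst.upf.edu -
"""

# Fields after the bracketed timestamp: .ms elapsed client code/status bytes
# method url ident hierarchy/peer content-type
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\.\d+\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def normalize_dstdomain_entry(entry):
    """Return (pattern, was_url). A valid dstdomain entry is a bare host
    ('idp.fecyt.es') or a leading-dot suffix ('.fecyt.es'). A URL is
    reduced to its host so the audit can still match, and flagged."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None, False
    if "://" in entry:
        return (urlsplit(entry).hostname or "").lower(), True
    return entry.lower(), False


def load_dstdomain_list(text):
    """Parse list text into (patterns, problems); problems are the
    (line number, raw line, host) triples Squid would silently never match."""
    patterns, problems = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        pattern, was_url = normalize_dstdomain_entry(raw)
        if pattern is None:
            continue
        if was_url:
            problems.append((lineno, raw.strip(), pattern))
        patterns.add(pattern)
    return patterns, problems


def dstdomain_match(host, patterns):
    """Squid dstdomain semantics: '.x.y' matches x.y and sub-domains,
    'x.y' matches only x.y itself."""
    host = host.lower()
    for p in patterns:
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def host_of(url):
    """Host from the log URL field: a full URL for GET/POST, host:port for
    CONNECT (IPv6 literals in CONNECT are not handled here)."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def parse_access_log(text):
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def audit(list_text, log_text):
    """Report URL-form list entries and, for listed hosts, which requests
    went HIER_DIRECT (bypassed) versus through a peer (via_peer)."""
    patterns, problems = load_dstdomain_list(list_text)
    bypassed, via_peer = [], []
    for rec in parse_access_log(log_text):
        host = host_of(rec["url"])
        if not dstdomain_match(host, patterns):
            continue
        (bypassed if rec["hier"].startswith("HIER_DIRECT/") else via_peer).append(host)
    return {"problems": problems, "bypassed": bypassed, "via_peer": via_peer}


if __name__ == "__main__":
    report = audit(UPF_LIST_SAMPLE, ACCESS_LOG_SAMPLE)
    for lineno, raw, host in report["problems"]:
        print(f"list line {lineno}: '{raw}' is a URL; use '{host}' (or '.{host}')")
    print("bypassed peer:", report["bypassed"])
    print("via peer:    ", report["via_peer"])
```

Run it against the real files by replacing the two constructed samples with the contents of the list file and a slice of access.log; once the list holds plain domain names and never_direct applies to the ACL, listed hosts should stop appearing under "bypassed peer".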
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users