[squid-users] Squid proxy not working when upgrade from 27 to 3.5
Amos Jeffries
squid3 at treenet.co.nz
Fri Oct 26 09:25:57 UTC 2018
On 26/10/18 8:26 PM, Angus J. wrote:
> What's wrong with my squid.conf from 27 to 3.5?
> The port 3128 issue has been fixed
>
Yes that one is fixed. Now it is complaining about what you changed in
cache_peer lines.
>
> oul163:/etc/squid # squid -k parse
> ...
> 2018/10/26 10:14:14| Processing: cache_peer 192.168.31.134 parent 8005 0 ssl
> sslflags=DONT_VERIFY_PEER proxy-only name=uathrms
> ssloptions=NO_SSLv3:NO_SSLv2
> 2018/10/26 10:14:14| Processing: cache_peer_domain uathrms
> uathrms.ouhk.edu.hk
> 2018/10/26 10:14:14| Processing: cache_peer_access prdhrms allow hrmsacl
> 2018/10/26 10:14:14| /etc/squid/squid.conf, line 154: No cache_peer
> 'prdhrms'
> 2018/10/26 10:14:14| Processing: cache_peer_access uathrms allow hrmsacl
> 2018/10/26 10:14:14| Processing: cache_peer_access sithrms allow hrmsacl
> 2018/10/26 10:14:14| /etc/squid/squid.conf, line 156: No cache_peer
> 'sithrms'
> 2018/10/26 10:14:14| Processing: cache_peer_access devhrms allow hrmsacl
> 2018/10/26 10:14:14| /etc/squid/squid.conf, line 157: No cache_peer
> 'devhrms'
From the config:
>
> # the proxy-only indicates that caching will not be performed.
> #cache_peer 192.168.31.113 parent 8001 0 proxy-only name=prdhrms
> #cache_peer_domain prdhrms prdhrms.ouhk.edu.hk
> cache_peer 192.168.31.134 parent 8005 0 ssl sslflags=DONT_VERIFY_PEER
> proxy-only name=uathrms ssloptions=NO_SSLv3:NO_SSLv2
> #cache_peer 192.168.31.134 parent 8005 0 ssl sslflags=DONT_VERIFY_DOMAIN
> proxy-only name=uathrms ssloptions=NO_SSLv3:NO_SSLv2
> cache_peer_domain uathrms uathrms.ouhk.edu.hk
> #cache_peer 192.168.31.134 parent 8004 0 ssl sslflags=DONT_VERIFY_PEER
> proxy-only name=sithrms ssloptions=NO_SSLv3:NO_SSLv2
> #cache_peer_domain sithrms sithrms.ouhk.edu.hk
> #cache_peer 192.168.31.134 parent 8000 0 ssl sslflags=DONT_VERIFY_PEER
> proxy-only name=devhrms ssloptions=NO_SSLv3:NO_SSLv2
> #cache_peer 192.168.31.134 parent 8000 0 proxy-only originserver
> name=devhrms ssll sslcafile=/certs/star_ouhk_edu_hk.crt
> #cache_peer_domain devhrms devhrms.ouhk.edu.hk
>
You commented out the cache_peer lines defining those peer connections
and Squid does not know what peer the cache_peer_access definitions
are mentioning.
The only thing that needed removing/replacing was the
"cache_peer_domain" lines.
From the config:
> # Create an additional ACL for local network access
> acl localip src 192.168.0.0/24
>
> # access control list
> acl hrmsacl dstdomain .ouhk.edu.hk
> http_access allow hrmsacl
> #acl hrmsacl2 dstdomain devhrms.ouhk.edu.hk
> #cache_peer_access devhrms allow hrmsacl2
> cache_peer_access prdhrms allow hrmsacl
> cache_peer_access uathrms allow hrmsacl
> cache_peer_access sithrms allow hrmsacl
> cache_peer_access devhrms allow hrmsacl
> #cache_peer_access secure allow SSL_ports
>
FYI: These rules are far more lenient than what you had before with
cache_peer_domain.
The previous config let *only* certain domains to each individual peer.
These rules now allow *any* sub-domain to any peer.
I suggest keeping to the minimal change until you are happy with the new
proxy behaviour. The exact equivalent of these lines:

  cache_peer 192.168.31.113 parent 8001 0 proxy-only name=prdhrms
  cache_peer_domain prdhrms prdhrms.hkbb.edu.hk
  cache_peer 192.168.31.134 parent 8005 ... name=uathrms
  cache_peer_domain uathrms uathrms.hkbb.edu.hk
  cache_peer 192.168.31.134 parent 8004 ... name=sithrms
  cache_peer_domain sithrms sithrms.hkbb.edu.hk
  cache_peer 192.168.31.134 parent 8000 ... name=devhrms
  cache_peer_domain devhrms devhrms.hkbb.edu.hk

Are these lines:

  cache_peer 192.168.31.113 parent 8001 0 proxy-only name=prdhrms
  acl prdhrms-domain dstdomain prdhrms.hkbb.edu.hk
  cache_peer_access prdhrms allow prdhrms-domain
  cache_peer 192.168.31.134 parent 8005 ... name=uathrms
  acl uathrms-domain dstdomain uathrms.hkbb.edu.hk
  cache_peer_access uathrms allow uathrms-domain
  cache_peer 192.168.31.134 parent 8004 ... name=sithrms
  acl sithrms-domain dstdomain sithrms.hkbb.edu.hk
  cache_peer_access sithrms allow sithrms-domain
  cache_peer 192.168.31.134 parent 8000 ... name=devhrms
  acl devhrms-domain dstdomain devhrms.hkbb.edu.hk
  cache_peer_access devhrms allow devhrms-domain

Note that use of the exact sub-domain names remains in place rather than
opening everything to the wildcards midway during a proxy upgrade.
Amos
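
Added example, not part of the original message and not Squid's own code: a Python pre-check that applies the per-peer rewrite described above (cache_peer_domain to acl dstdomain plus cache_peer_access) and reports rules naming a peer with no active cache_peer line, the condition behind the "No cache_peer" errors. The function name, the "-domain" ACL suffix handling and the sample config (documentation addresses and example.org names) are constructed for illustration; it assumes one directive per line.

```python
def migrate_peer_rules(conf_text):
    """Return (new_lines, problems) for squid.conf text, one directive per line."""
    lines = conf_text.splitlines()

    # Pass 1: names of active (uncommented) cache_peer definitions.
    # Without a name= option the peer is referred to by its hostname.
    peers = set()
    for line in lines:
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 2 and tok[0] == "cache_peer":
            peers.add(next((t[5:] for t in tok[2:] if t.startswith("name=")), tok[1]))

    # Pass 2: check peer references and rewrite cache_peer_domain lines.
    out, problems = [], []
    for num, line in enumerate(lines, 1):
        tok = line.split("#", 1)[0].split()
        directive = tok[0] if tok else ""
        if directive in ("cache_peer_domain", "cache_peer_access") and len(tok) >= 2:
            if tok[1] not in peers:
                problems.append(f"line {num}: No cache_peer '{tok[1]}'")
        if directive == "cache_peer_domain" and len(tok) >= 3:
            if any(d.startswith("!") for d in tok[2:]):
                # Negated entries do not map onto a single allow rule.
                problems.append(f"line {num}: negated domain, convert by hand")
                out.append(line)
                continue
            acl = f"{tok[1]}-domain"
            # Keep the exact domain list so the peer's scope is not widened.
            out.append(f"acl {acl} dstdomain {' '.join(tok[2:])}")
            out.append(f"cache_peer_access {tok[1]} allow {acl}")
        else:
            out.append(line)
    return out, problems


# Constructed sample: one live peer, one commented-out peer still referenced.
SAMPLE = """\
cache_peer 192.0.2.10 parent 8001 0 proxy-only name=prdapp
cache_peer_domain prdapp prdapp.example.org
#cache_peer 192.0.2.20 parent 8005 0 proxy-only name=uatapp
cache_peer_access uatapp allow appacl
"""

if __name__ == "__main__":
    new_lines, problems = migrate_peer_rules(SAMPLE)
    print("\n".join(new_lines))
    print("\n".join(problems))
```

Run it against a copy of squid.conf before "squid -k parse"; an empty problem list means every cache_peer_access rule still points at a defined peer.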