[squid-users] Squid does not send request to parent proxy

Troiano Alessio alessio.troiano at leonardocompany.com
Thu Jan 17 15:28:28 UTC 2019


Hello all,
I'm not able to configure Squid to use a parent proxy only for some domains. All the rest should be fetched directly. I tried this configuration:
cache_peer 172.31.3.70 parent 8080 0 no-query default name=HUBATLDB
acl domainAT dstdomain voeazul.com.br
cache_peer_access HUBATLDB allow domainAT
never_direct allow domainAT

But the site www.voeazul.com.br is fetched directly. This is the access log:
%SQUID-4: 172.31.0.82 59719 [17/Jan/2019:22:55:36 +0800] "CONNECT www.voeazul.com.br:443 HTTP/1.1" www.voeazul.com.br - - "-" 200 - 816 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" TCP_TUNNEL:HIER_DIRECT 23.77.9.57 443 53176

Can you help me?

The full conf follows:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SOC_NET src 172.31.0.0/24   # SOC Network
acl SMD src 10.30.0.47/32       # SMD Proxy
acl Proxy_HK src 172.31.2.64/27 # Proxy Hong Kong Network
ignore_expect_100 on
acl nocachesite dstdomain /etc/squid/nocachesite.acl

acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 2096         # INC000000012740
acl SSL_ports port 9091
acl SSL_ports port 9444         # INC000000013855
acl SSL_ports port 6082
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

forwarded_for delete
tcp_outgoing_address 172.31.2.71 SMD

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager SOC_NET
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user

cache_peer 172.31.3.70 parent 8080 0 no-query default name=HUBATLDB
acl domainAT dstdomain voeazul.com.br
cache_peer_access HUBATLDB allow domainAT
never_direct allow domainAT

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

acl PURGE method PURGE
http_access allow PURGE localhost
http_access deny PURGE

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 0.0.0.0:8080

# We recommend you to use at least the following line.
# migrated automatically by squid-migrate-conf, the original configuration was: hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_effective_user squid
cache_effective_group squid
cache_dir diskd /home/squid 400000 64 512
cache_mem 4 GB
maximum_object_size_in_memory 2 MB
minimum_object_size 0 KB
maximum_object_size 100 MB
cache_swap_low 96
cache_swap_high 97
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
cache deny nocachesite
cache allow all
max_filedesc 8192

# Leave coredumps in the first cache dir
coredump_dir /home/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_mgr xxx at xxx.com

### BEGIN LOG FOR SIEM ###

#logformat siem  %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %<a %>p
#access_log /var/log/squid/access.log siem
logformat custom_squid %%SQUID-4: %>a %>p [%tl] "%rm %ru HTTP/%rv" %<A %ui %un "%rp" %Hs %mt %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %<a %<p %<lp
access_log /var/log/squid/rsa/access.log custom_squid

### END LOG FOR SIEM ###
dns_v4_first on
log_icp_queries off
via off

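Added example, not part of the original post and not Squid's own code: a Python check that parses an access.log line in the custom_squid format above and tests the destination host against dstdomain values, using Squid's documented rule that a value without a leading dot matches only that exact host name. The function names are hypothetical; the log line is the one quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Access-log line copied from the post (custom_squid logformat).
LOG_LINE = (
    '%SQUID-4: 172.31.0.82 59719 [17/Jan/2019:22:55:36 +0800] '
    '"CONNECT www.voeazul.com.br:443 HTTP/1.1" www.voeazul.com.br - - "-" '
    '200 - 816 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) '
    'Gecko/20100101 Firefox/64.0" TCP_TUNNEL:HIER_DIRECT 23.77.9.57 443 53176'
)

LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '  # "%rm %ru HTTP/%rv"
    r'.*" (?P<status>[A-Z_]+):(?P<hier>[A-Z_]+) '       # %Ss:%Sh
    r'(?P<next_hop>\S+) \S+ \S+$'                       # %<a %<p %<lp
)


def parse_line(line):
    """Extract destination host, hierarchy code and next hop from one line."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("line does not match the custom_squid format")
    url = m.group("url")
    # CONNECT carries host:port; other methods carry an absolute URL.
    target = "//" + url if m.group("method") == "CONNECT" else url
    return {"host": urlsplit(target).hostname,
            "hier": m.group("hier"),
            "next_hop": m.group("next_hop")}


def dstdomain_match(value, host):
    """'.example.com' matches the domain and all of its sub-domains;
    'example.com' (no leading dot) matches that exact host name only."""
    value, host = value.lower(), host.lower().rstrip(".")
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value


def routing_check(line, acl_values):
    """Report whether a dstdomain ACL with these values matches the request.
    If it does not, rules written as 'allow <acl>' do not apply to it."""
    rec = parse_line(line)
    rec["acl_matched"] = any(dstdomain_match(v, rec["host"]) for v in acl_values)
    rec["went_direct"] = rec["hier"] == "HIER_DIRECT"
    return rec


if __name__ == "__main__":
    for values in (["voeazul.com.br"], [".voeazul.com.br"]):
        print(values, routing_check(LOG_LINE, values))
```
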