[squid-users] Parent Proxy and direct traffic

squid3 at treenet.co.nz
Tue Jul 27 11:38:23 UTC 2021


On 2021-07-26 23:05, jens.altrock wrote:
> Hi!
> 
> I got a little problem:
> 
> We have a proxy server that should route special requests to a parent
> proxy and forward the rest to the standard gateway. I haven't found
> any suitable and working configurations, so I'm asking here for help.

You appear to not understand some of the directives correctly.

As a result your config currently forces Squid to ignore all cache_peer 
lines.



> My configuration so far:
> 


> 
> acl alwayspeer dstdomain EXAMPLE.COM:777
> 

":777" is not part of any domain name.

This ACL can never produce a match result.

To check two different properties (domain and port) you need two 
different ACLs.

For example;
  acl example dstdomain example.com
  acl port777 port 777

  cache_peer_access PARENT_PROXY_SRV allow example port777
  never_direct allow example port777


> 
> cache deny all
> 
> cache_peer PARENT_PROXY_SRV parent 8080 7 proxy-only no-query
> 
> cache_peer_access PARENT_PROXY_SRV allow alwayspeer
> 

Since "alwayspeer" is always false this line means the default for 
traffic going to this peer is "deny all".

With the ACL adjustments from above this would be:

  cache_peer_access PARENT_PROXY_SRV allow example port777


> 
> #http_access deny !Safe_ports
> 
> #http_access deny CONNECT !SSL_ports
> 

Please restore those rules. They are protecting your proxy against being 
abused as a relay for DoS attacks against your network. They have 
nothing to do with routing of valid HTTP messages.


> 
> http_access allow localhost manager
> 

> http_access allow all Safe_ports
> 
> http_access allow all SSL_ports
> 

Remove those two lines **urgently**.


> never_direct deny alwayspeer
> 
> always_direct allow all
> 

From the actions chosen I see you misunderstand these two directives.

"DIRECT" means using DNS (or equivalent) to locate and connect to origin 
server(s) from the URL domain name.

always_direct has precedence. So "allow all" means servers will *always* 
be found using URL domain and DNS instead of your config file and 
cache_peer lines.

   -> you need to remove the always_direct line.

never_direct means the URL domain / DNS lookup mechanism is *never* 
used. Only cache_peer have any possibility, and only when 
cache_peer_access rules also say allow.

   -> the 'action' field needs to be "allow" in order to force cache_peer 
to be used.

In both of these directives "deny" is simply a way to stop processing 
the directive lines before any more checks happen. e.g., a way to put 
"except" or "unless" clauses into the logic.



> 
> http_access deny all
> 

No http_access rules placed below this will be checked. You should 
remove this line.

FYI; the whole point of the include directive on the next line is so you can 
put your custom cache_peer and related rules into a file in there and 
not worry about the OS Squid package fiddling with it.

> 
> include /etc/squid/conf.d/*
> 
> http_access allow localhost
> 
> http_access deny all
> 


> 
> Problem is that direct traffic is working, but it doesn't redirect
> EXAMPLE.COM:777 to the correct proxy server.
> 
> In the access.log I only see:
> 
> 1627297417.299  31535 CLIENT_IP NONE/503 0 CONNECT EXAMPLE.COM:777 - HIER_NONE/- -
> 


Amos
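
As an added illustration (not Squid's own code and not part of the thread), the following Python model applies the precedence described above: always_direct is checked first and wins outright, never_direct then decides whether DIRECT stays available, and cache_peer_access decides which peers may be used, with an access list that nothing matches defaulting to the opposite of its last line. It ignores prefer_direct and nonhierarchical_direct and treats any permitted peer as chosen; the ACL names, the peer name and the two configs are constructed from the thread.

```python
from collections import namedtuple

Request = namedtuple("Request", "host port")   # destination of the request

def acl_match(kind, value, req):
    """Simplified test for the three ACL types used in the thread."""
    if kind == "dstdomain":
        host, v = req.host.lower(), value.lower()
        # Compared as a domain name only: "example.com:777" contains ':'
        # and so can never equal any hostname.
        return host == v or (v.startswith(".") and host.endswith(v))
    if kind == "port":
        return req.port in {int(p) for p in value.split()}
    return kind == "all"   # the built-in "all" ACL matches everything

def evaluate(rules, acls, req):
    """First line whose ACLs all match decides; with no match the implicit
    answer is the opposite of the last line (Squid's documented default)."""
    for action, names in rules:
        if all(acl_match(*acls[n], req) for n in names):
            return action
    return None if not rules else ("deny" if rules[-1][0] == "allow" else "allow")

def route(cfg, req):
    """always_direct is checked first and wins outright; never_direct then
    decides whether DIRECT stays available; cache_peer_access picks peers."""
    acls = cfg["acl"]
    if evaluate(cfg.get("always_direct", []), acls, req) == "allow":
        return "DIRECT"
    must_use_peer = evaluate(cfg.get("never_direct", []), acls, req) == "allow"
    allowed = [peer for peer, rules in cfg["cache_peer_access"].items()
               if evaluate(rules, acls, req) == "allow"]
    if allowed:
        return "PEER " + allowed[0]
    return "HIER_NONE" if must_use_peer else "DIRECT"   # HIER_NONE: no route

# Constructed configs: the poster's original and the corrected version.
ORIGINAL = {
    "acl": {"all": ("all", ""), "alwayspeer": ("dstdomain", "EXAMPLE.COM:777")},
    "cache_peer_access": {"PARENT_PROXY_SRV": [("allow", ["alwayspeer"])]},
    "never_direct": [("deny", ["alwayspeer"])],
    "always_direct": [("allow", ["all"])],
}
FIXED = {
    "acl": {"all": ("all", ""), "example": ("dstdomain", "example.com"),
            "port777": ("port", "777")},
    "cache_peer_access": {"PARENT_PROXY_SRV": [("allow", ["example", "port777"])]},
    "never_direct": [("allow", ["example", "port777"])],
}
```

With ORIGINAL every request, including EXAMPLE.COM:777, is routed DIRECT because always_direct allow all matches first; with FIXED only example.com:777 goes to the peer and everything else stays DIRECT.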

