Re: Questionnaire 'bout cache_peer_access

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 18 Nov 1999 21:46:58 +0100

Masataka_Tanaka wrote:

> Before : http_access allow net5
> After : http_access deny net5 !all

If you already had net5 in http_access processing, then you do not need
to add it again. The statement I provided is a null statement which
neither denies nor allows the request. The whole purpose of that null
statement is to have net5 dereferenced, to allow Squid to populate its
internal DNS cache prior to cache_peer_access processing.

> As there was no description about never_direct contained in
> squid.conf, I added next description in order to force proxy
> referring for net5. But it didn't work.
>
> never_direct allow net5

?? There is lots of description on never_direct in squid.conf, but there
is no default setting (the built-in default is "deny all"). Are you
confusing the words description (which is text explaining the function)
and value?

never_direct should be used when Squid can't go direct for a request,
for example if you have a proxy based firewall you must use to reach the
object.

How did it not work?

> --> I wonder HOW can we make use of cache_peer_domain
> and cache_peer_access parallelly ??

If you use both, then both must match or Squid won't select that peer
for the request.

> cache_peer_domain proxyA.tanaka.co.jp !.dom1.tanaka.co.jp
> cache_peer_domain proxyB.tanaka.co.jp .dom1.tanaka.co.jp

Denies Squid to use proxyA for .dom1.tanaka.co.jp and denies it to use
proxyB for any other domain.

> acl net5 dst xxx.yyy.zzz.0/25
> http_access allow net5
> icp_access allow net5
> miss_access allow net5

This looks odd.. normally http_access is based on source, not
destination. The above only allows access to servers in net5.

> cache_peer_access proxyA.tanaka.co.jp deny net5
> cache_peer_access proxyB.tanaka.co.jp allow net5

This further restricts Squid's peer selection. It denies Squid to use
proxyA for net5 destinations, and denies it to use proxyB for any
destinations except net5.

> Before
>
> acl local-server dst xxx.0.0.0/25
> never_direct deny local-server
> never_direct allow net5
> never_direct allow all

This makes me a bit confused. You probably want

always_direct allow local-server
never_direct allow all

to have Squid always go direct to servers matching local-server and
never go direct for anything else.

> After
>
> never_direct deny local-server
> never_direct allow net5
> acl local-server dst xxx.0.0.0/25
> never_direct allow all

Don't think this works. The first never_direct line refers to
local-server which is not yet defined. You should get a syntax error
warning on this (try "squid -k parse"). See also above.

I am not sure I actually understand what you are trying to achieve, but
I suppose it is

for destinations in domain .dom1.tanaka.co.jp or with destination IP
address in xxx.yyy.zzz.0/25 use proxyB, for all else use proxyA.

Proposed configuration:

acl dom1 dstdomain .dom1.tanaka.co.jp
acl net5 dst xxx.yyy.zzz.0/25

cache_peer_access proxyA.tanaka.co.jp deny dom1
cache_peer_access proxyA.tanaka.co.jp deny net5

cache_peer_access proxyB.tanaka.co.jp allow dom1
cache_peer_access proxyB.tanaka.co.jp allow net5

See also above for never_direct/always_direct settings to force Squid to
use a parent (or not).

--
Henrik Nordstrom
Squid Hacker
Received on Thu Nov 18 1999 - 14:52:52 MST
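
The following is an added example, not part of the message above and not Squid's own code: a small Python model of how the proposed cache_peer_access lines pick a peer, and of why net5 has to be resolved before that check runs. It assumes first-match-wins rules with the opposite of the last line as the default, and that a dst ACL whose address is not yet resolved counts as no match; 192.0.2.0/25 and the sample hosts are constructed stand-ins for the masked xxx.yyy.zzz.0/25.

```python
import ipaddress

# Constructed stand-in: the post masks the real network as xxx.yyy.zzz.0/25.
ACLS = {
    "dom1": ("dstdomain", ".dom1.tanaka.co.jp"),
    "net5": ("dst", ipaddress.ip_network("192.0.2.0/25")),
}

# cache_peer_access lines from the proposed configuration, in file order.
PEER_ACCESS = {
    "proxyA.tanaka.co.jp": [("deny", "dom1"), ("deny", "net5")],
    "proxyB.tanaka.co.jp": [("allow", "dom1"), ("allow", "net5")],
}


def acl_matches(name, host, dst_ip):
    """Return True if the named ACL matches this request."""
    kind, value = ACLS[name]
    if kind == "dstdomain":
        host = host.lower()
        # Assumption: a leading dot matches the domain and its subdomains.
        return host == value[1:] or host.endswith(value)
    # Assumption: dst cannot match until the destination IP is known.
    return dst_ip is not None and ipaddress.ip_address(dst_ip) in value


def peer_allowed(peer, host, dst_ip):
    """First matching line decides; no match means opposite of last line."""
    rules = PEER_ACCESS.get(peer, [])
    if not rules:
        return True  # a peer without cache_peer_access lines is unrestricted
    for action, acl in rules:
        if acl_matches(acl, host, dst_ip):
            return action == "allow"
    return rules[-1][0] == "deny"


def eligible_peers(host, dst_ip=None):
    """Peers that may be used for a request; dst_ip=None means unresolved."""
    return [p for p in PEER_ACCESS if peer_allowed(p, host, dst_ip)]


if __name__ == "__main__":
    for host, ip in [("www.dom1.tanaka.co.jp", None),
                     ("srv.example.net", "192.0.2.10"),
                     ("srv.example.net", "198.51.100.7"),
                     ("srv.example.net", None)]:  # net5 host, not resolved
        print(host, ip, "->", eligible_peers(host, ip))
```

The last sample shows the failure the null http_access statement avoids: with the address unresolved, a net5 destination falls through to proxyA.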
