I have a squid hierarchy consisting of a pair of load-balanced siblings
and a parent that sits on the security perimeter. All three caches are
configured to use cache digests.
Load balancing is accomplished using a proxy.pac file that defines a
simple hashing algorithm that selects one of the load-balanced siblings
to service the request. To address the case where the selected sibling
might be unavailable, its sibling is defined as an alternate.
There are approximately 80 locations in our corporate wide area network.
The Squid hierarchy, described above, is located at my facility and it
serves, primarily, only systems on the local area network.
What I would like to happen is the following.
(1) If the web site is located in my facility, I want the siblings
to access the web site directly.
(2) If the web site is connected to our corporate wide area network,
I want the siblings to check each other's cache for the URI and
go directly to the web site if the content has not been cached.
(3) If the web site is external to our corporate wide area network,
I want the siblings to forward the request to the parent cache
if the content has not been cached by the other sibling.
Configuring squid to use the cache digest appears to solve the problem of
checking whether or not the content has already been cached. It does have
the effect of eliminating most of the ICP traffic.
I've defined the following acls.
(1) acl GDAIS_CATO dstdomain .cato.gd-ais.com
(2) acl GDAIS_WAN dstdomain .gd-ais.com
acl GDAIS_WAN dst 166.16.0.0/16
And, I have the following defined.
(1) always_direct allow GDAIS_CATO
(2) never_direct deny GDAIS_WAN
never_direct allow all
This appears to achieve my goals with the exception of the one internal
location that insists on using IP addresses. They started doing this
because their DNS servers wouldn't resolve the domain names correctly due
to configuration errors.
The problem that I am having is that HTTP requests that use an IP address
are being forwarded to the parent cache. Can you not combine "dstdomain"
and "dst" in the same acl?
How does Squid process a request that uses an IP address?
Merton Campbell Crockett
Received on Sat Oct 22 2005 - 11:42:46 MDT
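The rules from the message above, rearranged as an added example that is not part of the original post: in squid.conf an ACL name carries a single ACL type, so the `dst` test gets its own name (`GDAIS_WAN_NET` is a hypothetical name; the domains and network are the ones given in the post) and its own `never_direct deny` line.

```conf
# Added example, not from the original post.
# One ACL name, one ACL type: the domain test and the address test are
# defined under separate names instead of sharing GDAIS_WAN.
acl GDAIS_CATO     dstdomain .cato.gd-ais.com
acl GDAIS_WAN      dstdomain .gd-ais.com
acl GDAIS_WAN_NET  dst 166.16.0.0/16     # hypothetical name; network from the post

always_direct allow GDAIS_CATO

# Access lines are evaluated top to bottom and the first matching line wins.
# ACLs listed on the same line are ANDed; separate lines act as an OR.
# Putting both names on one line would therefore require a request to match
# the domain AND the address range at once, which is why each gets its own line.
never_direct deny GDAIS_WAN
never_direct deny GDAIS_WAN_NET
never_direct allow all
```

After a change like this, `squid -k parse` checks the file for syntax errors before the running caches are told to reload it.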