Re: [squid-users] DNS-based reverse proxy peer selection, 2.5 vs 2.6 from Amos Jeffries on 2008-02-19 (squid-users)

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 20 Feb 2008 08:28:18 +1300

Sven Edge wrote:
>> From: Amos Jeffries [mailto:squid3@treenet.co.nz]
>> Sven Edge wrote:
>>>> From: Amos Jeffries [mailto:squid3@treenet.co.nz]
>>>>
>>> I think that's what I'm trying, and it fails to find a web server to
>>> talk to.
>> Hmm, you can do a spot-check on squid with
>> "squidclient mgr:ipcache | grep www.scran.ac.uk"
>
> It's definitely doing the lookup and caching the right destination IP
> addresses.
>
>>> 2008/02/19 10:14:30| fwdStart: 'http://www.scran.ac.uk/'
>>> 2008/02/19 10:14:30| storeLockObject: key
>>> 'B13D9EB5D8D657257342FBE9C74C77D8' count=3
>>> 2008/02/19 10:14:30| peerSelect: http://www.scran.ac.uk/
>>> 2008/02/19 10:14:30| storeLockObject: key
>>> 'B13D9EB5D8D657257342FBE9C74C77D8' count=4
>>> 2008/02/19 10:14:30| cbdataLock: 0xdc6968
>>> 2008/02/19 10:14:30| peerSelectFoo: 'GET www.scran.ac.uk'
>>> 2008/02/19 10:14:30| peerSelectFoo: direct = DIRECT_NO
>> Looks like possibly a never_direct or a deny ACL getting in the way.
>
> Turning up debug_options, it happily gets past the ACL stuff, including
> a destination check on a correctly-resolved web server ip address, spits
> out a "The request GET ... is ALLOWED, because..." message, and then
> does peerSelect stuff and dies.
>
> Poking around the source for the squid-2.6.STABLE17 release currently in
> Fedora, there's appears to be another source of DIRECT_NO besides a
> never_direct, in peer_select.c.
> http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid/src/peer_select.c
> I've got version 1.131, where there's an "if
> (request->flags.accelerated)" that can cause a DIRECT_NO, but the most
> recent version 1.134 has changed that. Not sure what the code's testing
> for in either version, but from the commit comment it sounds like up to
> now 2.6 was deliberately blocking direct access when in accelerator
> mode.
>
> Maybe it's just a case of waiting for the next release?

Aha, sounds like that yes. Fortunately Stable 18 is out already so if
the change was included there you could use that one.
Otherwise the 2.6 daily snapshot should be stable enough to use, just
with a little testing required to be sure of it.

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.

Received on Tue Feb 19 2008 - 12:27:59 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:05 MST