Re: [squid-users] proxy server chained to another proxy server

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 4 Mar 2008 11:47:47 +1300 (NZDT)

> I'm trying to set up a proxy server on my home machine (nissan) that
> forwards *all* requests over a VPN connection to a proxy server
> (webcache.sfbay.sun.com, *not* running squid) on Sun's internal network
> (SWAN). Here's the changes to squid.conf that I've made:

NP: the changes are all very well, but what is the resulting config?

I can see nothing about "cache_peer_access allow all" in there. Is it
because it started that way or is it really missing?

>
> 589a590
>> acl localnet src 192.168.1.0/255.255.255.0
> 633a635
>> http_access allow localnet
> 939c941
> < http_port 3128
> ---
>> http_port 8180
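Review bot: http_port 8180 on line 941 gives no address, so Squid listens on every interface of the machine, the VPN side included, and the only gate is the http_access allow localnet rule added at line 635. If the proxy is meant only for the 192.168.1.0 LAN, use the address:port form of http_port with the machine's LAN address. Since http_access rules are evaluated in order, also confirm that line 635 sits before any deny rule that would match the LAN.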
> 1500a1503
>> cache_peer webcache.sfbay.sun.com parent 8080 7 no-query

Which configured 'webcache.sfbay.sun.com' cannot be resolved, ergo cannot
be used. That is your failure when never_direct is set properly.

> 2974a2978
>> cache_mgr shannon
> 3017a3022
>> cache_effective_group nobody
> 3033a3039
>> visible_hostname nissan.home.sfbay.sun.com
> 4071a4078
>> #never_direct allow all

That is needed to force all requests to use applicable peer.
Without it squid will sometimes/usually go direct. There is your timeout
failure when never_direct is not used.

> 4219a4227
>> dns_testnames localhost
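Review bot: dns_testnames localhost on line 4227 only changes the name Squid resolves in its startup DNS check; it does not turn off lookups, and since localhost normally resolves without asking the nameservers, the check no longer tells you whether they are usable. If the goal is just to get past startup, say so in a comment next to the directive, and do not rely on it for the cache_peer hostname on line 1503, which still needs a real lookup.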
>
> I've tried adding "default" to the cache_peer line, but it makes
> no difference.
>
> My /etc/resolv.conf is (these are all Sun-internal DNS servers):
>
> domain sfbay.sun.com
> search sun.com sfbay.sun.com
> nameserver 129.146.11.51
> nameserver 129.145.155.226
> nameserver 129.147.62.34

When passing to peers, DNS is rarely used. Just once in your config to
find the peer IP. And possibly in any unknown ACL that requires DNS.
Yours should not be needing it.

>
>
> I'm running into these problems:
>
> 1. My home machine uses Sun's internal sfbay DNS servers when connected
> via VPN, but these DNS servers can't resolve internet host names, thus my
> dns_testnames change. But really, I don't understand why it needs to
> resolve *any* hostnames if I set it up to proxy everything. Is there no
> way to disable DNS lookups entirely?

Your cache_peer config REQUIRES squid to look up the IP of the peer on
startup. If that fails it ignores the peer for sanity, and dies.

Place the IP of the peer directly into your squid.conf.

>
> 2. I think the never_direct entry above should cause it to proxy
> everything to the parent proxy server, is that correct? With that line
> enabled, all my requests time out. With that line disabled, it can at
> least proxy for requests on SWAN.

Correct. Since squid cannot go direct AND the parent peer cannot be
resolved it dies horribly. With default this just triples the timeout
length.

>
> 3. Probably related to the above problems, with never_direct commented
> out, requests to (e.g.) sunweb.central fail, but requests to
> sunweb.central.sun.com work. DNS lookups from my home machine *do*
> resolve "sunweb.central".
>
> 4. Even when things are more or less working, it's darn slow. The first
> request seems to take forever to respond, and subsequent requests aren't
> much better. It took minutes to display the sunweb.central page.
>
> Any idea what I'm doing wrong?

See above.

>
> I'm using squid-2.6.STABLE16 on Solaris 10, which is part of Sun's
> "Cool Stack" download. http://cooltools.sunsource.net/coolstack/
>
> Note that I am also running a version of the Netscape proxy server on my
> home machine and it's able to handle this networking configuration just
> fine.
>
> Thanks for your help!
>
Received on Mon Mar 03 2008 - 15:47:51 MST
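
The two failure modes discussed in this thread (a parent peer named by hostname that must resolve at startup, and never_direct left inactive so Squid may go direct) can be checked mechanically. The following Python lint is an added example, not part of the original message or of Squid; the function names and finding labels are made up for illustration, and the sample config is constructed from the directives in the quoted diff.

```python
import ipaddress

# Constructed sample: the directives added in the quoted diff,
# with never_direct still commented out as in the thread.
SAMPLE_CONF = """\
acl localnet src 192.168.1.0/255.255.255.0
http_access allow localnet
http_port 8180
cache_peer webcache.sfbay.sun.com parent 8080 7 no-query
#never_direct allow all
dns_testnames localhost
"""

def active_directives(conf_text):
    """Return token lists for lines that are neither blank nor comments."""
    out = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(line.split())
    return out

def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal, so no DNS lookup is needed."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_parent_chain(conf_text):
    """Findings for a 'send everything to the parent' setup.

    Simplification (assumption): only the exact line
    'never_direct allow all' counts; other ACLs are not evaluated.
    """
    directives = active_directives(conf_text)
    parents = [d for d in directives
               if d[0] == "cache_peer" and len(d) >= 3 and d[2] == "parent"]
    findings = []
    if not parents:
        findings.append("no-parent: no active 'cache_peer ... parent' line")
    for d in parents:
        if not is_ip_literal(d[1]):
            findings.append(f"peer-needs-dns: {d[1]} must resolve at startup")
    if parents and ["never_direct", "allow", "all"] not in directives:
        findings.append("may-go-direct: 'never_direct allow all' is not active")
    return findings

if __name__ == "__main__":
    for finding in lint_parent_chain(SAMPLE_CONF):
        print(finding)
```
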
