Re: [squid-users] Re: Want to create SQUID mesh, but force certain URLs to be retrieved by only one Proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 08 Apr 2009 18:17:03 +1200

Pandu E Poluan wrote:
> Okay, some experimentations I made:
>
> I added the following lines on ProxyB:
>
> # lines from Amos' tip
> acl fastsites dstdomain .need-fast-inet.com
> acl fastsites dstdomain .another-need-fast-inet.com
> never_direct allow fastsites
>
> Changes on ProxyA:
>
> # lines from Amos' tip
> acl fastsites dstdomain .need-fast-inet.com
> acl fastsites dstdomain .another-need-fast-inet.com
> # also from Amos' tip
> miss_access allow fastsites
> miss_access deny siblings
> miss_access allow all
> # and this one from Amos' tip
> always_direct allow fastsites
>
> My browser can't access .need-fast-inet.com
>
> I further changed the following lines to ProxyB:
>
> # added "weight=2 allow-miss"
> cache_peer ProxyA sibling 3128 4827 htcp weight=2 allow-miss
> # added the following line
> neighbor_type_domain ProxyA parent .need-fast-inet.com .another-need-fast-inet.com
>
> Now, I can access .need-fast-inet.com through ProxyB.
>
> But, isn't that "allow-miss" dangerous?
>
> Any comments?
>

It's dangerous to use it widely. And particularly on both ends of the
peering link (i.e. DON'T place it in proxyA config for proxyB/C).

It's safe to do on a one-way link. The miss_access controls you have in
place at each of your Squids perform explicitly the same actions. So
AFAIK you should not hit any of the loop cases that may occur.

Test without the 'allow-miss' option though. I believe the setting
neighbor_type_domain disables it more specifically for the objectX
requests via the change to parent link.

Amos

>
> Rgds.
>
>
> [p]
>
>
> Pandu E Poluan wrote:
>> Hmmm... strange...
>>
>> Now, instead of accessing the site objectX, ProxyB and ProxyC users
>> can't access the site at all...
>>
>> But no SQUID error page shows up... the browser simply times out...
>> Accessing URLs other than objectX still works...
>>
>> objectX is accessible via ProxyA, though.
>>
>> The changes I made currently:
>>
>> On ProxyA:
>>
>> acl objectX dstdomain ...
>> miss_access allow objectX
>> always_direct allow objectX
>>
>> On ProxyB/C:
>>
>> acl objectX dstdomain ...
>> never_direct allow objectX
>>
>> I'll experiment with the settings... maybe also "miss_access allow
>> objectX" on ProxyB and ProxyC?
>>
>>
>> Rgds.
>>
>>
>>
>> Pandu E Poluan wrote:
>>> Aha! Thanks a lot, Amos :-)
>>>
>>> I have been suspicious all along that the solution uses miss_access
>>> and never_direct ... but never saw an example anywhere.
>>>
>>> Again, much thanks!
>>>
>>> ** rushes to his proxies to configure them **
>>>
>>>
>>> Rgds.
>>>
>>>
>>> [p]
>>>
>>>
>>> Amos Jeffries wrote:
>>>> Pandu E Poluan wrote:
>>>>> The URL is allowed to be accessed by everyone, ProxyA-users, and
>>>>> ProxyB/C-users alike.
>>>>>
>>>>> I just want the URL to be retrieved by ProxyA, because accessing
>>>>> that certain URL through ProxyB/C is too damn slow (pardon the
>>>>> language).
>>>>>
>>>>>
>>>>> Rgds.
>>>>>
>>>>
>>>> Okay. Thought it might be something like that, just wanted to be
>>>> sure before fuzzing the issue.
>>>>
>>>> You will need to create an ACL just for this URL (and others you want
>>>> to do the same).
>>>> acl objectX ...
>>>>
>>>>
>>>> proxyA needs to allow peers past the miss_access block.
>>>>
>>>> proxyA:
>>>> miss_access allow objectX
>>>> miss_access deny siblings
>>>> miss_access allow all
>>>>
>>>>
>>>> siblings must never go direct to the object (always use their parent
>>>> peer)
>>>>
>>>> proxyB/proxyC:
>>>> never_direct allow objectX
>>>>
>>>> Amos
>>>>
>>>>>
>>>>> Amos Jeffries wrote:
>>>>>> Pandu E Poluan wrote:
>>>>>>> Anyone care to comment on my email?
>>>>>>>
>>>>>>> And another question: Is it possible to use miss_access with a
>>>>>>> dstdomain acl?
>>>>>>>
>>>>>>>
>>>>>>> Rgds.
>>>>>>>
>>>>>>>
>>>>>>> Pandu E Poluan wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I want to know is there a way to force a URL to be retrieved by
>>>>>>>> only a certain proxy, while ensuring that meshing works.
>>>>>>>>
>>>>>>>> Here's the scenario:
>>>>>>>>
>>>>>>>> I have a ProxyA ==> connects to Internet via a fast connection
>>>>>>>> "InetFast"
>>>>>>>> This proxy is used by a group of users that really need fast
>>>>>>>> connection.
>>>>>>>>
>>>>>>>> I have other proxies ProxyB & ProxyC ==> connects to Internet
>>>>>>>> via a slower connection "InetSlow"
>>>>>>>> These proxies are used by the rest of the staff.
>>>>>>>>
>>>>>>>> I configured them all as siblings, with miss_access blocking
>>>>>>>> MISS requests between them, e.g.
>>>>>>>>
>>>>>>>> # Configuration snippet of ProxyA
>>>>>>>> cache_peer <ProxyB> sibling 3128 4827 htcp
>>>>>>>> cache_peer <ProxyC> sibling 3128 4827 htcp
>>>>>>>> acl siblings src <ProxyB>
>>>>>>>> acl siblings src <ProxyC>
>>>>>>>> miss_access deny siblings
>>>>>>>> miss_access allow all
>>>>>>>>
>>>>>>>> ProxyB & ProxyC both have similar config.
>>>>>>>>
>>>>>>>> ( The aim is to 'assist' other staffers using InetSlow so that
>>>>>>>> whatever has been retrieved by the InetFast users will be made
>>>>>>>> available to the rest of the staffs )
>>>>>>>>
>>>>>>>> Now, let's say there's this URL http://www.need-fast-inet.com/
>>>>>>>> that I want to be retrieved exclusively by ProxyA.
>>>>>>>>
>>>>>>>> How would I configure the peering relationships?
>>>>>>
>>>>>> If you can state the problem and the desired setup clearly in
>>>>>> single-sentence steps you have usually described the individual
>>>>>> config settings needed.
>>>>>>
>>>>>> Is the URL allowed to be fetched by the slow users through proxyB
>>>>>> into proxy A and then internet?
>>>>>>
>>>>
>>>>
>>>> Amos
>>>
>>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Wed Apr 08 2009 - 05:17:06 MDT
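
Added example, not part of the original thread or of Squid itself: a small lint that reads the cache_peer lines of each proxy in a mesh and reports any pair that sets allow-miss toward each other, the both-ends case the reply above warns against. The host names and the two sample meshes are constructed, and the parser assumes the `cache_peer host type http-port icp-port [options]` layout used in the thread.

```python
# Constructed sample data: host names and configs are illustrative only.
A = "proxya.example.internal"
B = "proxyb.example.internal"

ONE_WAY = {  # allow-miss only on ProxyB's link toward ProxyA, as in the thread
    A: f"cache_peer {B} sibling 3128 4827 htcp\n",
    B: f"# added weight=2 allow-miss\n"
       f"cache_peer {A} sibling 3128 4827 htcp weight=2 allow-miss\n",
}
BOTH_ENDS = {  # allow-miss on both ends of the same peering link
    A: f"cache_peer {B} sibling 3128 4827 htcp allow-miss\n",
    B: f"cache_peer {A} sibling 3128 4827 htcp allow-miss\n",
}

def parse_cache_peers(conf_text):
    """Return {peer_host: {"type": ..., "options": set(...)}} for one config."""
    peers = {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        if len(fields) >= 5 and fields[0] == "cache_peer":
            peers[fields[1]] = {"type": fields[2], "options": set(fields[5:])}
    return peers

def allow_miss_links(configs):
    """Directed (from_host, to_host) links that carry the allow-miss option."""
    links = set()
    for host, text in configs.items():
        for peer, info in parse_cache_peers(text).items():
            if "allow-miss" in info["options"]:
                links.add((host, peer))
    return links

def bidirectional_allow_miss(configs):
    """Pairs of proxies with allow-miss set in both directions (loop risk)."""
    links = allow_miss_links(configs)
    return sorted((a, b) for a, b in links if a < b and (b, a) in links)

if __name__ == "__main__":
    for name, mesh in (("one-way", ONE_WAY), ("both-ends", BOTH_ENDS)):
        print(name, bidirectional_allow_miss(mesh) or "no bidirectional allow-miss")
```
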
