Re: [squid-users] Re: Want to create SQUID mesh, but force certain URLs to be retrieved by only one Proxy

From: Pandu E Poluan <pandu_poluan_at_paninsekuritas.co.id>
Date: Wed, 08 Apr 2009 14:12:07 +0700

Without "allow-miss", I get the error:

*Valid document was not found in the cache and only-if-cached directive
was specified.*

Strangely, doing the same on ProxyC causes an "Access Denied" error...

Rgds

[p]

Amos Jeffries wrote:
> Pandu E Poluan wrote:
>> Okay, some experimentations I made:
>>
>> I added the following lines on ProxyB:
>>
>> # lines from Amos' tip
>> acl fastsites dstdomain .need-fast-inet.com
>> acl fastsites dstdomain .another-need-fast-inet.com
>> never_direct allow fastsites
>>
>> Changes on ProxyA:
>>
>> # lines from Amos' tip
>> acl fastsites dstdomain .need-fast-inet.com
>> acl fastsites dstdomain .another-need-fast-inet.com
>> # also from Amos' tip
>> miss_access allow fastsites
>> miss_access deny siblings
>> miss_access allow all
>> # and this one from Amos' tip
>> always_direct allow fastsites
>>
>> My browser can't access .need-fast-inet.com
>>
>> I further changed the following lines to ProxyB:
>>
>> # added "weight=2 allow-miss"
>> cache_peer ProxyA sibling 3128 4827 htcp weight=2 allow-miss
>> # added the following line
>> neighbor_type_domain ProxyA parent .need-fast-inet.com .another-need-fast-inet.com
>>
>> Now, I can access .need-fast-inet.com through ProxyB.
>>
>> But, isn't that "allow-miss" dangerous?
>>
>> Any comments?
>>
>
> It's dangerous to use it widely. And particularly on both ends of the
> peering link (i.e. DON'T place it in proxyA config for proxyB/C).
>
> It's safe to do on a one-way link. The miss_access controls you have
> in place at each of your Squids perform explicitly the same actions. So
> AFAIK you should not hit any of the loop cases that may occur.
>
> Test without the 'allow-miss' option though. I believe the setting
> neighbor_type_domain disables it more specifically for the objectX
> requests via the change to parent link.
>
> Amos
>
>>
>> Rgds.
>>
>>
>> [p]
>>
>>
>> Pandu E Poluan wrote:
>>> Hmmm... strange...
>>>
>>> Now, instead of accessing the site objectX, ProxyB and ProxyC users
>>> can't access the site at all...
>>>
>>> But no SQUID error page shows up... the browser simply times out...
>>> Accessing URLs other than objectX still works...
>>>
>>> objectX is accessible via ProxyA, though.
>>>
>>> The changes I made currently:
>>>
>>> On ProxyA:
>>>
>>> acl objectX dstdomain ...
>>> miss_access allow objectX
>>> always_direct allow objectX
>>>
>>> On ProxyB/C:
>>>
>>> acl objectX dstdomain ...
>>> never_direct allow objectX
>>>
>>> I'll experiment with the settings... maybe also "miss_access allow
>>> objectX" on ProxyB and ProxyC?
>>>
>>>
>>> Rgds.
>>>
>>>
>>>
>>> Pandu E Poluan wrote:
>>>> Aha! Thanks a lot, Amos :-)
>>>>
>>>> I have been suspicious all along that the solution uses miss_access
>>>> and never_direct ... but never saw an example anywhere.
>>>>
>>>> Again, much thanks!
>>>>
>>>> ** rushes to his proxies to configure them **
>>>>
>>>>
>>>> Rgds.
>>>>
>>>>
>>>> [p]
>>>>
>>>>
>>>> Amos Jeffries wrote:
>>>>> Pandu E Poluan wrote:
>>>>>> The URL is allowed to be accessed by everyone, ProxyA-users, and
>>>>>> ProxyB/C-users alike.
>>>>>>
>>>>>> I just want the URL to be retrieved by ProxyA, because accessing
>>>>>> that certain URL through ProxyB/C is too damn slow (pardon the
>>>>>> language).
>>>>>>
>>>>>>
>>>>>> Rgds.
>>>>>>
>>>>>
>>>>> Okay. Thought it might be something like that, just wanted to be
>>>>> sure before fuzzing the issue.
>>>>>
>>>>> You will need to create an ACL just for this URL (and others you
>>>>> want to do the same).
>>>>> acl objectX ...
>>>>>
>>>>>
>>>>> proxyA needs to allow peers past the miss_access block.
>>>>>
>>>>> proxyA:
>>>>> miss_access allow objectX
>>>>> miss_access deny siblings
>>>>> miss_access allow all
>>>>>
>>>>>
>>>>> siblings must never go direct to the object (always use their
>>>>> parent peer)
>>>>>
>>>>> proxyB/proxyC:
>>>>> never_direct allow objectX
>>>>>
>>>>> Amos
>>>>>
>>>>>>
>>>>>> Amos Jeffries wrote:
>>>>>>> Pandu E Poluan wrote:
>>>>>>>> Anyone care to comment on my email?
>>>>>>>>
>>>>>>>> And another question: Is it possible to use miss_access with a
>>>>>>>> dstdomain acl?
>>>>>>>>
>>>>>>>>
>>>>>>>> Rgds.
>>>>>>>>
>>>>>>>>
>>>>>>>> Pandu E Poluan wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I want to know is there a way to force a URL to be retrieved
>>>>>>>>> by only a certain proxy, while ensuring that meshing works.
>>>>>>>>>
>>>>>>>>> Here's the scenario:
>>>>>>>>>
>>>>>>>>> I have a ProxyA ==> connects to Internet via a fast connection
>>>>>>>>> "InetFast"
>>>>>>>>> This proxy is used by a group of users that really need fast
>>>>>>>>> connection.
>>>>>>>>>
>>>>>>>>> I have other proxies ProxyB & ProxyC ==> connects to Internet
>>>>>>>>> via a slower connection "InetSlow"
>>>>>>>>> These proxies are used by the rest of the staff.
>>>>>>>>>
>>>>>>>>> I configured them all as siblings, with miss_access blocking
>>>>>>>>> MISS requests between them, e.g.
>>>>>>>>>
>>>>>>>>> # Configuration snippet of ProxyA
>>>>>>>>> cache_peer <ProxyB> sibling 3128 4827 htcp
>>>>>>>>> cache_peer <ProxyC> sibling 3128 4827 htcp
>>>>>>>>> acl siblings src <ProxyB>
>>>>>>>>> acl siblings src <ProxyC>
>>>>>>>>> miss_access deny siblings
>>>>>>>>> miss_access allow all
>>>>>>>>>
>>>>>>>>> ProxyB & ProxyC both have similar config.
>>>>>>>>>
>>>>>>>>> ( The aim is to 'assist' other staffers using InetSlow so that
>>>>>>>>> whatever has been retrieved by the InetFast users will be made
>>>>>>>>> available to the rest of the staff )
>>>>>>>>>
>>>>>>>>> Now, let's say there's this URL http://www.need-fast-inet.com/
>>>>>>>>> that I want to be retrieved exclusively by ProxyA.
>>>>>>>>>
>>>>>>>>> How would I configure the peering relationships?
>>>>>>>
>>>>>>> If you can state the problem and the desired setup clearly in
>>>>>>> single-sentence steps you have usually described the individual
>>>>>>> config settings needed.
>>>>>>>
>>>>>>> Is the URL allowed to be fetched by the slow users through
>>>>>>> proxyB into proxy A and then internet?
>>>>>>>
>>>>>
>>>>>
>>>>> Amos
>>>>
>>>
>>
>
>

-- 
*Pandu E Poluan*
*Panin Sekuritas*
IT Manager / Operations & Audit
Phone : 	+62-21-515-3055 ext 135
Fax : 	+62-21-515-3061
Mobile : 	+62-856-8400-426
e-mail : 	pandu_poluan_at_paninsekuritas.co.id 
Y!M : 	hands0me_irc
MSN : 	si-ganteng_at_live.com
GTalk : 	pandu.cakep_at_gmail.com
Received on Wed Apr 08 2009 - 07:12:49 MDT
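
The point made in the quoted reply, that allow-miss is safe on a one-way link but dangerous on both ends of a peering link, can be checked mechanically across a mesh. The following is an added example, not part of the original thread: the configs are constructed from the thread's snippets, and it assumes each proxy's key name matches the hostname its peers use in cache_peer.

```python
# Added example: lint cache_peer lines across a Squid mesh for two-way allow-miss.
# SAMPLE_MESH is constructed sample input modelled on the thread's snippets.
# Assumption: each dict key is the hostname other proxies use in cache_peer.

SAMPLE_MESH = {
    "ProxyA": """
        cache_peer ProxyB sibling 3128 4827 htcp
        cache_peer ProxyC sibling 3128 4827 htcp
    """,
    "ProxyB": """
        # added "weight=2 allow-miss"
        cache_peer ProxyA sibling 3128 4827 htcp weight=2 allow-miss
        cache_peer ProxyC sibling 3128 4827 htcp
    """,
    "ProxyC": """
        cache_peer ProxyA sibling 3128 4827 htcp
        cache_peer ProxyB sibling 3128 4827 htcp
    """,
}


def allow_miss_links(mesh):
    """Return the set of (owner, peer) pairs whose cache_peer line has allow-miss."""
    links = set()
    for owner, conf in mesh.items():
        for raw in conf.splitlines():
            # Drop comments, then split into whitespace-separated fields.
            fields = raw.split("#", 1)[0].split()
            # cache_peer <hostname> <type> <http-port> <icp-port> [options...]
            if len(fields) < 5 or fields[0] != "cache_peer":
                continue
            if "allow-miss" in fields[5:]:
                links.add((owner, fields[1]))
    return links


def two_way_allow_miss(mesh):
    """Return sorted peer pairs where allow-miss is set on both ends of the link."""
    links = allow_miss_links(mesh)
    return sorted({tuple(sorted(l)) for l in links if (l[1], l[0]) in links})


if __name__ == "__main__":
    print("one-way allow-miss:", sorted(allow_miss_links(SAMPLE_MESH)))
    print("two-way allow-miss:", two_way_allow_miss(SAMPLE_MESH))
```

An empty result from `two_way_allow_miss` means every allow-miss link in the mesh is one-way; it does not validate the miss_access rules on either side.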
