Re: [squid-users] Re: Want to create SQUID mesh, but force certain URLs to be retrieved by only one Proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 08 Apr 2009 20:26:37 +1200

Pandu E Poluan wrote:
> Without "allow-miss", I get the error:
>
> *Valid document was not found in the cache and only-if-cached directive
> was specified.*

Okay, best use it then. Should be safe enough in your setup.

Amos

>
> Strangely, doing the same on ProxyC causes an "Access Denied" error...
>
> Rgds
>
> [p]
>
> Amos Jeffries wrote:
>> Pandu E Poluan wrote:
>>> Okay, some experimentations I made:
>>>
>>> I added the following lines on ProxyB:
>>>
>>> # lines from Amos' tip
>>> acl fastsites dstdomain .need-fast-inet.com
>>> acl fastsites dstdomain .another-need-fast-inet.com
>>> never_direct allow fastsites
>>>
>>> Changes on ProxyA:
>>>
>>> # lines from Amos' tip
>>> acl fastsites dstdomain .need-fast-inet.com
>>> acl fastsites dstdomain .another-need-fast-inet.com
>>> # also from Amos' tip
>>> miss_access allow fastsites
>>> miss_access deny siblings
>>> miss_access allow all
>>> # and this one from Amos' tip
>>> always_direct allow fastsites
>>>
>>> My browser can't access .need-fast-inet.com
>>>
>>> I further changed the following lines to ProxyB:
>>>
>>> # added "weight=2 allow-miss"
>>> cache_peer ProxyA sibling 3128 4827 htcp weight=2 allow-miss
>>> # added the following line
>>> neighbor_type_domain ProxyA parent .need-fast-inet.com .another-need-fast-inet.com
>>>
>>> Now, I can access .need-fast-inet.com through ProxyB.
>>>
>>> But, isn't that "allow-miss" dangerous?
>>>
>>> Any comments?
>>>
>>
>> It's dangerous to use it widely. And particularly on both ends of the
>> peering link (i.e. DON'T place it in proxyA config for proxyB/C).
>>
>> It's safe to do on a one-way link. The miss_access controls you have
>> in place at each of your Squids perform explicitly the same actions. So
>> AFAIK you should not hit any of the loop cases that may occur.
>>
>> Test without the 'allow-miss' option though. I believe the setting
>> neighbor_type_domain disables it more specifically for the objectX
>> requests via the change to parent link.
>>
>> Amos
>>
>>>
>>> Rgds.
>>>
>>>
>>> [p]
>>>
>>>
>>> Pandu E Poluan wrote:
>>>> Hmmm... strange...
>>>>
>>>> Now, instead of accessing the site objectX, ProxyB and ProxyC users
>>>> can't access the site at all...
>>>>
>>>> But no SQUID error page shows up... the browser simply times out...
>>>> Accessing URLs other than objectX still works...
>>>>
>>>> objectX is accessible via ProxyA, though.
>>>>
>>>> The changes I made currently:
>>>>
>>>> On ProxyA:
>>>>
>>>> acl objectX dstdomain ...
>>>> miss_access allow objectX
>>>> always_direct allow objectX
>>>>
>>>> On ProxyB/C:
>>>>
>>>> acl objectX dstdomain ...
>>>> never_direct allow objectX
>>>>
>>>> I'll experiment with the settings... maybe also "miss_access allow
>>>> objectX" on ProxyB and ProxyC?
>>>>
>>>>
>>>> Rgds.
>>>>
>>>>
>>>>
>>>> Pandu E Poluan wrote:
>>>>> Aha! Thanks a lot, Amos :-)
>>>>>
>>>>> I have been suspicious all along that the solution uses miss_access
>>>>> and never_direct ... but never saw an example anywhere.
>>>>>
>>>>> Again, much thanks!
>>>>>
>>>>> ** rushes to his proxies to configure them **
>>>>>
>>>>>
>>>>> Rgds.
>>>>>
>>>>>
>>>>> [p]
>>>>>
>>>>>
>>>>> Amos Jeffries wrote:
>>>>>> Pandu E Poluan wrote:
>>>>>>> The URL is allowed to be accessed by everyone, ProxyA-users, and
>>>>>>> ProxyB/C-users alike.
>>>>>>>
>>>>>>> I just want the URL to be retrieved by ProxyA, because accessing
>>>>>>> that certain URL through ProxyB/C is too damn slow (pardon the
>>>>>>> language).
>>>>>>>
>>>>>>>
>>>>>>> Rgds.
>>>>>>>
>>>>>>
>>>>>> Okay. Thought it might be something like that, just wanted to be
>>>>>> sure before fuzzing the issue.
>>>>>>
>>>>>> You will need to create an ACL just for this URL (and others you
>>>>>> want to do the same).
>>>>>> acl objectX ...
>>>>>>
>>>>>>
>>>>>> proxyA needs to allow peers past the miss_access block.
>>>>>>
>>>>>> proxyA:
>>>>>> miss_access allow objectX
>>>>>> miss_access deny siblings
>>>>>> miss_access allow all
>>>>>>
>>>>>>
>>>>>> siblings must never go direct to the object (always use their
>>>>>> parent peer)
>>>>>>
>>>>>> proxyB/proxyC:
>>>>>> never_direct allow objectX
>>>>>>
>>>>>> Amos
>>>>>>
>>>>>>>
>>>>>>> Amos Jeffries wrote:
>>>>>>>> Pandu E Poluan wrote:
>>>>>>>>> Anyone care to comment on my email?
>>>>>>>>>
>>>>>>>>> And another question: Is it possible to use miss_access with a
>>>>>>>>> dstdomain acl?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Rgds.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Pandu E Poluan wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I want to know is there a way to force a URL to be retrieved
>>>>>>>>>> by only a certain proxy, while ensuring that meshing works.
>>>>>>>>>>
>>>>>>>>>> Here's the scenario:
>>>>>>>>>>
>>>>>>>>>> I have a ProxyA ==> connects to Internet via a fast connection
>>>>>>>>>> "InetFast"
>>>>>>>>>> This proxy is used by a group of users that really need fast
>>>>>>>>>> connection.
>>>>>>>>>>
>>>>>>>>>> I have other proxies ProxyB & ProxyC ==> connects to Internet
>>>>>>>>>> via a slower connection "InetSlow"
>>>>>>>>>> These proxies are used by the rest of the staff.
>>>>>>>>>>
>>>>>>>>>> I configured them all as siblings, with miss_access blocking
>>>>>>>>>> MISS requests between them, e.g.
>>>>>>>>>>
>>>>>>>>>> # Configuration snippet of ProxyA
>>>>>>>>>> cache_peer <ProxyB> sibling 3128 4827 htcp
>>>>>>>>>> cache_peer <ProxyC> sibling 3128 4827 htcp
>>>>>>>>>> acl siblings src <ProxyB>
>>>>>>>>>> acl siblings src <ProxyC>
>>>>>>>>>> miss_access deny siblings
>>>>>>>>>> miss_access allow all
>>>>>>>>>>
>>>>>>>>>> ProxyB & ProxyC both have similar config.
>>>>>>>>>>
>>>>>>>>>> ( The aim is to 'assist' other staffers using InetSlow so that
>>>>>>>>>> whatever has been retrieved by the InetFast users will be made
>>>>>>>>>> available to the rest of the staff )
>>>>>>>>>>
>>>>>>>>>> Now, let's say there's this URL http://www.need-fast-inet.com/
>>>>>>>>>> that I want to be retrieved exclusively by ProxyA.
>>>>>>>>>>
>>>>>>>>>> How would I configure the peering relationships?
>>>>>>>>
>>>>>>>> If you can state the problem and the desired setup clearly in
>>>>>>>> single-sentence steps you have usually described the individual
>>>>>>>> config settings needed.
>>>>>>>>
>>>>>>>> Is the URL allowed to be fetched by the slow users through
>>>>>>>> proxyB into proxy A and then internet?
>>>>>>>>
>>>>>>
>>>>>>
>>>>>> Amos
>>>>>
>>>>
>>>
>>
>>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Wed Apr 08 2009 - 07:26:44 MDT
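
Added example, not part of the original message or of Squid itself: a small lint over per-proxy squid.conf fragments for the two conditions discussed in the thread, namely "allow-miss" set on both ends of a peering link, and the miss_access exemption being listed before the sibling deny (Squid access lists stop at the first matching line). The sample fragments are constructed from directives quoted in the thread, and the names ProxyA and ProxyB stand in for real hostnames.

```python
# Added example: lint per-proxy squid.conf fragments for the two conditions above.
# CONFIGS is constructed from directives quoted in the thread; the names ProxyA
# and ProxyB stand in for real hostnames.
CONFIGS = {
    "ProxyA": """
cache_peer ProxyB sibling 3128 4827 htcp
acl siblings src ProxyB
acl fastsites dstdomain .need-fast-inet.com
miss_access allow fastsites
miss_access deny siblings
miss_access allow all
always_direct allow fastsites
""",
    "ProxyB": """
cache_peer ProxyA sibling 3128 4827 htcp weight=2 allow-miss
neighbor_type_domain ProxyA parent .need-fast-inet.com
acl fastsites dstdomain .need-fast-inet.com
never_direct allow fastsites
""",
}

def directives(text, name):
    """Yield the arguments of every `name` directive, ignoring comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:1] == [name]:
            yield fields[1:]

def two_way_allow_miss(configs):
    """Return peer pairs that set allow-miss on each other (both ends of a link)."""
    # cache_peer arguments: host, type, http-port, icp-port, then options.
    links = {(local, args[0])
             for local, text in configs.items()
             for args in directives(text, "cache_peer")
             if "allow-miss" in args[4:]}
    return sorted({tuple(sorted(l)) for l in links if l[::-1] in links})

def exemption_precedes_deny(text, exempt_acl, peers_acl="siblings"):
    """True if `miss_access allow exempt_acl` is listed before `deny peers_acl`."""
    rules = [(a[0], a[1:]) for a in directives(text, "miss_access") if len(a) >= 2]
    def first(action, acl):
        return next((i for i, r in enumerate(rules) if r == (action, [acl])), None)
    allow_at, deny_at = first("allow", exempt_acl), first("deny", peers_acl)
    return allow_at is not None and (deny_at is None or allow_at < deny_at)

if __name__ == "__main__":
    print("two-way allow-miss links:", two_way_allow_miss(CONFIGS))
    print("ProxyA exemption ordered first:",
          exemption_precedes_deny(CONFIGS["ProxyA"], "fastsites"))
```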
