Re: [squid-users] Forwarding problems from Amos Jeffries on 2009-04-20 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 20 Apr 2009 21:53:39 +1200

Pandu E Poluan wrote:
> Nope.
>
> acl fastsites dstdomain 206.190.39.216
>
> Still result in the "Unable to forward this request" error.
>
> I'm a bit stumped here... how to prevent ProxyB and ProxyC from
> forwarding that IP address?
>
> Just FYI, here's a snippet of ProxyB's squid.conf:
>
> # snippet of ProxyB squid.conf
> #
> # This is ProxyC
> cache_peer 172.31.160.99 sibling 3128 4827 htcp
> # And this is ProxyA
> cache_peer 172.31.2.103 sibling 3128 4827 htcp weight=2 allow-miss
> #
> # ProxyA selectively becomes parent for these domains
> neighbor_type_domain 172.31.2.103 parent .yahoo.com .yimg.com
> .yahooapis.com
> neighbor_type_domain 172.31.2.103 parent .google.com .google.co.id
> .gmail.com
> #
> acl fastsites dstdomain .yahoo.com
> acl fastsites dstdomain .yimg.com
> acl fastsites dstdomain .yahooapis.com
> acl fastsites dstdomain .google.com
> acl fastsites dstdomain .gmail.com
> #
> never_direct allow fastsites
>

Perhapse you need to add:

shared:
acl fuIps dst 206.190.39.216

proxyC:

   cache_peer proxyB deny fuIps
   cache_peer proxyA allow fuIps
   never_direct fuIps

proxyB:

   cache_peer proxyC deny fuIps
   cache_peer proxyA allow fuIps
   never_direct fuIps

proxyA:
always_direct fuIps

cache_peer 172.31.160.99 allow !fastsites !fuIps
cache_peer 172.31.2.103 allow !fuIps

>
> As you can see, I don't specify 206.190.39.216 in never_direct or
> neighbor_type_domain, but ProxyB still forwards requests to
> 206.190.39.216 toward ProxyA.

sometimes, on a weighted basis. sometimes it will try direct, and
sometimes through proxyC. mayhap its netdb is recording the proxyA as
best route when proxyC says it goes through proxyA as well.

>
> I'm not sure I want to put those addresses in always_direct ... beats
> the purpose of Squid mesh (between ProxyB and ProxyC), IMO.

Yes this is setting up a break in the mesh.

> But for the
> life of me, I still can't figure out how to make ProxyA receive those
> forwards.

That is what never_direct and cache_peer_access do at proxyB and proxyC.

>
>
> Rgds.
>
>
> [p]
>
>
> Amos Jeffries wrote:
>> Pandu E Poluan wrote:
>>> Hi all!
>>>
>>> I've configured my proxies correctly, and now they work as expected.
>>>
>>> * Requests to fast sites get forwarded to ProxyA, which uses FastInet
>>> * Other requests gets handled directly by ProxyB and ProxyC, which
>>> uses SlowInet
>>>
>>> There's a problem, however, that recently cropped up.
>>>
>>> I've added ".google.com" and "mail.yahoo.com" as a fast sites.
>>> Accesses to Google and Yahoo Mail (mail.yahoo.com) gets accelerated,
>>> as expected.
>>>
>>> However, when trying to access the Google cache, apparently the URL
>>> uses an IP address instead of a domain name, e.g. "72.14.192.66"
>>> Same situation happened when accessing an attachment in Yahoo Mail,
>>> it uses an IP address instead of domain name, e.g. "206.190.39.216"
>>>
>>> I keep getting errors:
>>>
>>> ===== Error message snip =====
>>>
>>> The following error was encountered:
>>>
>>> * * Unable to forward this request at this time. *
>>>
>>> This request could not be forwarded to the origin server or to any
>>> parent caches. The most likely cause for this error is that:
>>>
>>> * The cache administrator does not allow this cache to make direct
>>> connections to origin servers, and
>>> * All configured parent caches are currently unreachable.
>>>
>>> ===== Error message snip =====
>>>
>>> I think ProxyB and ProxyC somehow performed a reverse DNS, and
>>> forwards the IP-address-based requests to ProxyA, while ProxyA only
>>> allows explicit URLs in its miss_access directive.
>>>
>>> I've tried editing the ProxyA's squid.conf like follows:
>>>
>>> #snippet of ProxyA squid.conf
>>> acl fastsites dstdomain .yahoo.com
>>> acl fastsites dstdomain .yimg.com
>>> acl fastsites dstdomain .yahooapis.com
>>> acl fastsites dstdomain .google.com
>>> acl fastsites dstdomain .gmail.com
>>> acl fastsites dstdomain 206.190.39.216
>>> #
>>> acl fastsites_ip dst 72.14.192.0/18
>>> acl fastsites_ip dst 206.190.39.216
>>> #
>>> miss_access allow fastsites
>>> miss_access allow fastsites_ip
>>> miss_access deny siblings
>>>
>>>
>>> But to no avail.
>>>
>>> Any suggestions?
>>>
>>
>> Does adding the IP-text "206.190.39.216" to the dstdomain ACL work?
>> Squid should try an exact text match before doing rDNS.
>> Otherwise you may be stuck with an url_regex pattern for those.
>>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7

Received on Mon Apr 20 2009 - 09:53:39 MDT

This archive was generated by hypermail 2.2.0 : Mon Apr 20 2009 - 12:00:02 MDT