RE: [squid-users] RE: ICP vs Cache Digest

From: <vincent.blondel_at_ing.be>
Date: Sun, 3 May 2009 20:01:29 +0200

>>Hello all,
>>
>>something I do not understand .. I plan enabling ICP between my squid
>>proxy web caches hosted in the internal LAN area and my internet gateways
>>hosted in the DMZ area.
>>
>>Everything seems to work correctly, I see the ICP packets exchanged
>>between all devices except I always receive this type of error message
>>...
>>
>> 2009/04/27 16:59:27| temporary disabling (Forbidden) digest from
>>10.66.9.193
>>
>>Let us have a look at the configs in place ... All packages installed
>>are compiled with '--enable-cache-digests'.
>>
>>Squid (2.6.12 & 2.7.4) dmz internet gateways config ...
>>
>>icp_port 3130
>>log_icp_queries off
>>icp_hit_stale off
>>icp_access allow srcip_internalproxies
>>icp_access deny all
>>
>>Squid (2.6.12) internal proxy web caches config ...
>>
>>icp_port 3130
>>icp_query_timeout 0
>>maximum_icp_query_timeout 50 # (milliseconds)
>>dead_peer_timeout 1 second
>>log_icp_queries off
>>icp_hit_stale off
>>icp_access deny all
>>
>>cache_peer @my_cache_parent_1@ parent 8080 3130 weight=2
>>cache_peer @my_cache_parent_2@ parent 8080 3130 weight=1
>>
>>Is it normal that I get this message, or is there something I did not
>>understand about ICP and digests (e.g. not compatible) ??
>>
>>Did I forget to add some parameters next to my cache_peer entries (e.g.
>>no-digest ..) ?
>>
>
>any idea ???

I finally found why my client caches cannot get store_digest information
from the parent caches. This is because the client caches receive a
'Forbidden' message when requesting the URL
http://servername:8080/squid-internal-periodic/store_digest

my parent cache config ...

...
http_port 127.0.0.1:8080
http_port 1.2.3.4:8080
...
acl localhost src 127.0.0.1/32
acl manager proto cache_object
acl connect method CONNECT
acl safe_port port 80
acl safe_port port 8080
acl safe_port port 21
acl safe_port port 443
...
http_access allow manager localhost
http_access allow manager manager_hosts
http_access deny manager
http_access allow purge localhost
http_access allow purge manager_hosts
http_access deny purge
http_access allow localhost
http_reply_access allow localhost
http_access deny connect !SSL
http_access deny !safe_port
http_access allow srcip_internalproxies
http_reply_access allow srcip_internalproxies
http_reply_access deny all
http_access deny all

After many, many tries I noticed that the 'connect' and 'safe_port' deny
access lists at the parent cache level blocked the clients, so it seems
that requesting something on port 8080 is forbidden, but I have no problem
reaching the net ...

Going further in my tests, I noticed that the internal
/squid-internal-periodic/ URL path is always listening on port 3128, even
if the squid process is listening on another port, like 8080 in my case.

In other words, if I add 'acl safe_port port 3128' to my parent config
and I send the query
http://servername:3128/squid-internal-periodic/store_digest, the issue
is solved ...

Is this normal behaviour, a bug, or did I do something wrong ??

>many thks to help me.
>Vincent
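A small model of Squid's first-match http_access evaluation, added here as an example (it is not code from the post or from Squid itself). It replays the parent-side rules quoted above against an internal proxy fetching the store_digest URL, so a reader can see which line denies the fetch when the target port is not in safe_port. The members of the 'srcip_internalproxies' and 'SSL' ACLs are assumed, since the post does not show them.

```python
# Added example (not from the post or the Squid project): a minimal model of
# Squid's first-match http_access evaluation, reproducing why the parent ACLs
# deny a digest fetch aimed at port 3128 while traffic to port 8080 passes.
from dataclasses import dataclass


@dataclass
class Request:
    src: str     # client IP
    method: str  # HTTP method
    port: int    # destination port


def make_acls(safe_ports):
    # ACL name -> predicate. 'srcip_internalproxies' and 'SSL' are assumed
    # (the post references but does not define them); 10.66.x.x is the
    # internal proxy range seen in the quoted log line.
    return {
        "localhost": lambda r: r.src == "127.0.0.1",
        "connect": lambda r: r.method == "CONNECT",
        "SSL": lambda r: r.port == 443,
        "safe_port": lambda r: r.port in safe_ports,
        "srcip_internalproxies": lambda r: r.src.startswith("10.66."),
    }


# The relevant http_access lines from the parent config, in order
# (manager/purge lines omitted; they never match a plain GET from a peer).
RULES = [
    ("allow", ["localhost"]),
    ("deny", ["connect", "!SSL"]),
    ("deny", ["!safe_port"]),
    ("allow", ["srcip_internalproxies"]),
    ("deny", ["all"]),
]


def http_access(req, acls, rules=RULES):
    """First matching line wins; every term on a line must match (AND).
    Returns (decision, index of the matching rule, or None for the default)."""
    for i, (action, terms) in enumerate(rules):
        ok = True
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            hit = True if name == "all" else acls[name](req)
            if hit == negate:  # a negated hit or a plain miss fails the line
                ok = False
                break
        if ok:
            return action, i
    # Squid's documented default when nothing matches: opposite of the last line
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def digest_fetch_decision(port, safe_ports=(80, 8080, 21, 443)):
    """Decision for an internal proxy GET of /squid-internal-periodic/store_digest."""
    req = Request(src="10.66.9.193", method="GET", port=port)
    return http_access(req, make_acls(set(safe_ports)))
```

Adding 3128 to safe_ports in the call reproduces the fix described in the post: the 'deny !safe_port' line no longer matches and the 'allow srcip_internalproxies' line is reached.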
Received on Sun May 03 2009 - 18:01:45 MDT