[squid-users] ACL problem, can not get never_direct to work.

From: Dean Weimer <dweimer_at_orscheln.com>
Date: Thu, 11 Nov 2010 11:04:58 -0600

I think I am going nuts, because I can't see what I am doing wrong here. I am trying to send a group of domains through a parent proxy because the proxy forwarding them doesn't have direct access to the websites. These ACL lists are before any others in the configuration, but the domains are still trying to go direct.

# The Parent Configuration
cache_peer 10.50.20.6 parent 8080 8181 name=PROXY3 no-query no-digest

#The ACL lines
acl InternalDNS dstdomain "/usr/local/squid/etc/internal.dns.acl"

## Put this in once to verify the above ACL was actually working for the domains
## http_access deny InternalDNS
## With above uncommented, I got access denied as expected

## Here is where I am doing something wrong, that I cannot figure out
never_direct allow InternalDNS
always_direct allow !InternalDNS
cache_peer_access PROXY3 allow InternalDNS
cache_peer_access PROXY3 deny all

All sites in the ACL still attempt to go direct instead of forwarding to the parent.

Squid -k parse shows no errors.

Squid -k reconfigure was run; output from the cache.log shows the parent was configured:
2010/11/11 16:43:04| Configuring Parent 10.50.20.6/8080/8181
2010/11/11 16:43:04| Loaded Icons.
2010/11/11 16:43:04| Ready to serve requests.

No errors are present after this in the cache.log, but the access.log still shows the sites going direct:
1289494760.992 5408 10.100.10.9 TCP_MISS/000 0 GET http://www.orscheln.com/ - DIRECT/www.orscheln.com -

When I had the http_access deny line in to verify the domains were correctly being seen by the acl:
1289493703.745 0 10.100.10.9 TCP_DENIED/403 2540 GET http://www.orscheln.com/ - NONE/- text/html

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co
Received on Thu Nov 11 2010 - 17:05:10 MST
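
Added example (not part of the original message and not Squid's own code): a check that reads native-format access.log lines and reports requests whose host matches a dstdomain list but whose hierarchy field still says DIRECT, which is the symptom shown in the log above. The ACL entries and the last two log lines are constructed, since the contents of internal.dns.acl are not shown in the post.

```python
from urllib.parse import urlsplit

# Constructed stand-in for /usr/local/squid/etc/internal.dns.acl (assumption).
ACL_ENTRIES = [".orscheln.com", "intranet.example.net"]

# First two lines are quoted from the post; the last two are constructed.
SAMPLE_LOG = """\
1289494760.992 5408 10.100.10.9 TCP_MISS/000 0 GET http://www.orscheln.com/ - DIRECT/www.orscheln.com -
1289493703.745 0 10.100.10.9 TCP_DENIED/403 2540 GET http://www.orscheln.com/ - NONE/- text/html
1289494800.100 120 10.100.10.9 TCP_MISS/200 512 GET http://intranet.example.net/ - FIRSTUP_PARENT/10.50.20.6 text/html
1289494801.200 80 10.100.10.9 TCP_MISS/200 900 GET http://www.example.org/ - DIRECT/www.example.org text/html
"""

def dstdomain_match(host, entries):
    """dstdomain semantics: '.example.com' matches the domain and every
    subdomain; 'example.com' without the dot matches that exact host only."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def request_host(method, url):
    """CONNECT requests log 'host:port'; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""

def direct_violations(log_text, entries):
    """Return (timestamp, host, hierarchy) for ACL hosts that went direct."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:          # not a native-format line
            continue
        method, url, hier = fields[5], fields[6], fields[8]
        code = hier.split("/", 1)[0]  # e.g. DIRECT, HIER_DIRECT, NONE
        host = request_host(method, url)
        if code.endswith("DIRECT") and dstdomain_match(host, entries):
            hits.append((fields[0], host, hier))
    return hits

if __name__ == "__main__":
    for ts, host, hier in direct_violations(SAMPLE_LOG, ACL_ENTRIES):
        print(f"{ts} {host} bypassed the parent: {hier}")
```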
