Re: [squid-users] Issue with always_direct and local hosts

From: Chris Gallacher <cgall2k_at_gmail.com>
Date: Thu, 18 Nov 2010 17:02:06 +0000

After enabling debug_options 28,3 & 44,3 I can see that Squid is
processing my ACLs exactly as I would expect (log dump below). Squid
is identifying that requests for my intranet should be going direct
and yet I am still receiving a Websense error page, indicating that
this is not the case. There is clearly something else going on here
that I do not yet understand.

Can anyone advise what other factors would influence whether Squid
connects directly or through a parent cache?

Thanks,
Chris

Cache.log for a single request for intranet.mydomain.co.uk with
debug_options 28,3 44,3:
----------------------------------------------------------------------------------------------------------
2010/11/18 16:40:27| aclCheck: checking 'http_access allow all'
2010/11/18 16:40:27| aclMatchAclList: checking all
2010/11/18 16:40:27| aclMatchAcl: checking 'acl all src all'
2010/11/18 16:40:27| aclMatchIp: '10.128.210.121' found
2010/11/18 16:40:27| aclMatchAclList: returning 1
2010/11/18 16:40:27| aclCheck: match found, returning 1
2010/11/18 16:40:27| aclCheckCallback: answer=1
2010/11/18 16:40:27| peerSelect: http://intranet.mydomain.co.uk/
2010/11/18 16:40:27| peerSelectFoo: 'GET intranet.mydomain.co.uk'
2010/11/18 16:40:27| aclCheck: checking 'always_direct allow localdomain'
2010/11/18 16:40:27| aclMatchAclList: checking localdomain
2010/11/18 16:40:27| aclMatchAcl: checking 'acl localdomain dstdomain .mydomain.co.uk'
2010/11/18 16:40:27| aclMatchDomainList: checking 'intranet.mydomain.co.uk'
2010/11/18 16:40:27| aclMatchDomainList: 'intranet.mydomain.co.uk' found
2010/11/18 16:40:27| aclMatchAclList: returning 1
2010/11/18 16:40:27| aclCheck: match found, returning 1
2010/11/18 16:40:27| aclCheckCallback: answer=1
2010/11/18 16:40:27| peerCheckAlwaysDirectDone: 1
2010/11/18 16:40:27| peerSelectFoo: 'GET intranet.mydomain.co.uk'
2010/11/18 16:40:27| peerSelectFoo: direct = DIRECT_YES
2010/11/18 16:40:27| peerSelectCallback: http://intranet.mydomain.co.uk/
2010/11/18 16:40:27| aclMatchAclList: checking all
2010/11/18 16:40:27| aclMatchAcl: checking 'acl all src all'
2010/11/18 16:40:27| aclMatchIp: '10.128.210.121' found
2010/11/18 16:40:27| aclMatchAclList: returning 1
2010/11/18 16:40:27| aclCheck: checking 'http_reply_access allow all'
2010/11/18 16:40:27| aclMatchAclList: checking all
2010/11/18 16:40:27| aclMatchAcl: checking 'acl all src all'
2010/11/18 16:40:27| aclMatchIp: '10.128.210.121' found
2010/11/18 16:40:27| aclMatchAclList: returning 1
2010/11/18 16:40:27| aclCheck: match found, returning 1
2010/11/18 16:40:27| aclCheckCallback: answer=1
----------------------------------------------------------------------------------------------------------

On 18 November 2010 08:14, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 18/11/10 08:35, Chris Gallacher wrote:
>>
>> Hello,
>>
>> I am experiencing issues when trying to configure Squid to bypass my
>> company's parent proxy for local hosts. My configuration is as
>> follows:
>>
>> (User Facing Proxy - Squid) <-> (Parent Proxy - Squid) <-> (Parent Proxy - Websense)
>>
>> Both of the Squid proxies are running squid-2.7.STABLE8 on Windows
>> Server 2003 SP2 boxes.
>>
>> Config file for user facing proxy (Stripped to bare essentials for
>> troubleshooting):
>>
>> ------------------------------------------------------------------------------------------------------------------
>> cache_peer parentproxy.mydomain.co.uk parent 8082 0 login=PASS connection-auth=on
>> append_domain .mydomain.co.uk
>>
>> acl all src all
>> acl localdomain dstdomain .mydomain.co.uk
>> acl localip dst 10.0.0.0/8
>>
>> always_direct allow localdomain
>> always_direct allow localip
>> never_direct allow all
>> http_access allow all
>>
>> -------------------------------------------------------------------------------------------------------------------
>>
>> When trying to access intranet.mydomain.co.uk I would expect Squid to
>> match this request with the first, and if not the second, of the
>> always_direct access lists and connect directly to the internal web
>> server, presenting me with my company's main intranet page. Instead I
>> am presented with a Websense "Page cannot be displayed" error,
>> indicating that the request was in fact forwarded to the Squid parent
>> proxy and then on to Websense.
>>
>> As you may have guessed I am new to Squid, and to Proxy servers in
>> general. If anyone can provide advice regarding where I have gone
>> wrong with my configuration or which debug sections would best help me
>> to understand how requests are being processed by Squid your
>> assistance would be greatly appreciated.
>
>
> That first line should be matching. IIRC "debug_options 28,3 44,3" will tell
> you what is going on.
>
>
> You could also use these instead of your never_direct line:
>
>  cache_peer_access parentproxy.mydomain.co.uk deny localdomain
>  cache_peer_access parentproxy.mydomain.co.uk deny localip
>  never_direct allow !localdomain !localip
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.9
>  Beta testers wanted for 3.2.0.3
>
Received on Thu Nov 18 2010 - 17:02:19 MST
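
An added example, not part of the original message or of Squid: a small Python parser for the section 44 peer-selection lines shown in the cache.log excerpt above, reporting per request which always_direct/never_direct rules were checked, the peerCheckAlwaysDirectDone answer and the resulting direct state. It assumes only the line formats visible in this post; the function name and the embedded sample (lines copied from the excerpt) are illustrative.

```python
import re

# Constructed sample: lines copied from the cache.log excerpt in this post.
SAMPLE_LOG = """\
2010/11/18 16:40:27| peerSelect: http://intranet.mydomain.co.uk/
2010/11/18 16:40:27| peerSelectFoo: 'GET intranet.mydomain.co.uk'
2010/11/18 16:40:27| aclCheck: checking 'always_direct allow localdomain'
2010/11/18 16:40:27| aclMatchAclList: checking localdomain
2010/11/18 16:40:27| aclMatchDomainList: 'intranet.mydomain.co.uk' found
2010/11/18 16:40:27| aclCheck: match found, returning 1
2010/11/18 16:40:27| peerCheckAlwaysDirectDone: 1
2010/11/18 16:40:27| peerSelectFoo: direct = DIRECT_YES
2010/11/18 16:40:27| peerSelectCallback: http://intranet.mydomain.co.uk/
2010/11/18 16:40:27| aclCheck: checking 'http_reply_access allow all'
"""

# "<date> <time>| <function>: <message>" as printed in the excerpt.
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| (\w+): (.*)$")
RULE = re.compile(r"^checking '((?:always|never)_direct \w+ .+)'$")

def summarize_peer_selection(log_text):
    """Return one record per peerSelect..peerSelectCallback span."""
    requests, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # mail-wrapped continuation lines carry no timestamp
        ts, func, msg = m.groups()
        if func == "peerSelect":
            cur = {"time": ts, "url": msg, "rules_checked": [],
                   "always_direct_answer": None, "direct": None,
                   "callback_seen": False}
            requests.append(cur)
        elif cur is None:
            continue  # ACL checks outside peer selection (http_access etc.)
        elif func == "aclCheck" and (r := RULE.match(msg)):
            cur["rules_checked"].append(r.group(1))
        elif func == "peerCheckAlwaysDirectDone":
            cur["always_direct_answer"] = int(msg.split()[0])
        elif func == "peerSelectFoo" and msg.startswith("direct = "):
            cur["direct"] = msg[len("direct = "):]
        elif func == "peerSelectCallback":
            cur["callback_seen"] = True
            cur = None  # later aclCheck lines belong to reply handling
    return requests

if __name__ == "__main__":
    for rec in summarize_peer_selection(SAMPLE_LOG):
        print(rec)
```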
