Re: [squid-users] cache_peer causes 'https proxy request speaking HTTP to HTTPS port' error

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 27 May 2011 03:44:50 +1200

On 27/05/11 02:36, Stephan Hügel wrote:
>> Squid-2.x is not being maintained.
>> Squid-3.1.12 and later releases have the fix.
>
> OK, I've built and installed Squid 3.1.12, run squid3 -k parse, and removed the
> 'acl all src all' and 'upgrade_http0.9 deny shoutcast' entries, as
> these were causing errors. Conf is now:
>
>
> # acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl localnet src 10.10.10.0/24 # RFC1918 possible internal network
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> icp_access allow localnet
> icp_access deny all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
> # upgrade_http0.9 deny shoutcast
> acl apache rep_header Server ^Apache
> # broken_vary_encoding allow apache
> hosts_file /etc/hosts
> cache_peer [domain.com ip] parent 443 0 originserver ssl sslcert=/etc/squid/certs/ccp.pem name=AB
> acl site dstdomain [www.domain.com]
> cache_peer_access AB allow site
> never_direct allow site
> http_access allow localnet
> icp_access allow localnet
>
>
> However, when I look at access.log now, I'm seeing the following:
> TCP_MISS/200 5223 CONNECT [domain.com]:443 - DIRECT/xxx.xxx.xxx.xx -
>
> Whereas with Squid 2 I was seeing:
> TCP_MISS/000 307 CONNECT [domain.com]:443 - FIRST_UP_PARENT/AB -
>
> Is there a difference in the way Squid 3 matches the 'site' dstdomain
> entry and calls the AB cache_peer address?

Is xxx.xxx.xxx.xx the IP of the peer, or some other place in public DNS?

FYI: We fixed the handshake bug by opening a socket to the peer and then, if
the peer was an origin with the right port number, passing the socket to
the DIRECT packet handling code for the SSL handshake. It's possible
that code sets the "DIRECT" flag on the request for logging. Or that peer
selection is still blocking the origin peer somehow despite the port match.

(The 200 status change is a separate bug fix)

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
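To check from access.log which way CONNECT requests for the site are actually being routed, here is an added example (not code from this thread or from the Squid project): a small Python audit that parses lines in Squid's native access_log format and flags requests to the dstdomain site that were forwarded DIRECT instead of through the cache_peer named AB. The log lines, hostnames and addresses are constructed.

```python
import re

# Constructed sample lines in Squid's native "squid" access_log format:
# time elapsed client action/code size method url ident hierarchy/from type
SAMPLE_LOG = """\
1306435000.123    210 10.10.10.5 TCP_MISS/200 5223 CONNECT www.example.com:443 - DIRECT/203.0.113.10 -
1306435001.456    305 10.10.10.5 TCP_MISS/000 307 CONNECT www.example.com:443 - FIRST_UP_PARENT/AB -
1306435002.789     98 10.10.10.7 TCP_MISS/200 1432 GET http://other.example.org/ - DIRECT/198.51.100.20 text/html
1306435003.012    120 10.10.10.5 TCP_MISS/200 5101 CONNECT www.example.com:443 - DIRECT/203.0.113.10 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<from>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return the fields of one native-format log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Host part of a CONNECT 'host:port' target or of an absolute URL, lowercased."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].rsplit(":", 1)[0].lower()


def audit_peer_routing(log_text, site, peer_name):
    """Count requests for `site` that went via `peer_name` and collect those sent DIRECT.

    `site` is matched exactly, like a dstdomain ACL entry without a leading dot.
    Returns (via_peer_count, list_of_direct_records).
    """
    via_peer, bypassed = 0, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or host_of(rec["url"]) != site.lower():
            continue
        if rec["hier"] == "DIRECT":
            bypassed.append(rec)       # peer was skipped: routing or ACL problem
        elif rec["from"] == peer_name:
            via_peer += 1              # forwarded to the intended origin peer
    return via_peer, bypassed
```

Running it against a real file is a matter of passing `open("/var/log/squid/access.log").read()` with the site and peer name from your cache_peer and dstdomain lines.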
Received on Thu May 26 2011 - 15:44:57 MDT
