Re: [squid-users] multiple http_port names

From: errno <errno_at_cox.net>
Date: Fri, 10 Jun 2011 02:20:49 -0700

On Friday, June 10, 2011 12:07:49 AM Amos Jeffries wrote:
> On 10/06/11 09:34, errno wrote:
> > I've got squid conf that looks a bit like the following snippet:
> >
> > # ...
> > acl ip-192.168.1.2 myip 192.168.1.2
> >
> > http_port 192.168.1.2:80 name=ip-192.168.1.2
> > http_port 192.168.1.2:8080 name=ip-192.168.1.2
> >
> > tcp_outgoing_address 192.168.1.2 ip-192.168.1
> > # ...
> >
> >
> > Question: do those http_port directives need to have
> > unique 'name=' entries?
>
> unique.
>
> > Or can they all share the
> > same name? Also - and perhaps more importantly,
> > are there any similar(ish) problems with the way I've
> > named the 'myip' acl the same as the http_port names?
>
> myip is at the mercy of the interception lookups.
>
> myportname only depends on what you put in squid.conf and which actual
> listening port the traffic arrives on.
>

Well one thing that occurred is that I at first was using
myportname rather than myip for the acl in question -
but when doing so, all traffic appeared to be coming
from the server's primary ip addr (in this case, 192.168.1.1)
rather than what I intended as specified by tcp_outgoing_address -
in other words, the following (with a bit more config added for
context):

# ...
# 192.168.1.2
acl ip-192.168.1.2 myportname ip-192.168.1.2
http_port 192.168.1.2:80 name=ip-192.168.1.2
http_port 192.168.1.2:8080 name=ip-192.168.1.2
tcp_outgoing_address 192.168.1.2 ip-192.168.1.2

# 192.168.2.2
acl ip-192.168.2.2 myportname ip-192.168.2.2
http_port 192.168.2.2:80 name=ip-192.168.2.2
http_port 192.168.2.2:8080 name=ip-192.168.2.2
tcp_outgoing_address 192.168.2.2 ip-192.168.2.2
# ...

Using the above, tcp_outgoing_address did not work as
expected/intended: using a tool such as http://www.whatismyip.com/ ,
showed 192.168.1.1 in all cases, regardless of which
http_port/myportname the client originated from.

Switching from the above, to:

# ...
# 192.168.1.2
acl ip-192.168.1.2 myip 192.168.1.2
http_port 192.168.1.2:80 name=ip-192.168.1.2
http_port 192.168.1.2:8080 name=ip-192.168.1.2
tcp_outgoing_address 192.168.1.2 ip-192.168.1.2

# 192.168.2.2
acl ip-192.168.2.2 myip 192.168.2.2
http_port 192.168.2.2:80 name=ip-192.168.2.2
http_port 192.168.2.2:8080 name=ip-192.168.2.2
tcp_outgoing_address 192.168.2.2 ip-192.168.2.2
# ...

... behaved as intended: when clients went through
the http_port listener 192.168.2.2:80, the tcp_outgoing_address
worked as expected, wherein http://www.whatismyip.com
displayed 192.168.2.2 rather than 192.168.1.1.

Hope that makes sense; to rephrase/summarize:

* squid server's main/primary IP: 192.168.1.1

* one instance of squid running;

* the single instance listening on multiple <ip>:<port> http_ports:
192.168.1.2:80, 192.168.1.2:8080, 192.168.1.2:80 and
192.168.1.2:8080

results:

~ first example, using:
acl ip-192.168.1.2 myportname ip-192.168.1.2
and:
acl ip-192.168.2.2 myportname 192.168.2.2
... all cache traffic was detected as originating from server's
main/primary ip: 192.168.1.1 - and not from the specified
tcp_outgoing_address

~ BUT, second example, using:
acl ip-192.168.1.2 myip 192.168.1.2
and:
acl ip-192.168.2.2 myip 192.168.2.2
... all cache traffic was this time detected as originating
from the specified tcp_outgoing_address, as intended,
rather than from the squid server instance's primary
ip addr (192.168.1.1).

So, something in the difference between:

# ...
acl ip-192.168.1.2 myportname ip-192.168.1.2
http_port 192.168.1.2:80 name=ip-192.168.1.2
http_port 192.168.1.2:8080 name=ip-192.168.1.2
tcp_outgoing_address 192.168.1.2 ip-192.168.1.2
#...

and:

# ...
#
# don't work:
#acl ip-192.168.1.2 myportname ip-192.168.1.2
#
# works as expected/intended:
acl ip-192.168.1.2 myip 192.168.1.2
#
http_port 192.168.1.2:80 name=ip-192.168.1.2
http_port 192.168.1.2:8080 name=ip-192.168.1.2

tcp_outgoing_address 192.168.1.2 ip-192.168.1.2
#...

I'd like to understand what's going on, but the docs
I've read are not supplying any real information on
the matter.

( and as an additional piece of info; with the second
working-as-intended example, I did not need to set
server_persistent_connections to 'off', like the default
squid conf suggests:

# TAG: tcp_outgoing_address
# Allows you to map requests to different outgoing IP addresses
# based on the username or source address of the user making
# the request.
#
# tcp_outgoing_address ipaddr [[!]aclname] ...
# [ ... ]
# Note: The use of this directive using client dependent ACLs is
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persistent_connections
# to off when using this directive in such configurations.

Basically, I have one instance of squid that is listening on multiple
ip:port http_port directives, and I want the tcp_outgoing_address
for each ip to properly reflect the ip that the cache request came in on.
Received on Fri Jun 10 2011 - 09:22:26 MDT
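
Added example, not part of the original message or of Squid: a small checker for the two things this thread turns on, the unique `name=` values the quoted reply asks for and whether each `tcp_outgoing_address` line references an ACL that is actually defined. The names `lint_squid_conf`, `POSTED`, `UNIQUE`, `p1-80`, `p1-8080` and `from-1-2` are hypothetical; `UNIQUE` is a constructed variant and is not claimed to explain the behaviour reported above.

```python
from collections import defaultdict

# Constructed input: the first snippet quoted in the message above.
POSTED = """\
acl ip-192.168.1.2 myip 192.168.1.2
http_port 192.168.1.2:80 name=ip-192.168.1.2
http_port 192.168.1.2:8080 name=ip-192.168.1.2
tcp_outgoing_address 192.168.1.2 ip-192.168.1
"""
# Constructed variant (assumption, not the poster's config): unique port
# names collected under one myportname ACL.
UNIQUE = """\
http_port 192.168.1.2:80 name=p1-80
http_port 192.168.1.2:8080 name=p1-8080
acl from-1-2 myportname p1-80 p1-8080
tcp_outgoing_address 192.168.1.2 from-1-2
"""

def lint_squid_conf(text):
    """Return sorted (line, message) findings for the three directives."""
    ports = defaultdict(list)   # port name -> lines that declare it
    acls = defaultdict(list)    # acl name -> [(line, type, values)]
    outgoing = []               # (line, acl names referenced)
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "http_port" and len(tok) > 1:
            # Without name=, Squid uses the port specification as the name.
            names = [t[5:] for t in tok[2:] if t.startswith("name=")]
            ports[names[-1] if names else tok[1]].append(n)
        elif tok[0] == "acl" and len(tok) > 2:
            acls[tok[1]].append((n, tok[2], tok[3:]))
        elif tok[0] == "tcp_outgoing_address" and len(tok) > 1:
            outgoing.append((n, [t.lstrip("!") for t in tok[2:]]))
    found = []
    for name, lines in ports.items():
        for n in lines[1:]:
            found.append((n, f"http_port name '{name}' already used on line {lines[0]}"))
    for defs in acls.values():
        for n, kind, values in defs:
            for v in values if kind == "myportname" else []:
                if v not in ports:
                    found.append((n, f"myportname '{v}' matches no http_port name"))
    for n, refs in outgoing:
        for r in refs:
            if r not in acls:
                found.append((n, f"tcp_outgoing_address uses undefined acl '{r}'"))
    return sorted(found)
```
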
