Re: [squid-users] prevent squid from "temporarily disabling (...) digest" ?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 03 Oct 2011 17:20:23 +1300

On 27/09/11 15:45, Dale Mahalko wrote:
> Environment:
> pfSense 1.2.3-Release
> Squid 2.7.9_4.1
>
> I am using squid as a local access-logging front-end, to another
> remote proxy which acts as a content filter on which I don't have
> reporting/logging access.
>
> If I specify the remote proxy and port in the web browser, I just get
> a blank "can't connect" error for HTTPS addresses. It is blocking the
> site, as expected.

Well, HTTPS in proxy-formatted HTTP requests is called "CONNECT". The
thing to be aware of is that this will *only* show up if the browser is
configured to use a proxy (i.e. your Squid).

Second thing is that CONNECT requests are normally not sent to peer
proxies. You have to set "nonhierarchical_direct off" to make CONNECT
and POST go to peers.

>
> But when squid is used, the access.log contains a long string of all
> "TCP_DENIED" or "TCP_MISS" messages, but the blocked page loads
> anyway.
>
> Checking the cache.log there is a message "Temporarily disabling (Not
> Found) digest from proxy.foo.com:8888"

This is unrelated. It simply means the peer is not willing or able to share
a cache digest with your Squid. Add "no-digest" to its cache_peer line
to silence these.

>
> it appears squid is quietly saying "fine, I will go direct and
> retrieve the data anyway".

Exactly.

>
> The directive never_direct doesn't do anything for this:
> never_direct deny all

You misunderstand never_direct (it's a bit of a twisted double-negative
directive).

  "allow" is the only value with active meaning on never_direct.
  "deny" is simply a way to avoid/bypass some following "allow" lines
from having any effect. It equates to "maybe go direct" in never_direct.

>
> I need squid to just simply give up and stop trying to access the
> blocked site, if the upstream parent won't provide the content.

I think you need:

   # send CONNECT (https://) and POST through the peer.
   nonhierarchical_direct off

   # prevent Squid going direct if the peer denies.
   never_direct allow all

.. and make sure the cache_peer line has type "parent" for the peer.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.12
Received on Mon Oct 03 2011 - 04:20:28 MDT
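An added example, not part of Amos's reply or of the Squid project: a small POSIX shell script that gathers the pieces above (the "no-digest" peer option, "nonhierarchical_direct off" and "never_direct allow all") into one squid.conf fragment, and then checks access.log for requests whose hierarchy code is DIRECT, which is exactly the symptom in the original report (Squid quietly fetching the blocked site itself). The peer host and port are the ones from the quoted cache.log message; the log lines are constructed for the example, and the /var/log/squid/access.log path is an assumption.

```shell
#!/bin/sh
# Print the squid.conf fragment that forces everything through the parent.
# Host and port come from the cache.log message quoted in the thread; the
# "no-query" option (no ICP to the peer) is an added assumption.
squid_peer_config() {
    cat <<'EOF'
# parent peer; no-digest silences "Temporarily disabling (...) digest"
cache_peer proxy.foo.com parent 8888 0 no-query no-digest

# send CONNECT (https://) and POST through the peer instead of direct
nonhierarchical_direct off

# prevent Squid going direct if the peer denies or is unreachable
never_direct allow all
EOF
}

# Constructed sample access.log lines in Squid's native format. Field 9 is
# hierarchy-code/peer-host: FIRSTUP_PARENT = served via the parent,
# NONE = denied locally, DIRECT = Squid fetched it itself (the problem).
SAMPLE_LOG='1317617580.123    245 192.168.1.10 TCP_MISS/200 4521 GET http://www.example.com/ - FIRSTUP_PARENT/10.0.0.5 text/html
1317617581.456   1200 192.168.1.10 TCP_MISS/200 9833 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1317617582.789     12 192.168.1.10 TCP_DENIED/403 1450 GET http://blocked.example.net/ - NONE/- text/html
1317617583.012    980 192.168.1.10 TCP_MISS/200 7120 GET http://blocked.example.net/ - DIRECT/203.0.113.7 text/html
1317617584.345    310 192.168.1.10 TCP_MISS/200 2200 POST http://www.example.com/form - FIRSTUP_PARENT/10.0.0.5 text/html'

# Read a native-format access.log on stdin and print only the requests
# that bypassed the parent (hierarchy code DIRECT).
direct_requests() {
    awk '{ split($9, h, "/"); if (h[1] == "DIRECT") print }'
}

# Count the DIRECT requests in the constructed sample (expected: 2).
count_direct_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | direct_requests | wc -l | tr -d ' '
}

# Stand-alone run: show the config, then the offending sample lines.
# Against a live box (assumed path): direct_requests < /var/log/squid/access.log
squid_peer_config
echo "--- requests that went DIRECT in the sample log ---"
printf '%s\n' "$SAMPLE_LOG" | direct_requests
echo "DIRECT requests in sample: $(count_direct_in_sample)"
```

After applying the fragment and reloading Squid, the DIRECT count over fresh log lines should drop to zero; any remaining DIRECT entries point at an ACL or cache_peer_access rule still letting that traffic skip the parent.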
