RE: [squid-users] ACL processing in Squid 3.2

From: Jenny Lee <bodycare_5_at_live.com>
Date: Sat, 18 Aug 2012 17:50:49 +0000

Apologies for top posting, from Squid FAQs:
"Certain types of requests cannot be cached or are served faster going direct, and Squid is optimized to send them over direct connections by default. The nonhierarchical_direct off directive tells Squid to send these requests via the parent anyway."
I wonder if anyone can ever understand something from this.
An FAQ entry to specifically mention HTTPS/CONNECT, and solution of "nonhierarchical_direct off" is necessary since this is being asked once a week.
Jenny

> nonhierarchical_direct off
> Jenny
>
> > Date: Sat, 18 Aug 2012 18:31:14 +0100
> > From: a.farr_at_ntlworld.com
> > To: squid-users_at_squid-cache.org
> > Subject: [squid-users] ACL processing in Squid 3.2
> >
> > I may be missing something here, but it looks like ACL processing is
> > broken for at least some HTTPS requests in 3.2.
> >
> > Example configuration:
> >
> > acl useparent dstdomain domain.com
> >
> > cache_peer 172.25.2.70 parent 8080 0 no-query name=parent01 connection-auth=off
> >
> > cache_peer_access parent01 allow useparent
> > cache_peer_access parent01 deny all
> >
> > # Included to see if it made any difference
> > always_direct deny useparent
> > always_direct allow all
> >
> > Access over HTTP goes to the parent as expected, but HTTPS access does not:
> >
> > 1345310649.623 644 10.0.0.1 TCP_MISS/200 8055 GET http://www.domain.com/ - FIRSTUP_PARENT/172.25.2.70 text/html
> > 1345310544.835 8536 10.0.0.1 TCP_MISS/200 3580 CONNECT www.domain.com:443 - HIER_DIRECT/172.25.2.34 -
> >
> > Also tried adding:
> > cache_peer_access parent01 allow CONNECT useparent
> > but it made no difference.
> >
> > Build options:
> > Squid Cache: Version 3.2.1
> > configure options: '--prefix=/usr/local/squid'
> > '--infodir=/usr/local/info' '--mandir=/usr/local/man'
> > '--enable-async-io' '--enable-removal-policies=heap,lru'
> > '--disable-wccp' '--disable-wccpv2' '--disable-ident-lookups'
> > '--enable-linux-netfilter' '--with-large-files' '--disable-snmp'
> > '--disable-htcp' '--disable-ipv6' 'CFLAGS=-pipe -Wall -O2
> > -fomit-frame-pointer -march=native -s' 'CXXFLAGS=-pipe -Wall -O2
> > -fomit-frame-pointer -march=native -s'
> > 'PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:/usr/lib64/pkgconfig'
> >
> > Any suggestions, or is this a bug in 3.2?
> >
> > Andrew
> >
> >
Received on Sat Aug 18 2012 - 17:50:56 MDT
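
Added example (not part of the original messages, and not Squid's own code): a small checker that scans native-format access.log lines for requests to parent-only domains that were logged as HIER_DIRECT, the symptom shown in the thread. The PARENT_DOMAINS list, the subdomain matching and the third sample line are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains that policy says must leave via the parent peer,
# covering each name and its subdomains.
PARENT_DOMAINS = ("domain.com",)

# Native access.log: time elapsed client code/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

def request_host(method, url):
    """CONNECT is logged as host:port; other methods as an absolute URL."""
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return host.strip("[]").lower().rstrip(".")

def must_use_parent(host):
    return any(host == d or host.endswith("." + d) for d in PARENT_DOMAINS)

def direct_bypasses(lines):
    """Return (method, host, next_hop) for policy domains fetched HIER_DIRECT."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the native format
        host = request_host(m["method"], m["url"])
        if must_use_parent(host) and m["hier"] == "HIER_DIRECT":
            findings.append((m["method"], host, m["peer"]))
    return findings

# Constructed sample: the two entries from the post (unwrapped) plus one unrelated line.
SAMPLE = [
    "1345310649.623 644 10.0.0.1 TCP_MISS/200 8055 GET http://www.domain.com/ - FIRSTUP_PARENT/172.25.2.70 text/html",
    "1345310544.835 8536 10.0.0.1 TCP_MISS/200 3580 CONNECT www.domain.com:443 - HIER_DIRECT/172.25.2.34 -",
    "1345310700.101 120 10.0.0.1 TCP_MISS/200 512 CONNECT other.example:443 - HIER_DIRECT/192.0.2.10 -",
]

if __name__ == "__main__":
    for method, host, hop in direct_bypasses(SAMPLE):
        print(f"bypassed parent: {method} {host} -> {hop}")
```

Run against a real access.log after adding "nonhierarchical_direct off"; an empty result means the CONNECT requests for the listed domains are no longer going direct.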
