Re: [squid-users] cache_peer_access - no longer working as expected

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 24 Jul 2014 19:49:43 +1200

On 23/07/2014 1:16 p.m., Matthew Croall wrote:
> Hi,
>
> Long time Squid user, first time posting so I hope I am doing this correctly.
>
> Having recently upgraded Squid from 3.1 to 3.3 at both organisations I
> support, I have noticed that cache_peer selection doesn't seem to obey
> cache_peer_access anymore.
>
> Squid Cache: Version 3.3.8
> Ubuntu
> configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
> '--srcdir=.' '--disable-maintainer-mode'
> '--disable-dependency-tracking' '--disable-silent-rules'
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8'
> '--enable-storeio=ufs,aufs,diskd,rock'
> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
> '--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
> '--enable-follow-x-forwarded-for'
> '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
> '--enable-auth-digest=file,LDAP'
> '--enable-auth-negotiate=kerberos,wrapper'
> '--enable-auth-ntlm=fake,smb_lm'
> '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
> '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
> '--enable-icmp' '--enable-zph-qos' '--enable-ecap'
> '--disable-translation' '--with-swapdir=/var/spool/squid3'
> '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
> '--with-filedescriptors=65536' '--with-large-files'
> '--with-default-user=proxy' '--enable-linux-netfilter'
> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
> 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
> 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE
> -fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security'
>
> Config extract:
> # No Authentication
> cache_peer 10.60.184.47 parent 8080 0 no-digest no-query name=minimum_filtering login=user:secret
> cache_peer_access minimum_filtering allow trusted_computers
> cache_peer_access minimum_filtering allow admin_subnet
> cache_peer_access minimum_filtering deny all
>
> # Requires Authentication
> cache_peer 10.60.184.47 parent 8080 0 no-query no-digest name=regular_filtering login=PASS
> cache_peer_access regular_filtering deny trusted_computers
> cache_peer_access regular_filtering deny admin_subnet
> cache_peer_access regular_filtering allow all
>
> Previously, any trusted computer or anyone from the admin subnet would
> not get an HTTP basic auth logon box and would always pass through the
> minimum_filtering peer. Since upgrading, users from all over the place
> and myself are now getting logon boxes every now and then; it just
> seems like it is just load balancing and ignoring the
> cache_peer_access controls.
>
> Has anyone else experienced this? Any help at all would be greatly appreciated!

You are the first to report an issue of this type IIRC. There are a
couple of traffic handling behaviours changed between those series of
Squid which may be relevant. So...

 What does the rest of your squid.conf contain?
 Any sign of issues in cache.log?
  (perhaps with "debug_options ALL,1")

Amos
Received on Thu Jul 24 2014 - 07:50:01 MDT
