RE: [squid-users] Question about 'default' option for cache_peer

From: Chris Robertson <[email protected]>
Date: Thu, 2 Feb 2006 08:45:13 -0900

> -----Original Message-----
> From: Joost de Heer [mailto:sanguis@xs4all.nl]
> Sent: Thursday, February 02, 2006 3:45 AM
> To: Kinkie
> Cc: sanguis@xs4all.nl; squid-users@squid-cache.org
> Subject: Re: [squid-users] Question about 'default' option for
> cache_peer
>
>
> Kinkie wrote:
> > On Thu, 2006-02-02 at 09:21 +0100, Joost de Heer wrote:
> >> Hello,
> >>
> >> How does the 'default' keyword for cache_peer work exactly?
> >
> > Does this answer your question?
> >
> http://squidwiki.kinkie.it/SquidFaq/TroubleShooting#head-36aed
> ae8f2cc4943850c22bdbff2e781c76ce2f6
> >
> > Kinkie
>
> What I want to do (and I don't find this answered in the FAQ):
>
> never_direct allow all
>
> cache_peer IP1 parent 8080 0 no-query default
> cache_peer IP2 parent 8080 0 no-query
> cache_peer IP3 parent 8080 0 no-query default
> cache_peer IP4 parent 8080 0 no-query
>
> acl http proto http
> acl https method CONNECT
> acl all src 0.0.0.0/0.0.0.0
>
> cache_peer_access allow IP1 http
> cache_peer_access deny IP1 all
> cache_peer_access allow IP2 http
> cache_peer_access deny IP2 all
> cache_peer_access allow IP3 https
> cache_peer_access deny IP3 all
> cache_peer_access allow IP4 https
> cache_peer_access deny all
>
> I.e. IP1 is default server for http traffic, and IP2 should
> only be used
> when IP1 isn't available, and IP3 is default for https, and IP4 should
> only be used if IP3 isn't available.
>
> Joost
>
>

From a quick test, that setup (with properly formatted cache_peer_access lines ;) ) will likely work as expected for HTTP traffic, but will not allow failover for HTTPS*.

Testing method:

cache_peer DNS-of-proxy1 parent 8080 7 no-query default
cache_peer ip-of-proxy1 parent 8080 7 no-query
cache_peer DNS-of-proxy2 parent 8080 7 no-query default
cache_peer ip-of-proxy2 parent 8080 7 no-query

acl http proto http
acl https method CONNECT
acl all src 0.0.0.0/0.0.0.0

cache_peer_access DNS-of-proxy1 allow http
cache_peer_access DNS-of-proxy1 deny all
cache_peer_access ip-of-proxy2 allow http
cache_peer_access ip-of-proxy2 deny all
cache_peer_access DNS-of-proxy2 allow https
cache_peer_access DNS-of-proxy2 deny all
cache_peer_access ip-of-proxy1 allow https
cache_peer_access ip-of-proxy1 deny all

Normal result:

1138901882.310 70 myIP TCP_MISS/200 1644 GET http://www.google.com/ - DEFAULT_PARENT/DNS-of-proxy1 text/html
1138901882.545 234 myIP TCP_CLIENT_REFRESH_MISS/200 8922 GET http://www.google.com/intl/en/images/logo.gif - DEFAULT_PARENT/DNS-of-proxy1 image/gif
1138901887.503 409 myIP TCP_MISS/000 19446 CONNECT www.wellsfargo.com:443 - DEFAULT_PARENT/DNS-of-proxy2 -

Result with access to proxy1 denied by firewall output rule:

1138901941.860 9752 myIP TCP_MISS/200 1644 GET http://www.google.com/ - ANY_PARENT/IP-of-proxy2 text/html
1138901942.081 221 myIP TCP_CLIENT_REFRESH_MISS/200 8922 GET http://www.google.com/intl/en/images/logo.gif - ANY_PARENT/IP-of-proxy2 image/gif
1138901948.523 612 myIP TCP_MISS/000 19440 CONNECT www.wellsfargo.com:443 - DEFAULT_PARENT/DNS-of-proxy2 -

Result with access to proxy2 denied by firewall output rule:

1138901995.241 90 myIP TCP_MISS/200 1646 GET http://www.google.com/ - DEFAULT_PARENT/DNS-of-proxy1 text/html
1138901995.409 168 myIP TCP_CLIENT_REFRESH_MISS/200 8922 GET http://www.google.com/intl/en/images/logo.gif - DEFAULT_PARENT/DNS-of-proxy1 image/gif
1138901999.323 2 myIP TCP_MISS/503 0 CONNECT www.wellsfargo.com:443 - DEFAULT_PARENT/DNS-of-proxy2 -

Note that adding the "default" keyword to all cache_peer lines had no effect on the test. CONNECT failover was not achieved.

Chris

*Results may differ with four different IP addresses.
Received on Thu Feb 02 2006 - 10:45:32 MST

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST