We have two caches A and B far away from each other and managing different resources.
A has a peer that can reach the internet, B has direct connection to several intranets.
Both of them can access the own intranet.
A uses squid 2.3-stable4, B has 2.4-stable1 (if this matters).
To access the internet a user must authenticate to A, to access external intranets users must authenticate to B. Using the own intranet is free for all users.
All works well for people using A. It accepts any request, handles the own intranet directly, forwards external intranet requests to B and forwards internet requests to the firewall cache (after requesting username/password).
Things are bad on B. B handles direct requests correctly. Own intranet and external intranet (after requesting username/password) requests are handled directly and correctly.
But it refuses to forward Internet requests to A! It does not even try to use the cache_peer but demands that no path is found!
There are two messages logged by B:
1) (happens everytime a request of any type comes in)
WARNING: 'all' ACL is used but there is no HTTP-request -- access denied
( I've checked the source, but cannot find out if this is a real error condition or
if the message is only annoying the operator)
I tried to isolate which acl generates the message. But even after deleting all
references to 'all' the message shows up. If I delete the acl 'all' itself, squid
refuses to start because 'all' is not defined. There must be a reference in the
default config which I don't see.
2) (happens when a request for an internet site comes in)
Failed to select source for '<URL>'
always_direct = -1
never_direct = 0
timedout = 0
So I've checked my always_direct/never_direct directives. They read ok for me, but
even when I deleted them all, the message comes up.
Users get the error page "forwarding denied", but logs on A don't even see a request
coming in from B.
Some points of B's config, maybe someone can see some error:
-------------------------
# don't cache, parent needs authorization!
cache_peer XX.XX.XX parent 3128 3130 default proxy-only
cache_peer_domain XX.XX.XX !.intranet !.extranets
# all adresses
acl alleQuellen src 0.0.0.0/0.0.0.0
acl all dst 0.0.0.0/0.0.0.0
# intranet addresses
acl bgsQuellen src YYY.7.0.0/16 192.168.0.0/16 127.0.0.1/32
acl bgsZiele dst YYY.7.0.0/16 192.168.0.0/16 127.0.0.1/32
acl bgsDomaene dstdomain .XX.XX
# external intranet adresses (called extranets)
acl extranet dst 172.16.0.0/16
acl extrapol dstdomain .extrapol.de
# one external host which needs authorisation
acl InfoServer dst 172.16.XXX.YYY/32
# to request authorisation
acl Abfrage proxy_auth REQUIRED
# flow control (maybe wrong???)
# intranet and external intranets should be handled directy
always_direct allow bgsZiele
always_direct allow bgsDomaene
always_direct allow extranet
always_direct allow extrapol
never_direct deny bgsZiele
never_direct deny bgsDomaene
never_direct deny extrapol
never_direct deny extranet
# internet requests should be forwarded to A
never_direct allow all
always_direct deny all
# A should not try to call me for:
cache_peer_access XX.XX.XX allow extranet
cache_peer_access XX.XX.XX allow extrapol
cache_peer_access XX.XX.XX deny all
#####################################
#the "fun" part
#####################################
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# intranet access without password
http_access allow bgsQuellen bgsZiele
# this host needs special treatment
http_access allow bgsQuellen InfoServer Abfrage
http_access deny InfoServer
# all other extranets are free to surf
http_access allow bgsQuellen extranet extrapol
# the rest (internet) is allowed, password is checked by A
http_access allow bgsQuellen
# sink me (should not happen)
http_access deny all
##################################################################
can someone enlight me???
MAM
Received on Sun Sep 09 2001 - 01:53:39 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:06 MST