Re: [squid-users] Proxy-Chaining

From: Dr. Michael Weller <eowmob@dont-contact.us>
Date: Mon, 16 Feb 2004 12:14:35 +0100 (MEZ)

On Sat, 14 Feb 2004, Duane Wessels wrote:

> > I tried to build a proxy chain with
> >
> > cache_peer
> > and
> > cache_peer_access
> > as well using:
> > always_direct deny
> > never_direct allow
> >
> > Now, normal operation seems to work like this:
> >
> > client <-> squid1 <-> squid2 <-> target-net
>
> You proably shouldn't mix always_direct and never_direct.
> On squid1 you should probably only put:
>
> never_direct allow all

While mixing both directives seems superfluous, and I don't know right now
which one takes precedence, it shouldn't do any harm though.

You didn't tell how you defined the cache_peers. It might be a problem
with the ICP protocol between the caches involved or something else. If your
setup above is the only way for this to work, you should turn off ICP
anyway and just use a 'default' or 'standard' cache.

> > Only thing that doesn't seem to work: Any POST seems to be ignored (by
> > proxy1, probably).

Just a guess: The default setting for the maximum size of http requests,
aka posts, seems small in squid. I always have to increase it. The default
seems to be big enough for small forms.. but nowadays...

AFAIK, there is no way to block POSTs alone by ACLs, so the problem should
be elsewhere, but I might be mistaken.

> You need to explain what you mean by ignored. Be as specific as possible.
Yup.

> > Also, I'm not sure how to handle SSL, (CONNECT). This must return DIRECT,
> > which actually must bypass both squids. Am I right here?

No, in principle, each proxy can forward the connects until the last makes
the final target connection. The 'all' in your acls above will include
CONNECT.

Whether it makes sense to forward the connects is a different thing. The
traffic is not cached, so in principle the clients can connect right away.
But for security it might be better to have some control over client
connections, and routing etc. might require going through the proxy. For
some browsers, however, you have to specify that https goes to the proxy too.
 
> You need to either configure your clients to forward SSL requests to
> squid1, or configure your firewall to allow SSL traffic to pass
> through directly.
Yes.

Michael.

--
Michael Weller: eowmob@exp-math.uni-essen.de.
Received on Mon Feb 16 2004 - 04:14:39 MST
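As an added illustration (editor's example, not the poster's actual configuration and not code from the thread), here is a minimal squid.conf fragment for the chain client <-> squid1 <-> squid2 <-> target-net that follows the advice in this reply: a single parent peer with ICP turned off and marked default, never_direct allow all with no always_direct line to conflict with it, a raised request body limit for POSTs, and CONNECT permitted so that https is forwarded to the parent like any other request. The host names, addresses, ports and the size value are assumptions.

```conf
# squid1: the client-facing proxy (assumed example values throughout)

# One parent peer. ICP port 0 together with no-query turns ICP off, and
# "default" makes squid2 the peer of last resort, so everything that is
# not a cache hit is sent there.
cache_peer squid2.example.internal parent 3128 0 no-query default
cache_peer_access squid2.example.internal allow all

# Never fetch directly from squid1. always_direct is deliberately left out
# so the two directives cannot disagree.
never_direct allow all

# Request bodies (POSTs) larger than this are refused; raise it if large
# form submissions or uploads fail. "0 KB" would remove the limit.
request_body_max_size 16 MB

# CONNECT (https) is forwarded to the parent like any other request as
# long as http_access admits it; the usual restriction to port 443 stays.
acl SSL_ports port 443
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# squid2: the last hop. With no cache_peer line it connects to the target
# network directly; it should only accept requests coming from squid1.
# acl squid1 src 10.0.0.10/32
# http_access allow squid1
# http_access deny all
```

With this in place a CONNECT from the client arrives at squid1 as a normal request, is passed to squid2 because never_direct forbids a direct connection, and squid2 opens the tunnel to the target host, so the client does not need a firewall exception for port 443 as long as the browser is told to use the proxy for https as well.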

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:02 MST