Re: [squid-users] Proxy-Chaining

02-16-2004
Dr. Michael Weller

On Sat, 14 Feb 2004, Duane Wessels wrote:

> > I tried to build a proxy chain with
> >
> > cache_peer
> > and
> > cache_peer_access
> > as well using:
> > always_direct deny
> > never_direct allow
> >
> > Now, normal operation seems to work like this:
> >
> > client <-> squid1 <-> squid2 <-> target-net

>
> You probably shouldn't mix always_direct and never_direct.
> On squid1 you should probably only put:
>
> never_direct allow all


While mixing both directives seems superfluous, and I don't know right now
which one takes precedence, it shouldn't do any harm.

You didn't say how you defined the cache_peers. It might be a problem
with the ICP protocol between the caches involved or something else. If your
setup above is the only way for this to work, you should turn off ICP
anyway and just use a 'default' or 'standard' cache.

> > Only thing that doesn't seem to work: Any POST seems to be ignored (by
> > proxy1, probably).


Just a guess: The default setting for the maximum size of HTTP requests,
aka POSTs, seems small in squid. I always have to increase it. The default
seems to be big enough for small forms... but nowadays...

AFAIK, there is no way to block POSTS alone by acls, so the problem should
be elsewhere, but I might be mistaken.

> You need to explain what you mean by ignored. Be as specific as possible.

Yup.

> > Also, I'm not sure how to handle SSL, (CONNECT). This must return DIRECT,
> > which actually must bypass both squids. Am I right here?


No, in principle, each proxy can forward the connects until the last makes
the final target connection. The 'all' in your acls above will include
CONNECT.

Whether it makes sense to forward the connects is a different thing. The
traffic is not cached, so in principle the clients can connect right away.
But for security it might be better to have some control over client
connections, and routing etc. might require going through the proxy. For
some browsers, however, you have to specify that https goes to the proxy too.

> You need to either configure your clients to forward SSL requests to
> squid1, or configure your firewall to allow SSL traffic to pass
> through directly.

Yes.

Michael.

--

Michael Weller: eowmob@exp-math.uni-essen.de.
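
The squid1 side of the chain discussed in this thread, as an added configuration example that is not part of the original posts: one parent peer with ICP turned off, never_direct for all requests (CONNECT included), and CONNECT limited to SSL ports. The peer hostname, client network, port numbers and body-size value are assumptions, and request_body_max_size is assumed to be the request-size limit the reply has in mind.

```conf
# squid.conf on squid1 (added example; names and addresses are placeholders)

# --- ACLs -----------------------------------------------------------------
# "all" is built in on current Squid releases; Squid 2.x of the thread's era
# needed it declared explicitly:  acl all src 0.0.0.0/0.0.0.0
acl clients   src 192.0.2.0/24        # constructed client network
acl SSL_ports port 443
acl CONNECT   method CONNECT

# --- Access control ---------------------------------------------------------
# Tunnels are opaque to the proxy, so restrict where CONNECT may go
# before allowing the client network.
http_access deny CONNECT !SSL_ports
http_access allow clients
http_access deny all

# --- Chain to squid2 --------------------------------------------------------
# Fields: hostname  type  http-port  icp-port  options
#   icp-port 0 + no-query : no ICP queries are sent to the peer
#   default               : use this parent as the last-resort route
cache_peer squid2.example.internal parent 3128 0 no-query default

# Force every request, CONNECT included, through the parent.
# always_direct is left out so only one of the two directives decides routing.
never_direct allow all

# --- Request bodies (POST) --------------------------------------------------
# Assumed to be the limit referred to in the reply; the value is an example.
request_body_max_size 10 MB
```

With this in place, `squid -k parse` checks the file for syntax errors before a reload, and a failing POST can be traced by comparing access.log entries for the same request on squid1 and squid2.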
