Ah... I found out the problem (as to Access Denied)...
Somehow I've forgotten to include ProxyC in an http_access statement in
ProxyA...
All is well now...
Thanks for your kind assistance, Amos! :-)
Rgds
[p]
Amos Jeffries wrote:
> Pandu E Poluan wrote:
>> Without "allow-miss", I get the error:
>>
>> *Valid document was not found in the cache and only-if-cached
>> directive was specified.*
>
> Okay, best use it then. Should be safe enough in your setup.
>
> Amos
>
>>
>> Strangely, doing the same on ProxyC causes an "Access Denied" error...
>>
>> Rgds
>>
>> [p]
>>
>> Amos Jeffries wrote:
>>> Pandu E Poluan wrote:
>>>> Okay, some experimentations I made:
>>>>
>>>> I added the following lines on ProxyB:
>>>>
>>>> # lines from Amos' tip
>>>> acl fastsites dstdomain .need-fast-inet.com
>>>> acl fastsites dstdomain .another-need-fast-inet.com
>>>> never_direct allow fastsites
>>>>
>>>> Changes on ProxyA:
>>>>
>>>> # lines from Amos' tip
>>>> acl fastsites dstdomain .need-fast-inet.com
>>>> acl fastsites dstdomain .another-need-fast-inet.com
>>>> # also from Amos' tip
>>>> miss_access allow fastsites
>>>> miss_access deny siblings
>>>> miss_access allow all
>>>> # and this one from Amos' tip
>>>> always_direct allow fastsites
>>>>
>>>> My browser can't access .need-fast-inet.com
>>>>
>>>> I further changed the following lines to ProxyB:
>>>>
>>>> # added "weight=2 allow-miss"
>>>> cache_peer ProxyA sibling 3128 4827 htcp weight=2 allow-miss
>>>> # added the following line
>>>> neighbor_type_domain ProxyA parent .need-fast-inet.com .another-need-fast-inet.com
>>>>
>>>> Now, I can access .need-fast-inet.com through ProxyB.
>>>>
>>>> But, isn't that "allow-miss" dangerous?
>>>>
>>>> Any comments?
>>>>
>>>
>>> It's dangerous to use it widely. And particularly on both ends of
>>> the peering link (ie DONT place it in proxyA config for proxyB/C).
>>>
>>> It's safe to do on a one-way link. The miss_access controls you have
>>> in place at each of your Squid perform explicitly the same actions.
>>> So AFAIK you should not hit any of the loop cases that may occur.
>>>
>>> Test without the 'allow-miss' option though. I believe the setting
>>> neighbor_type_domain disables it more specifically for the objectX
>>> requests via the change to parent link.
>>>
>>> Amos
>>>
>>>>
>>>> Rgds.
>>>>
>>>>
>>>> [p]
>>>>
>>>>
>>>> Pandu E Poluan wrote:
>>>>> Hmmm... strange...
>>>>>
>>>>> Now, instead of accessing the site objectX, ProxyB and ProxyC
>>>>> users can't access the site at all...
>>>>>
>>>>> But no SQUID error page shows up... the browser simply times
>>>>> out... Accessing URLs other than objectX still works...
>>>>>
>>>>> objectX is accessible via ProxyA, though.
>>>>>
>>>>> The changes I made currently:
>>>>>
>>>>> On ProxyA:
>>>>>
>>>>> acl objectX dstdomain ...
>>>>> miss_access allow objectX
>>>>> always_direct allow objectX
>>>>>
>>>>> On ProxyB/C:
>>>>>
>>>>> acl objectX dstdomain ...
>>>>> never_direct allow objectX
>>>>>
>>>>> I'll experiment with the settings... maybe also "miss_access allow
>>>>> objectX" on ProxyB and ProxyC?
>>>>>
>>>>>
>>>>> Rgds.
>>>>>
>>>>>
>>>>>
>>>>> Pandu E Poluan wrote:
>>>>>> Aha! Thanks a lot, Amos :-)
>>>>>>
>>>>>> I have been suspicious all along that the solution uses
>>>>>> miss_access and never_direct ... but never saw an example anywhere.
>>>>>>
>>>>>> Again, much thanks!
>>>>>>
>>>>>> ** rushes to his proxies to configure them **
>>>>>>
>>>>>>
>>>>>> Rgds.
>>>>>>
>>>>>>
>>>>>> [p]
>>>>>>
>>>>>>
>>>>>> Amos Jeffries wrote:
>>>>>>> Pandu E Poluan wrote:
>>>>>>>> The URL is allowed to be accessed by everyone, ProxyA-users,
>>>>>>>> and ProxyB/C-users alike.
>>>>>>>>
>>>>>>>> I just want the URL to be retrieved by ProxyA, because
>>>>>>>> accessing that certain URL through ProxyB/C is too damn slow
>>>>>>>> (pardon the language).
>>>>>>>>
>>>>>>>>
>>>>>>>> Rgds.
>>>>>>>>
>>>>>>>
>>>>>>> Okay. Thought it might be something like that, just wanted to be
>>>>>>> sure before fuzzing the issue.
>>>>>>>
>>>>>>> You will need to create an ACL just for this URL (and others you
>>>>>>> want to do the same).
>>>>>>> acl objectX ...
>>>>>>>
>>>>>>>
>>>>>>> proxyA needs to allow peers past the miss_access block.
>>>>>>>
>>>>>>> proxyA:
>>>>>>> miss_access allow objectX
>>>>>>> miss_access deny siblings
>>>>>>> miss_access allow all
>>>>>>>
>>>>>>>
>>>>>>> siblings must never go direct to the object (always use their
>>>>>>> parent peer)
>>>>>>>
>>>>>>> proxyB/proxyC:
>>>>>>> never_direct allow objectX
>>>>>>>
>>>>>>> Amos
>>>>>>>
>>>>>>>>
>>>>>>>> Amos Jeffries wrote:
>>>>>>>>> Pandu E Poluan wrote:
>>>>>>>>>> Anyone care to comment on my email?
>>>>>>>>>>
>>>>>>>>>> And another question: Is it possible to use miss_access with
>>>>>>>>>> a dstdomain acl?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Rgds.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Pandu E Poluan wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I want to know if there is a way to force a URL to be retrieved
>>>>>>>>>>> by only a certain proxy, while ensuring that meshing works.
>>>>>>>>>>>
>>>>>>>>>>> Here's the scenario:
>>>>>>>>>>>
>>>>>>>>>>> I have a ProxyA ==> connects to Internet via a fast
>>>>>>>>>>> connection "InetFast"
>>>>>>>>>>> This proxy is used by a group of users that really need fast
>>>>>>>>>>> connection.
>>>>>>>>>>>
>>>>>>>>>>> I have other proxies ProxyB & ProxyC ==> connects to
>>>>>>>>>>> Internet via a slower connection "InetSlow"
>>>>>>>>>>> These proxies are used by the rest of the staff.
>>>>>>>>>>>
>>>>>>>>>>> I configured them all as siblings, with miss_access blocking
>>>>>>>>>>> MISS requests between them, e.g.
>>>>>>>>>>>
>>>>>>>>>>> # Configuration snippet of ProxyA
>>>>>>>>>>> cache_peer <ProxyB> sibling 3128 4827 htcp
>>>>>>>>>>> cache_peer <ProxyC> sibling 3128 4827 htcp
>>>>>>>>>>> acl siblings src <ProxyB>
>>>>>>>>>>> acl siblings src <ProxyC>
>>>>>>>>>>> miss_access deny siblings
>>>>>>>>>>> miss_access allow all
>>>>>>>>>>>
>>>>>>>>>>> ProxyB & ProxyC both have similar config.
>>>>>>>>>>>
>>>>>>>>>>> ( The aim is to 'assist' other staffers using InetSlow so
>>>>>>>>>>> that whatever has been retrieved by the InetFast users will
>>>>>>>>>>> be made available to the rest of the staff )
>>>>>>>>>>>
>>>>>>>>>>> Now, let's say there's this URL
>>>>>>>>>>> http://www.need-fast-inet.com/ that I want to be retrieved
>>>>>>>>>>> exclusively by ProxyA.
>>>>>>>>>>>
>>>>>>>>>>> How would I configure the peering relationships?
>>>>>>>>>
>>>>>>>>> If you can state the problem and the desired setup clearly in
>>>>>>>>> single-sentence steps you have usually described the
>>>>>>>>> individual config settings needed.
>>>>>>>>>
>>>>>>>>> Is the URL allowed to be fetched by the slow users through
>>>>>>>>> proxyB into proxy A and then internet?
>>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Amos
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>
--
*Pandu E Poluan*
*Panin Sekuritas*
IT Manager / Operations & Audit
Phone : +62-21-515-3055 ext 135
Fax : +62-21-515-3061
Mobile : +62-856-8400-426
e-mail : pandu_poluan_at_paninsekuritas.co.id
Y!M : hands0me_irc
MSN : si-ganteng_at_live.com
GTalk : pandu.cakep_at_gmail.com

Received on Wed Apr 08 2009 - 08:03:04 MDT
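
An added example, not part of the original thread and not Squid's own code: a small Python check for the two pitfalls discussed above, `allow-miss` set on both ends of a peering link and a peer left out of the other side's `http_access` allow ACL. The addresses, the `peers_ok` ACL name and the sample configs are constructed assumptions.

```python
# Constructed sample configs (not from the thread). Documentation-range addresses:
# 192.0.2.1 = ProxyA, 192.0.2.2 = ProxyB, 192.0.2.3 = ProxyC; "peers_ok" is a made-up ACL.
SLOW = """
    acl peers_ok src 192.0.2.1
    http_access allow peers_ok
    cache_peer 192.0.2.1 sibling 3128 4827 htcp weight=2 allow-miss
"""
CONFS = {
    "192.0.2.1": """
        acl peers_ok src 192.0.2.2
        http_access allow peers_ok
        cache_peer 192.0.2.2 sibling 3128 4827 htcp
        cache_peer 192.0.2.3 sibling 3128 4827 htcp
    """,  # ProxyC (192.0.2.3) is missing from the http_access ACL
    "192.0.2.2": SLOW,
    "192.0.2.3": SLOW,
}

def directives(conf):
    """Yield (name, args) for each non-comment squid.conf line."""
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            yield words[0], words[1:]

def peers(conf):
    """Map peer host -> cache_peer options (everything after the two ports)."""
    return {a[0]: a[4:] for d, a in directives(conf) if d == "cache_peer" and len(a) >= 4}

def http_allowed_sources(conf):
    """Addresses in src ACLs named by 'http_access allow' (simplified: exact match, no CIDR or '!')."""
    src, allowed = {}, set()
    for d, a in directives(conf):
        if d == "acl" and len(a) >= 3 and a[1] == "src":
            src.setdefault(a[0], set()).update(a[2:])
        elif d == "http_access" and a[:1] == ["allow"]:
            allowed.update(*(src.get(name, set()) for name in a[1:]))
    return allowed

def audit(confs):
    """Return (links with allow-miss on both ends, (client, server) pairs not admitted)."""
    two_way, unadmitted = set(), set()
    for me, conf in confs.items():
        for peer, opts in peers(conf).items():
            back = peers(confs.get(peer, "")).get(me, [])
            if "allow-miss" in opts and "allow-miss" in back:
                two_way.add(frozenset((me, peer)))
            if peer in confs and me not in http_allowed_sources(confs[peer]):
                unadmitted.add((me, peer))
    return two_way, unadmitted
```

On the sample, `audit(CONFS)` reports no two-way `allow-miss` link and one unadmitted pair: ProxyC's requests are not allowed by ProxyA.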