Re: [squid-users] redirecting

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 11 Apr 2013 21:52:50 +1200

On 10/04/2013 11:59 p.m., folkert wrote:
> Hi,
>
> I'm trying to get the following to work:
>
> - all requests must go to the redirect_program. After the request went
> through the redirect program:
> - all requests must be forwarded to proxy A
> - UNLESS they are to 172.19.0.0/16 or listed in
> /usr/local/etc/squid3-directurls.txt
> - if they are in /usr/local/etc/squid3-directurls.txt they must be
> forwarded to proxy B
> - if they are to 172.19.0.0/16 they must go directly to the
> destination (172.19.0.1:8008 mostly)
>
> I tried the following:
>
> acl ir_ah dst 172.19.0.0/16
>
> redirector_access deny ir_ah

BUT your policy statement said ... "all requests must go to the
redirect_program."

> redirect_program /usr/local/bin/ir
> always_direct allow ir_ah
> always_direct deny all

"if they are to 172.19.0.0/16 they must go directly to the destination"
Okay. That is *kind* of working. If any one of the URL domain's IP
addresses is in the 172.19.0.0/16 range the request will go direct even
if the IP picked is not in that range. So be careful.

> cache_peer A parent 8123 0 default
> cache_peer B parent 8080 0
>
> acl allowed_servers dstdomain "/usr/local/etc/squid3-directurls.txt"
> cache_peer_access A deny allowed_servers
> cache_peer_access A deny ir_ah
> cache_peer_access A allow all

"all requests must be forwarded to proxy A - UNLESS they are to
172.19.0.0/16 or listed in /usr/local/etc/squid3-directurls.txt"

OKAY. That is configured.

> cache_peer_access B deny ir_ah
> cache_peer_access B allow all

"if they are in /usr/local/etc/squid3-directurls.txt they must be
forwarded to proxy B "

BROKEN. All the config says is any request which does not match ir_ah
will be directed to proxy B.
You need that to be:
   cache_peer_access B allow allowed_servers
   cache_peer_access B deny all

> What works:
> - all requests initially go to the redirect_program, it then allows them
> to be processed
> - BUT: after the redirect_program acks them, it sends the user back to
> the redirect_program!
>
> What I see is that Squid sends requests to 172.19.0.1 via its redirector
> while it should go straight through to 172.19.0.1.
> How can I fix this?

Um, this matches your policy statements about what you wanted to happen.
But it does not match what the config says should be happening.

In order for this to happen the "dst" ACL when applied to the client
original URL domain needs to be producing something other than a
172.19.0.0/16 IP address.
Note that this ACL does not match against the output of the redirector.

I'm not sure what needs to be done to make it more predictable. Avoiding
"dst" type when possible is a good idea.

The other thing to look at is *how* the redirector is "ACKing" the URL.
A proper redirect is just a referral to another location; the client
will follow up with another request. This could be what you are seeing.
Otherwise the only way I can think of that you could get double helper
lookups like this is forwarding loops somewhere causing the transaction
to re-enter Squid.

Amos
Received on Thu Apr 11 2013 - 09:53:05 MDT
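The following is an added model (not Squid code and not part of the thread) of how Squid's first-match access lists decide always_direct and cache_peer_access for the configuration above, placing folkert's original B rules beside Amos's corrected ones. The DNS answers and the contents of squid3-directurls.txt are constructed sample data; the model reports only which peers a request is *permitted* to use, not which permitted peer Squid finally selects.

```python
import ipaddress

# Constructed sample data: resolved addresses per domain and the
# domains assumed to be listed in /usr/local/etc/squid3-directurls.txt.
DNS = {
    "intranet.example": ["172.19.0.1"],
    "dual.example": ["203.0.113.10", "172.19.0.7"],  # only one address in range
    "partner.example": ["198.51.100.5"],
    "www.example": ["192.0.2.20"],
}
DIRECT_URLS = {"partner.example"}
IR_AH = ipaddress.ip_network("172.19.0.0/16")

def acl_ir_ah(domain):
    # "dst" matches when ANY resolved address of the domain lies in the
    # range, which is the caveat Amos raises about 172.19.0.0/16.
    return any(ipaddress.ip_address(ip) in IR_AH for ip in DNS.get(domain, []))

def acl_allowed_servers(domain):
    # "dstdomain" against the directurls file (exact match in this model).
    return domain in DIRECT_URLS

ACLS = {"ir_ah": acl_ir_ah, "allowed_servers": acl_allowed_servers,
        "all": lambda domain: True}

def evaluate(rules, domain):
    # Squid access-list semantics: the first line whose ACL matches decides;
    # if no line matches, the result is the opposite of the last line's action.
    for action, acl in rules:
        if ACLS[acl](domain):
            return action == "allow"
    return rules[-1][0] != "allow"

ORIGINAL = {
    "always_direct": [("allow", "ir_ah"), ("deny", "all")],
    "A": [("deny", "allowed_servers"), ("deny", "ir_ah"), ("allow", "all")],
    "B": [("deny", "ir_ah"), ("allow", "all")],           # folkert's rules
}
CORRECTED = dict(ORIGINAL,
                 B=[("allow", "allowed_servers"), ("deny", "all")])  # Amos's fix

def route(config, domain):
    """Return 'direct', or the frozenset of peers the request may use."""
    if evaluate(config["always_direct"], domain):
        return "direct"
    return frozenset(p for p in ("A", "B") if evaluate(config[p], domain))

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for d in DNS:
            print(f"{name:9} {d:17} -> {route(cfg, d)}")
```

With the original rules an ordinary domain is permitted at both A and B, which is the "directed to proxy B" behaviour Amos points out; after the fix B is reachable only for listed domains, and dual.example goes direct on the strength of a single in-range address.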