Discussion:
[squid-users] Question on Many Clients to Many Proxy Lists
Wire Cutter
2018-11-29 14:57:08 UTC
Permalink
I have an issue with a Squid config I can’t figure out. I’m trying to have
a many (Hosts) to many (Upstream proxies) in a single config.

I’ve created 4 ports for clients to talk to, then created ACL lists for
those ports. From there I’ve tried (and failed) to create naming groups
for caching peers, then added those to ACLs and it fails. Any ideas?

Here’s a link on what some people have come up with.
https://www.linuxquestions.org/questions/linux-server-73/squid-multiple-ports-multiple-destinations-4175450243/
Any help would be appreciated
Alex Rousskov
2018-11-29 15:44:43 UTC
Permalink
Post by Wire Cutter
I’ve created 4 ports for clients to talk to, then created ACL lists for
those ports. From there I’ve tried (and failed) to create naming groups
for caching peers, then added those to ACLs and it fails. Any ideas?
Use cache_peer_access to allow http_port X traffic (and only that
traffic) to peer group Y:

# rules for peer group A
cache_peer_access peerA1 allow receivedOnPortForPeersA
cache_peer_access peerA2 allow receivedOnPortForPeersA
cache_peer_access peerA3 allow receivedOnPortForPeersA
...
# rules for peer group B
cache_peer_access peerB1 allow receivedOnPortForPeersB
cache_peer_access peerB2 allow receivedOnPortForPeersB
...


Depending on your traffic and needs, you may also need to allow
non-hierarchical requests to go to peer:

nonhierarchical_direct off

and/or to prohibit direct connections for portX:

never_direct allow receivedOnPortForPeersA
never_direct allow receivedOnPortForPeersB


Once you get this working, please make Squid documentation improvements
that would have allowed you to figure this out on your own.


HTH,

Alex.
Wire Cutter
2018-11-30 18:51:45 UTC
Permalink
So that's exactly what I did.

#Rules for Peer group - list 1
cache_peer_access peerA1 allow port_8080
cache_peer_access peerA2 allow port_8080
cache_peer_access peerA3 allow port_8080
cache_peer_access peerA4 allow port_8080

#cache_peer
cache_peer 192.168.1.2 parent 8800 0 round-robin no-query name=peerA1
cache_peer 192.168.2.2 parent 8800 0 round-robin no-query name=peerA2
cache_peer 192.168.2.5 parent 8800 0 round-robin no-query name=peerA3
cache_peer 192.168.2.6 parent 8800 0 round-robin no-query name=peerA4

Then this is the error I get when I start the service

Nov 30 18:38:11 ubuntu systemd[1]: Starting LSB: Squid HTTP Proxy version 3.x...
Nov 30 18:38:11 ubuntu squid[13974]: Bungled /etc/squid/squid.conf line 3148: cache_peer_access peerA1 allow port_8080
Nov 30 18:38:11 ubuntu squid[13980]: Bungled /etc/squid/squid.conf line 3148: cache_peer_access peerA1 allow port_8080
Nov 30 18:38:11 ubuntu squid[13957]: * FATAL: Bungled /etc/squid/squid.conf line 3148: cache_peer_access peerA1 allow port_8080
Nov 30 18:38:11 ubuntu systemd[1]: squid.service: Control process exited, code=exited status=3
Nov 30 18:38:11 ubuntu systemd[1]: squid.service: Failed with result 'exit-code'.
Nov 30 18:38:11 ubuntu systemd[1]: Failed to start LSB: Squid HTTP Proxy version 3.x.



_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
--
_________________________________________________________________________________

This transmission may contain information that is privileged, confidential
and exempt from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is STRICTLY PROHIBITED. If you received this
transmission in error, please immediately contact the sender and destroy
the material in its entirety, whether in electronic or hard copy format.
Alex Rousskov
2018-11-30 19:17:20 UTC
Permalink
Post by Wire Cutter
cache_peer_access peerA1 allow port_8080
cache_peer 192.168.1.2 parent 8800 0 round-robin no-query name=peerA1
Then this is the error I get when I start the service 
Bungled /etc/squid/squid.conf line 3148: cache_peer_access peerA1 allow port_8080
Did you define peerA1 and port_8080 before (you used them on) line 3148?
If not, you should.

Alex.
Wire Cutter
2018-11-30 19:57:08 UTC
Permalink
Yes both were before the cache, but I wasn't calling the correct group in
the ACL, which caused the issue.


Thanks for your help.

Now to figure out why it's slow
