Can cache_peer be localhost?

Peng Yu
Hi, I have the following configuration. When I access port 3129 and it
is localhost's turn in the round-robin, then the access will fail. Is
there a way to make it work?

$ grep -v '^#' squid.conf|grep -v '^$'
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
http_port 3129
acl port_3129_acl myportname 3129
cache_peer server1 parent 3128 0 round-robin no-query name=server1_3128
cache_peer_access server1_3128 allow port_3129_acl
cache_peer localhost parent 3128 0 round-robin no-query name=localhost_3128
cache_peer_access localhost_3128 allow port_3129_acl
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .        0    20%    4320
forwarded_for delete


--
Regards,
Peng
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Can cache_peer be localhost?

Amos Jeffries
Administrator
On 17/02/18 15:05, Peng Yu wrote:
> Hi, I have the following configuration. When I access port 3129 and it
> is localhost's turn in the round-robin, then the access will fail. Is
> there a way to make it work?
>
> $ grep -v '^#' squid.conf|grep -v '^$'
...
> http_port 3128

This port receives localhost:3128 traffic.

> http_port 3129
> acl port_3129_acl myportname 3129
> cache_peer server1 parent 3128 0 round-robin no-query name=server1_3128
> cache_peer_access server1_3128 allow port_3129_acl
> cache_peer localhost parent 3128 0 round-robin no-query name=localhost_3128
> cache_peer_access localhost_3128 allow port_3129_acl

Now you have an infinite forwarding loop.

 client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat forever.

 Of that second 50%:  50% will go to server1 and 50% loops back, repeat
to infinity.
 So in total 50% + 25% + 12.5% + ... of traffic goes to server1.

Can you see why this type of config is harmful?


...
> forwarded_for delete

... and you are deleting the X-Forwarded-For header whose purpose is in
part to show you how these loops are happening.


To answer your question it is not possible to work the way you seem to
expect, and that can be proven mathematically.

Since you have two peers and round-robin each time a loop happens 50% of
traffic goes to server1, 50% loops back into this Squid.

In other words:
 50% of traffic goes to server1 on its first time through.
 50% of traffic loops back through localhost to this Squid.

 25% of traffic goes to server1 on its second loop.
 ...

 12.5% of traffic goes to server1 on its third loop.
 ...

 and so on until 99.99999...% of traffic is going to server1, with
increasingly small amounts of traffic looping just one more time.

Each loop consumes 2 TCP ports and ~256KB of RAM. So if anything were
done to permit the looping to happen, at some point very early the
machine would completely run out of either TCP sockets or RAM.

Those are both shared resources possibly needed by other software on the
machine. If either is consumed completely by Squid looping the OS
encounters horrible problems, up to and including the kernel crashing.


Luckily you are leaving the Via header in place which Squid uses to
block looping traffic before it causes serious damage to the machine.


Amos
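
Amos's 50% + 25% + 12.5% ... series and the Via-header loop check he mentions, modelled in Python as an added illustration. This is not Squid source code and not code from anyone in the thread. The hostname squid.example.internal, the function names and the sample Via values are assumptions made for the example; Squid's own check compares the Via header against its unique_hostname, and the Via parsing below is the example's, not Squid's.

```python
"""
Model of the forwarding loop discussed above (added illustration, not Squid code).

1. round_robin_shares: with n round-robin parents of which one is this same
   Squid, each pass hands (n-1)/n of the remaining traffic to a real parent
   and 1/n back into the loop.  For n == 2 that is the 1/2, 1/4, 1/8 ... series.
2. via_for_next_hop: a forward proxy appends "protocol received-by" to Via on
   every hop (RFC 7230 section 5.7.1).  If its own identity is already in the
   incoming Via, the request has been here before and is refused instead of
   being forwarded again.  Squid compares against its unique_hostname; the
   identity below is an assumed value for the example.
"""
from fractions import Fraction
from typing import List, Optional, Tuple

# Assumed identity of the Squid in the thread (stands in for unique_hostname).
MY_ID = "squid.example.internal"


def round_robin_shares(n_peers: int, passes: int) -> Tuple[List[Fraction], Fraction]:
    """Traffic shares for a round-robin parent set containing this proxy once.

    Returns (per_pass, still_looping): per_pass[k] is the share of all traffic
    that reaches a real parent on pass k+1; still_looping is the share that has
    not escaped after `passes` passes.  The two always sum to 1.
    """
    if n_peers < 2:
        raise ValueError("need at least one real parent plus the self entry")
    escape = Fraction(n_peers - 1, n_peers)  # share handed to a real parent
    stay = Fraction(1, n_peers)              # share handed back to ourselves
    per_pass = [escape * stay ** k for k in range(passes)]
    return per_pass, stay ** passes


def parse_via(via: str) -> List[str]:
    """Return the received-by identifiers from a Via header value.

    Each comma-separated element is 'received-protocol received-by [comment]';
    the protocol may be written as '1.1' or 'HTTP/1.1'.
    """
    ids = []
    for element in via.split(","):
        parts = element.strip().split(None, 2)
        if len(parts) >= 2:
            ids.append(parts[1])
    return ids


def via_for_next_hop(incoming_via: Optional[str], my_id: str = MY_ID) -> Optional[str]:
    """Decide whether a request may be forwarded upstream.

    Returns None when my_id already appears in the incoming Via (a forwarding
    loop), otherwise the Via value to send on, with this hop appended.
    """
    if incoming_via and my_id in parse_via(incoming_via):
        return None
    hop = f"1.1 {my_id}"
    return f"{incoming_via}, {hop}" if incoming_via else hop


def simulate_self_peering(hops: int, my_id: str = MY_ID) -> Tuple[int, bool]:
    """Push one request through `hops` forwards where the chosen parent is
    always this same proxy (the localhost cache_peer case).

    Returns (forwards_completed, loop_detected).  With the Via check the
    request is stopped on its second arrival, after a single forward.
    """
    via: Optional[str] = None
    for n in range(hops):
        nxt = via_for_next_hop(via, my_id)
        if nxt is None:
            return n, True
        via = nxt
    return hops, False


if __name__ == "__main__":
    per_pass, rest = round_robin_shares(2, 10)
    for i, share in enumerate(per_pass, 1):
        print(f"pass {i:2d}: {float(share) * 100:8.4f}% reaches server1")
    print(f"still looping after 10 passes: {float(rest) * 100:.4f}%")
    print("self-peering with Via check:", simulate_self_peering(100))
```

Run it directly to print the series for ten passes and the point at which the Via check stops the self-forwarded request; the functions return plain values so the same checks can be made in a test.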

Re: Can cache_peer be localhost?

Peng Yu
>  client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat forever.

Is there a way to configure squid so that anything goes to 3128 will
directly go outside of the machine instead of going back to 3128
again, yet still let 3129 be forwarded to the local 3128 in the
round-robin fashion?

--
Regards,
Peng

Re: Can cache_peer be localhost?

Matus UHLAR - fantomas
>>  client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat forever.

On 17.02.18 10:45, Peng Yu wrote:
>Is there a way to configure squid so that anything goes to 3128 will
>directly go outside of the machine instead of going back to 3128
>again, yet still let 3129 be forwarded to the local 3128 in the
>round-robin fashion?

what is the point of sending the request to itself?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901

Re: Can cache_peer be localhost?

Yuri Voinov
Maybe it is assumed to be forwarding to parent proxy(-es)?


17.02.2018 23:22, Matus UHLAR - fantomas wrote:

>>>  client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat
>>> forever.
>
> On 17.02.18 10:45, Peng Yu wrote:
>> Is there a way to configure squid so that anything goes to 3128 will
>> directly go outside of the machine instead of going back to 3128
>> again, yet still let 3129 be forwarded to the local 3128 in the
>> round-robin fashion?
>
> what is the point to send the request to itself?
>
--
*****************************
* C++20 : Bug to the future *
*****************************




Re: Can cache_peer be localhost?

Matus UHLAR - fantomas
On 18.02.18 00:05, Yuri wrote:
>May be, assumed to forwarding to parent proxy(-es)?

according to the original post, it's a different port configured on the same squid
instance.

>17.02.2018 23:22, Matus UHLAR - fantomas wrote:
>>>>  client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat
>>>> forever.
>>
>> On 17.02.18 10:45, Peng Yu wrote:
>>> Is there a way to configure squid so that anything goes to 3128 will
>>> directly go outside of the machine instead of going back to 3128
>>> again, yet still let 3129 be forwarded to the local 3128 in the
>>> round-robin fashion?
>>
>> what is the point to send the request to itself?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
It's now safe to throw off your computer.

Re: Can cache_peer be localhost?

Yuri Voinov


18.02.2018 01:13, Matus UHLAR - fantomas wrote:
> On 18.02.18 00:05, Yuri wrote:
>> May be, assumed to forwarding to parent proxy(-es)?
>
> according to original post, it's different port configured on the same
> squid
> instance.
Ewwwwwww..... it seems like looping.

>
>> 17.02.2018 23:22, Matus UHLAR - fantomas wrote:
>>>>>  client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat
>>>>> forever.
>>>
>>> On 17.02.18 10:45, Peng Yu wrote:
>>>> Is there a way to configure squid so that anything goes to 3128 will
>>>> directly go outside of the machine instead of going back to 3128
>>>> again, yet still let 3129 be forwarded to the local 3128 in the
>>>> round-robin fashion?
>>>
>>> what is the point to send the request to itself?
>
--
*****************************
* C++20 : Bug to the future *
*****************************
