Re: Squid configuration problems

Re: Squid configuration problems

Henrik Nordström
On Fri 2007-05-11 at 14:42 +0100, seb wrote:

> On Fri, 2007-05-11 at 14:33 +0200, Henrik Nordstrom wrote:
> > The external_acl_type directive must go before any acl's trying to use
> > that helper.
>
> Thanks that stopped it from 'bungling'.
>
> Now when I try to access a website I get the following in the cache.log:
>
> 2007/05/11 14:15:48| Failed to select source for
> 'http://www.cdal.co.uk/'
> 2007/05/11 14:15:48|   always_direct = 0
> 2007/05/11 14:15:48|    never_direct = 1
> 2007/05/11 14:15:48|        timedout = 0

So what's your config now?

(I know you posted config details before, but memory is short..)

The error says that you are using never_direct and that there is no
cache_peer where the request may be forwarded..

Regards
Henrik


RE: Squid configuration problems

Seb Harrington
> So what's your config now?
>
> (I know you posted config details before, but memory is short..)
>
> The error says that you are using never_direct and that there is no
> cache_peer where the request may be forwarded..
>
> Regards
> Henrik

My cache_peers are set up as follows:

cache_peer students.local parent 8080 0 proxy-only no-query no-netdb-exchange no-digest
cache_peer staff.local parent 8081 0 proxy-only no-query no-netdb-exchange no-digest
cache_peer special.local parent 8082 0 proxy-only no-query no-netdb-exchange no-digest

My acls and cache_peer_access directives are as below:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

external_acl_type ntlm_group concurrency=0 children=5 ttl=0 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl special external ntlm_group it
acl staff external ntlm_group Staff
acl students external ntlm_group Students

acl ntlm_users proxy_auth REQUIRED

never_direct allow all

#cache_peer_access students.local allow all

cache_peer_access special.local allow special
cache_peer_access special.local deny all

cache_peer_access students.local allow students
cache_peer_access students.local deny all

cache_peer_access staff.local allow staff
cache_peer_access staff.local deny all  

http_access allow ntlm_users

When cache_peer_access students.local allow all is uncommented, the system works and all requests get passed through the students parent, so I guess there is a problem with the ntlm_group external acl.


Cheers,

Seb

RE: Squid configuration problems

Henrik Nordström
On Sun 2007-05-13 at 12:40 +0100, Seb Harrington wrote:

> acl special external ntlm_group it

> cache_peer_access special.local allow special

> When cache_peer_access students.local allow all uncommented the system
> works and all requests get passed through the students parent so I
> guess there is a problem with the ntlm_group external acl.

The problem is cache_peer_access. It can not wait for the lookup to
complete.

You can get almost there if you make http_access look up the acls, but
you still need a fallback peer occasionally as the result may expire
between http_access and peer selection.

http_access deny aclname !all

anywhere before where access is allowed.

Regards
Henrik

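
Added example, not part of the thread: the configuration posted above with the http_access pre-lookup from the last reply applied to each group acl that gates a parent. The ttl value, the choice of students.local as the fallback parent, and the cache_peer ordering are assumptions made for illustration.

```conf
# Added example (not from the thread), based on the config posted above.

# Assumption: with no-query parents, the first usable parent in config
# order is chosen, so the fallback parent is listed last.
cache_peer special.local  parent 8082 0 proxy-only no-query no-netdb-exchange no-digest
cache_peer staff.local    parent 8081 0 proxy-only no-query no-netdb-exchange no-digest
cache_peer students.local parent 8080 0 proxy-only no-query no-netdb-exchange no-digest

# Must appear before any acl that uses the helper.
# ttl=60 is a constructed value: the group result has to stay cached
# from the http_access check until the peer is selected.
external_acl_type ntlm_group concurrency=0 children=5 ttl=60 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl special external ntlm_group it
acl staff external ntlm_group Staff
acl ntlm_users proxy_auth REQUIRED

# http_access can wait for the helper; cache_peer_access cannot.
# "!all" never matches, so these lines deny nothing. They only force
# the group lookups so the results are cached before peer selection.
http_access deny special !all
http_access deny staff !all

http_access allow ntlm_users

never_direct allow all

cache_peer_access special.local allow special
cache_peer_access special.local deny all

cache_peer_access staff.local allow staff
cache_peer_access staff.local deny all

# Fallback parent (assumption: the most restricted path). It is used
# when neither group matches or a cached result has already expired,
# so a missed lookup lands on the least privileged parent instead of
# failing with "Failed to select source".
cache_peer_access students.local allow all
```

With this layout an authenticated user in neither group also goes through students.local, so that parent's policy should be the one you are willing to apply to everyone.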