Sibling peer cache not working, ver 3.5.27

Sibling peer cache not working, ver 3.5.27

leonyuuu
Hi, I got some problems working with squid when writing a network
experiment that involves squid-proxy. The topology looks something like
this:
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377850/experiment.png>

The basic idea of the topology is that two squid proxies were set to
interception mode and all the traffic from h0/h1 will be routed by r0's
static route to go either proxy0 or proxy1. And the firewall will only do
nat for requests to outside.

The experiment is carried out with linux netns and squid proxy setting is
something like this:
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377850/sreenshot1.png>

The basic experiment includes steps like this:
1, enable default static route of r0 to 192.168.1.128/25
2, post http request to static website from h0, get response from proxy0 with TCP_MISS
3, change default static route of r0 to 192.168.2.128.25
4, post same http request to static website from h0, get response from proxy1 with TCP_MISS(CACHE HIT expected)

When using tcpdump to listen to the interface that connects proxy0 and proxy1, I can see ICP queries for cache_digest for each other. But the proxy will not turn to the sibling when the sibling should have the cached object.

So I changed the never_direct directive to "never_direct allow all" for proxy1, and did the test again. It pops up with STATUS CODE 505 with error "X-squid-error: ERR_CANNOT_FORWARD 0"

Am I configuring squid wrong, so that it cannot forward requests to the siblings?



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: Sibling peer cache not working, ver 3.5.27

leonyuuu
Sent the unfinished mail accidentally. The body of the mail now is updated
from the original one.




Re: Sibling peer cache not working, ver 3.5.27

leonyuuu
In reply to this post by leonyuuu
For cache digest requests between two interception squid proxies, it will
actually display "forward loop detection" in the cache.log and the last Via
host for that query(cache-digest-db) is itself. So is it also the root cause
why the cache-miss forwarding between two proxies is not working? Since the
proxy1 actually never knows the cache digest content of proxy0.

Another question: why does the interception squid proxy append itself onto
the Via field of the request? It actually forwards the request in the iptables
PREROUTING phase, which is before the packet is accepted by the squid
program.





Re: Sibling peer cache not working, ver 3.5.27

Matus UHLAR - fantomas
In reply to this post by leonyuuu
On 10.12.19 17:36, leonyuuu wrote:
>Sent the unfinished mail accidentally. The body of the mail now is updated
>from the original one.

Don't do this.

This is not nabble, but the squid-users mailing list and I doubt people are
wanting to look at nabble's webpage to see what you have edited.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler

Re: Sibling peer cache not working, ver 3.5.27

Amos Jeffries
Administrator
In reply to this post by leonyuuu
On 11/12/19 5:47 pm, leonyuuu wrote:
> For cache digest requests between two interception squid proxies, it will
> actually display "forward loop detection" in the cache.log and the last Via
> host for that query(cache-digest-db) is itself. So is it also the root cause
> why the cache-miss forwarding between two proxies is not working?

You have set the "intercept" option on your proxies port 3128 line.

You have used port 3128 as the port the two proxies are communicating
with each other. This requires an explicit/forward proxy port.


I suggest leaving port 3128 for the normal proxying traffic and moving the
intercept and NAT rules to a randomly selected other port number. This
other port *must not* be able to receive traffic directly, only the
machine's NAT system and Squid may use it.


> Since the
> proxy1 actually never knows the cache digest content of proxy0.
>
> Another question, why the interception squid proxy will append itself onto
> the Via field of request?

To allow detection and debug analysis of exactly the mistake you have
made. That is the purpose of Via.


> It actually forward the request by iptables
> PREROUTING phase, which is before the packet is accepted by the squid
> program.
>

That idea is wrong. The digest exchange is between two proxies, which
know about each other - you configured the details of how they
communicate in cache_peer config lines.

Amos


Re: Sibling peer cache not working, ver 3.5.27

leonyuuu
Thanks Amos for quick response! It helps a lot in understanding the previous
logs like "forward proxy port not configured", and I adjusted my
configuration later today to do another test.

However, now the two proxies don't even send ICP/HTTP requests to each
other anymore for cache digest and the access.log (see below) shows there are
only queries on intercepted traffic.

<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377850/access.png>

My new configuration for proxy0:
    http_port 3128
    http_port 9999 intercept
    icp_access allow all
    icp_port 3130

    cache_peer 192.168.3.2 sibling 3128 3130
    cache_peer_access 192.168.3.2 allow all
    visible_hostname squid.host.1

Iptables configuration added for proxy0:
    # for inter-proxy traffic
    iptables -t nat -A PREROUTING -i veth20 -p tcp --dport 80 -j REDIRECT --to-port 3128
    # for intercepted traffic
    iptables -t nat -A PREROUTING -i veth12 -p tcp --dport 80 -j REDIRECT --to-port 9999

With tcpdump (see below) listening on the interface that connects the other
proxy, I can see there are established tcp connections between the two proxies,
is this traffic for netdb only? I am really wondering what could potentially
prevent the Cache Digest from being exchanged between siblings.

<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377850/tcpdump.png>

Thanks,
Leon




Re: Sibling peer cache not working, ver 3.5.27

leonyuuu
In reply to this post by Matus UHLAR - fantomas
Matus UHLAR - fantomas wrote

> On 10.12.19 17:36, leonyuuu wrote:
>>Sent the unfinished mail accidentally. The body of the mail now is updated
>>from the original one.
>
> Don't do this.
>
> This is not nabble, but the squid-users mailing list and I doubt people
> are wanting to look at nabble's webpage to see what you have edited.

Thanks Matus for replying. I am new here and just forgot that this channel
was mainly for mailing-list usage at that time, please forgive me for doing
that.





Re: Sibling peer cache not working, ver 3.5.27

Matus UHLAR - fantomas
In reply to this post by leonyuuu
On 11.12.19 22:04, leonyuuu wrote:

>Thanks Amos for quick response! It helps a lot in understanding the previous
>logs like "forward proxy port not configured", and I adjusted my
>configuration later today to do another test.
>
>However, now the two proxies even doesn't send ICP/HTTP request to each
>other anymore for cache digest and the access.log(see below) shows there are
>only queries on intercepted traffic.
>
><http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377850/access.png>
>
>My new configuration for proxy0:
>    http_port 3128
>    http_port 9999 intercept
>    icp_access allow all
>    icp_port 3130
>
>    cache_peer 192.168.3.2 sibling 3128 3130
>    cache_peer_access 192.168.3.2 allow all
>    visible_hostname squid.host.1
>
>Iptables configuration added for proxy0:
>    // for inter-proxy trafic
>    "iptables -t nat -A PREROUTING -i veth20 --dport 80 -j REDIRECT
>--to-port 3128"

you don't need to and should not redirect inter-proxy traffic from port 80
to 3128.
the sibling proxy explicitly sends HTTP traffic to port 3128.
better remove this rule.

>    // for intercepted traffic
>    "iptables -t nat -A PREROUTING -i veth12 --dport 80 -j REDIRECT
>--to-port 9999"
>
>With tcpdump(see below) listening on the interface that connects the other
>proxy, I can see there are established tcp connections between two proxies,
>is this traffic for netdb only? I am really wondering what could potentially
>prevent from the Cache Digest being exchanged between siblings.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!
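
The port split discussed in the two replies above can be checked mechanically. The following is an added example, not code from the thread or from the Squid project: a small Python linter that flags a `cache_peer` HTTP port that is not a forward-proxy port on the sibling, a REDIRECT rule that targets a non-intercept port, and an intercept port that clients can still reach directly. The sample configurations are constructed from what the posts describe, the sibling is assumed to mirror proxy0, and the mangle-table DROP rule is this example's assumed way of keeping direct traffic off the intercept port (mangle PREROUTING is traversed before the nat REDIRECT).

```python
import shlex
def http_ports(conf):
    """Split http_port lines into (forward, intercept) port sets."""
    forward, intercept = set(), set()
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 2 and tok[0] == "http_port":
            port = int(tok[1].rsplit(":", 1)[-1])  # "3128" or "ip:3128"
            (intercept if "intercept" in tok[2:] else forward).add(port)
    return forward, intercept

def opt(tokens, *names):
    """Value that follows the first matching option name, or None."""
    for name in names:
        if name in tokens[:-1]:
            return tokens[tokens.index(name) + 1]

def lint(conf, sibling_conf, rules):
    """Findings for one proxy; `rules` are its iptables command lines."""
    findings = []
    _, intercept = http_ports(conf)
    sibling_forward, _ = http_ports(sibling_conf)
    for tok in (line.split() for line in conf.splitlines()):
        # cache_peer <host> <type> <http-port> <icp-port>
        if len(tok) >= 4 and tok[0] == "cache_peer" and int(tok[3]) not in sibling_forward:
            findings.append(f"cache_peer port {tok[3]} is not a forward-proxy port on the sibling")
    guarded = set()
    for tok in map(shlex.split, rules):
        table, target = opt(tok, "-t") or "filter", opt(tok, "-j")
        to, dport = opt(tok, "--to-port", "--to-ports"), opt(tok, "--dport")
        if table == "nat" and target == "REDIRECT" and to and int(to) not in intercept:
            findings.append(f"REDIRECT to {to}, which is not an intercept port")
        elif table == "mangle" and target == "DROP" and dport:
            guarded.add(int(dport))  # direct connections to this port are dropped
    for port in sorted(intercept - guarded):
        findings.append(f"intercept port {port} has no mangle-table DROP guard")
    return findings

# Constructed samples modelled on the thread; the sibling is assumed to mirror proxy0.
ORIGINAL = "http_port 3128 intercept\ncache_peer 192.168.3.2 sibling 3128 3130\n"
POSTED = "http_port 3128\nhttp_port 9999 intercept\ncache_peer 192.168.3.2 sibling 3128 3130\n"
REDIRECT = "iptables -t nat -A PREROUTING -i {} -p tcp --dport 80 -j REDIRECT --to-port {}"
GUARD = "iptables -t mangle -A PREROUTING -p tcp --dport 9999 -j DROP"
ORIGINAL_RULES = [REDIRECT.format("veth12", 3128)]
POSTED_RULES = [REDIRECT.format("veth20", 3128), REDIRECT.format("veth12", 9999)]
FIXED_RULES = [GUARD, REDIRECT.format("veth12", 9999)]
if __name__ == "__main__":
    for conf, rules in [(ORIGINAL, ORIGINAL_RULES), (POSTED, POSTED_RULES), (POSTED, FIXED_RULES)]:
        print(lint(conf, conf, rules))
```

The linter only understands single-port `--to-port` values and plain `http_port` lines, which is all the configuration in this thread uses.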
|

Re: Sibling peer cache not working, ver 3.5.27

leonyuuu
Matus UHLAR - fantomas wrote
> On 11.12.19 22:04, leonyuuu wrote:
>>Thanks Amos for quick response! It helps a lot in understanding the previous
>>logs like "forward proxy port not configured", and I adjusted my
>>configuration later today to do another test.
>>
>>However, now the two proxies even doesn't send ICP/HTTP request to each
>>other anymore for cache digest and the access.log(see below) shows there are
>>only queries on intercepted traffic.
>>
>><http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377850/access.png>
>>
>>My new configuration for proxy0:
>>    http_port 3128
>>    http_port 9999 intercept
>>    icp_access allow all
>>    icp_port 3130
>>
>>    cache_peer 192.168.3.2 sibling 3128 3130
>>    cache_peer_access 192.168.3.2 allow all
>>    visible_hostname squid.host.1
>>
>>Iptables configuration added for proxy0:
>>    // for inter-proxy trafic
>>    "iptables -t nat -A PREROUTING -i veth20 --dport 80 -j REDIRECT
>>--to-port 3128"
>
> you don't need to and should not redirect inter-proxy traffic from port 80
> to 3128.
> the sibling proxy explicitly sends HTTP traffic to port 3128.
> better remove this rule.

Yes, the http request for digest is heading for 3128 by default.

But now I become more confused why the Cache Digest is not working at all.
My checklist for enabling Cache Digest:
1. build option with "enable-cache-digest"
2. cache_peer setting for both proxies, server port and ICP port
3. cache_peer_access allow http traffic
4. veth pair setup for both application
5. route table configuration for inter-proxy traffic

Please correct me if I miss anything.




Re: Sibling peer cache not working, ver 3.5.27

leonyuuu
I looked into some aspects of the cache-digest, and I found there are
some aspects that I may have missed when designing the experiment.

Item 16.10 in the following Squid FAQ says that the peer's cache-digest is stored
on disk. If cache storage on disk is a "must" for cache-digest, then I
could have a problem in designing the experiment since I haven't turned on
the disk_dir directive in configuration.

http://www.comfsm.fm/computing/squid/FAQ-6.html



