Website bypass with always-direct


patrick.lanot@inserm.fr-2
Howdy,

I'm trying to use always-direct, but maybe I'm doing something wrong.
I have:

acl local-servers dstdomain www.myweb.eu
always_direct allow local-servers

but the website still appears in the logs, and not doing bypass.
What could I be doing wrong?
For what I see in the docs it's correct.

Thanks in advance,


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Website bypass with always-direct

Amos Jeffries
Administrator
On 14/12/17 05:52, Jorge Bastos wrote:

> Howdy,
>
> I'm trying to use always-direct, but maybe I'm doing something wrong.
> I have:
>
> acl local-servers dstdomain www.myweb.eu
> always_direct allow local-servers
>
> but the website still appears in the logs, and not doing bypass.
> What could I be doing wrong?
> For what I see in the docs it's correct.

Your understanding of the docs is wrong.

Once a message arrives at Squid it *cannot* "bypass the proxy" or
whatever you want to call it. It MUST be serviced by the proxy.

"always_direct allow ..." tells Squid to always use DIRECT access to the
origin server IPs indicated in DNS records for the URL being fetched.
Squid is prohibited from using any cache_peer server connection to
service that transaction.

Its counterpart is the "never_direct allow ..." which tells Squid DNS
records MUST NOT be considered, only cache_peer connections are permitted.

If both of those are "denied" (aka both DNS and cache_peer are
permitted) the prefer_direct setting tells Squid whether to try the
cache_peer or the DIRECT IPs first.


The cache_peer_access controls which peers (from multiple) are permitted
(or not) to be used for a given transaction.

Amos

Re: Website bypass with always-direct

patrick.lanot@inserm.fr-2

On 2017-12-13 17:12, Amos Jeffries wrote:

> On 14/12/17 05:52, Jorge Bastos wrote:
>> Howdy,
>>
>> I'm trying to use always-direct, but maybe I'm doing something wrong.
>> I have:
>>
>> acl local-servers dstdomain www.myweb.eu
>> always_direct allow local-servers
>>
>> but the website still appears in the logs, and not doing bypass.
>> What could I be doing wrong?
>> For what I see in the docs it's correct.
>
> Your understanding of the docs is wrong.
>
> Once a message arrives at Squid it *cannot* "bypass the proxy" or whatever you want to call it. It MUST be serviced by the proxy.
>
> "always_direct allow ..." tells Squid to always use DIRECT access to the origin server IPs indicated in DNS records for the URL being fetched. Squid is prohibited from using any cache_peer server connection to service that transaction.
>
> Its counterpart is the "never_direct allow ..." which tells Squid DNS records MUST NOT be considered, only cache_peer connections are permitted.
>
> If both of those are "denied" (aka both DNS and cache_peer are permitted) the prefer_direct setting tells Squid whether to try the cache_peer or the DIRECT IPs first.
>
> The cache_peer_access controls which peers (from multiple) are permitted (or not) to be used for a given transaction.

Hi Amos,

Sorry for the dup, it was my fantastic email client's fault (Outlook 2016).

Ok, so what would be the directive to allow what I want to achieve? I've been trying and having no success.




Re: Website bypass with always-direct

Alex Rousskov
On 12/13/2017 04:10 PM, Jorge Bastos wrote:
> On 2017-12-13 17:12, Amos Jeffries wrote:
>> On 14/12/17 05:52, Jorge Bastos wrote:

>>> I'm trying to use always-direct, [...]
>>> but the website still appears in the logs, and not doing bypass.
>>> What could I be doing wrong?
>>> For what I see in the docs it's correct.


>> Your understanding of the docs is wrong.
>>
>> Once a message arrives at Squid it *cannot* "bypass the proxy" or
>> whatever you want to call it. It MUST be serviced by the proxy.


> Ok, so what would be the directive to allow what I want to achieve?


What do you want to achieve?

Earlier, you implied that you do not want to see a request in Squid
logs. As Amos has said, Squid cannot "unsee" the transaction: Once the
transaction reaches Squid, Squid will handle it (forward, block, delay,
mangle, log, etc.). If you want Squid to not see a transaction, then all
the solutions will be outside of Squid and its directives. Please
explain what you want with this fact in mind.

Alex.

Re: Website bypass with always-direct

patrick.lanot@inserm.fr-2
Alex,

>> Ok, so what would be the directive to allow what I want to achieve?
>
> What do you want to achieve?
>
> Earlier, you implied that you do not want to see a request in Squid logs. As
> Amos has said, Squid cannot "unsee" the transaction: Once the transaction
> reaches Squid, Squid will handle it (forward, block, delay, mangle, log,
> etc.). If you want Squid to not see a transaction, then all the solutions
> will be outside of Squid and its directives. Please explain what you want
> with this fact in mind.

It's what I want,
I thought squid would be able to do that bypass!
I have to do it with iptables then,


Re: Website bypass with always-direct

Vacheslav
What if we think from the heart?

-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Jorge Bastos
Sent: Thursday, December 14, 2017 1:22 PM
To: 'Alex Rousskov' <[hidden email]>; [hidden email]
Subject: Re: [squid-users] Website bypass with always-direct

Alex,

>> Ok, so what would be the directive to allow what I want to achieve?
>
> What do you want to achieve?
>
> Earlier, you implied that you do not want to see a request in Squid logs. As Amos has said, Squid cannot "unsee" the transaction: Once the transaction reaches Squid, Squid will handle it (forward, block, delay, mangle, log, etc.). If you want Squid to not see a transaction, then all the solutions will be outside of Squid and its directives. Please explain what you want with this fact in mind.

It's what I want,
I thought squid would be able to do that bypass!
I have to do it with iptables then,


Re: Website bypass with always-direct

Antony Stone
In reply to this post by patrick.lanot@inserm.fr-2
On Thursday 14 December 2017 at 11:21:52, Jorge Bastos wrote:

> Alex,
>
> > > Ok, so what would be the directive to allow what I want to achieve?
> >
> > What do you want to achieve?
> >
> > Earlier, you implied that you do not want to see a request in Squid logs.
> > As Amos has said, Squid cannot "unsee" the transaction: Once the
> > transaction reaches Squid, Squid will handle it (forward, block, delay,
> > mangle, log, etc.). If you want Squid to not see a transaction, then all
> > the solutions will be outside of Squid and its directives. Please explain
> > what you want with this fact in mind.
>
> It's what I want,
> I thought squid would be able to do that bypass!
> I have to do it with iptables then,

1. What type of accesses do you want to avoid having in the Squid logs (and
incidentally, why - what's wrong with these requests going through Squid)?

2. The only way I can think of you being able to do this with Squid would be
to set up a hierarchy - one "front-end" Squid server which does no caching
(I'm assuming this is part of what you want to achieve), and then either does
"direct" accesses to the origin server (for the requests you don't want Squid
to process), or "parent" accesses to the "back-end" caching Squid server, for
the ones you are happy to go through Squid.  You then regard the "back-end"
server as your "real Squid server" and treat the "front-end" machine as just a
way of routing the requests according to your rules.

3. Is the thing you are really trying to achieve "not having the requests show
up in Squid's log files" or "not being processed by Squid"?  What's the reason
for whichever one this is - what is the problem with the way things are
working now which you are trying to solve?


Antony.

--
Python is executable pseudocode.
Perl is executable line noise.

                                                   Please reply to the list;
                                                         please *don't* CC me.
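
The directives Amos describes, combined into the front-end configuration Antony outlines in point 2, as an added example that is not part of any post in this thread. The peer name backend.example.internal and port 3128 are assumed placeholders, www.myweb.eu is the domain from the original question, and http_access rules are omitted.

```conf
# squid.conf fragment for the "front-end" Squid (added example).
# backend.example.internal is a placeholder for the back-end caching Squid.

http_port 3128

# The front-end stores nothing; the back-end is the "real" cache.
cache deny all

# Back-end caching proxy, used as a parent. no-query disables ICP queries.
cache_peer backend.example.internal parent 3128 0 no-query default

# Domain from the original question.
acl local-servers dstdomain www.myweb.eu

# Requests for this domain go DIRECT to the origin server IPs found in DNS.
# Squid may not use any cache_peer for them.
always_direct allow local-servers

# Every other request must use a cache_peer; DNS-derived origin IPs are
# not considered. always_direct is evaluated before never_direct.
never_direct allow all

# Which requests may be sent to this particular peer.
cache_peer_access backend.example.internal deny local-servers
cache_peer_access backend.example.internal allow all

# prefer_direct only applies to requests for which both always_direct and
# never_direct are denied. With the rules above no request is in that state.
# prefer_direct off

# Requests for www.myweb.eu are still received, processed and logged by
# this front-end Squid. They only skip the back-end peer.
```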