Although squid.conf has changed over the years and some adjustments have been made, I am using, in essence, the same relatively simple squid.conf file that I used in the mid-nineties. The last significant change was to support load-balanced sibling servers. This wasn't a major change as it was implemented primarily through JavaScript changes to proxy.pac.

To implement new policies foisted on us by the corporate ethics committee, HR, and legal counsel, I need to force internal Squid servers to relay requests to a Squid server at the corporate security perimeter. On one of the internal Squid proxies, I created an ACL and the following never_direct statement.

    acl GDAIS .gd-ais.com
    never_direct allow !GDAIS

While this seemed to work for web sites that weren't in the GD-AIS.COM domain, I could no longer access content from any web servers that were in the domain. In the cache.log, I found the following error message.

    Failed to select source for `http://...'

These were followed by state flags(?) for always_direct, never_direct, and timeout. One question that I have is what are the meanings of the states?

    always_direct = -1
    always_direct = 0
    never_direct = 1
    timeout = 1
    timeout = 0

What is the interaction between 'cache_peer_domain' and 'never_direct'? I had, apparently, implemented something similar to 'never_direct' years ago using 'cache_peer_domain'. This defined which Squid proxy server should be used to access content on our internal WAN and appears to create a conflict with 'never_direct'.

Finally, do the rules for origin servers also apply to Squid proxies? The error messages displayed in the browser seem to indicate that is the case.

Merton Campbell Crockett