Although squid.conf has changed over the years and some adjustments have
been made, I am using, in essence, the same relatively simple squid.conf
file that I used in the mid-nineties.  The last significant change was to
support load-balanced sibling servers.  This wasn't a major change as it
was implemented primarily through JavaScript changes to proxy.pac.

To implement new policies foisted on us by the corporate ethics committee,
HR, and legal counsel, I need to force internal Squid servers to relay
requests to a Squid server at the corporate security perimeter.
 
On one of the internal Squid proxies, I created an ACL and the following 
never_direct statement.

        acl GDAIS .gd-ais.com
        never_direct allow !GDAIS

While this seemed to work for web sites that weren't in the GD-AIS.COM
domain, I could no longer access content from any web servers that were in 
the domain.  In the cache.log, I found the following error message.

        Failed to select source for `http://...'

These were followed by state flags(?) for always_direct, never_direct, and 
timeout.  One question that I have is what are the meanings of the states?

        always_direct = -1      always_direct = 0
         never_direct = 1
              timeout = 1             timeout = 0

What is the interaction between 'cache_peer_domain' and 'never_direct'?  I 
had, apparently, implemented something similar to 'never_direct' years ago 
using 'cache_peer_domain'.  This defined which Squid proxy server should 
be used to access content on our internal WAN and appears to create a 
conflict with 'never_direct'.

Finally, do the rules for origin servers also apply to Squid proxies?  The 
error messages displayed in the browser seem to indicate that is the case.

Merton Campbell Crockett
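
A simplified model of how never_direct, always_direct and cache_peer_domain combine when Squid chooses where to forward a request, added here as an illustration and not taken from the post or from Squid's source. The peer names and hosts are constructed, and each directive is reduced to a single dstdomain-style predicate (an assumption of this model).

```python
from dataclasses import dataclass, field

def dst_match(host, pattern):
    """dstdomain-style match: '.gd-ais.com' covers the domain and its subdomains."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

@dataclass
class Peer:
    name: str                                     # hypothetical peer name
    domains: list = field(default_factory=list)   # cache_peer_domain entries

    def accepts(self, host):
        if not self.domains:                      # no entries: usable for every request
            return True
        allowed = False
        for entry in self.domains:                # first matching entry decides
            negated, pattern = entry.startswith("!"), entry.lstrip("!")
            if dst_match(host, pattern):
                return not negated
            allowed = negated                     # no match: opposite of this entry
        return allowed

def select_sources(host, peers, never_direct, always_direct=lambda h: False):
    """Candidate sources in order; an empty list models 'Failed to select source'."""
    if always_direct(host):
        return ["DIRECT"]                         # peers are bypassed entirely
    sources = [p.name for p in peers if p.accepts(host)]
    if not never_direct(host):
        sources.append("DIRECT")                  # going to the origin is still permitted
    return sources

is_gdais = lambda h: dst_match(h, ".gd-ais.com")
# Constructed peers: one reserved for the internal WAN, one at the perimeter.
wan = Peer("wan-proxy", [".gd-ais.com"])
perimeter = Peer("perimeter-proxy", ["!.gd-ais.com"])

if __name__ == "__main__":
    for host in ("intranet.gd-ais.com", "www.example.org"):
        # never_direct allow !GDAIS, as in the post, with both peers configured
        print(host, select_sources(host, [wan, perimeter], lambda h: not is_gdais(h)))
        # never_direct for every request, with only the perimeter peer configured
        print(host, select_sources(host, [perimeter], lambda h: True))
```

In this model a request is left with no source whenever never_direct matches it and every configured peer is excluded by its cache_peer_domain entries.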


