Thiago Cruz wrote:
I had forgotten to negate ICP, but I've inserted it now.

I made a workaround for this ICAP problem but I must have another ICAP
server just for filtering these no authentication sites and
unfortunately it isn't a good solution.

Any Idea?

Sorry, I mis-spelled the quote.
You said earlier before I joined the thread that you "when I negate ICAP for some ACL it bypass cache_peer too" (cut-n-paste this time :-)


I must be going blind. An idea just occurs to me:

   always_direct allow sites_no_authentication
means bypass any peers and go direct for 'sites_no_authentication'

   never_direct allow all
means NOTHING can go direct, use peer or fail.

If this idea is right, then the always_direct is kicking all the peer logics aside and forcing it to go direct before the never_direct gets tested.

Try this:
  always_direct deny sites_no_authentication

or remove the line and finish with:
    always_direct deny all

Amos
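
The evaluation order suggested in the reply above, as an added example that is not part of the original thread: a small Python model that reads the always_direct / never_direct lines and reports whether a request matching a given set of ACLs goes direct or to the cache_peer. The function names are hypothetical; it assumes Squid's usual access-list semantics (first matching line wins, ACLs on one line are ANDed, and the implicit default is the opposite of the last line).

```python
# Added example (not from the thread): models Squid's direct-vs-peer choice.

def parse_rules(conf, directive):
    """Return [(action, [acl, ...]), ...] for one access directive, in file order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == directive and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return rules

def check(rules, matching):
    """First matching rule wins; ACLs on one line are ANDed; '!' negates.
    If nothing matches, the answer is the opposite of the last rule."""
    def hit(acl):
        if acl.startswith("!"):
            return not hit(acl[1:])
        return acl == "all" or acl in matching
    for action, acls in rules:
        if all(hit(a) for a in acls):
            return action == "allow"
    return bool(rules) and rules[-1][0] == "deny"

def route(conf, matching):
    """always_direct is tested before never_direct, as the reply supposes."""
    if check(parse_rules(conf, "always_direct"), matching):
        return "direct"   # cache_peer is skipped
    if check(parse_rules(conf, "never_direct"), matching):
        return "peer"     # must use cache_peer or fail
    return "either"

# Forwarding rules as posted in the thread.
POSTED = """
always_direct allow sites_no_authentication
always_direct allow JAVA-SUN
always_direct allow INTRANET
always_direct allow CONNECT
never_direct allow all
"""
# Same rules with the first line changed as suggested in the reply.
SUGGESTED = POSTED.replace("always_direct allow sites_no_authentication",
                           "always_direct deny sites_no_authentication")

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, route(conf, {"sites_no_authentication"}), route(conf, {"INTRANET"}))
```
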



[]'s
Thiago Cruz

On 10/8/07, Amos Jeffries <[EMAIL PROTECTED]> wrote:
Of course not, here it is:
Thank you. Everything looks normal to me.
What do you do to "negate ICP for some ACL"?

Amos

+++++++++++++++++++++++++++++++++++
http_port 8080
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
visible_hostname cacheteste.hm
cache_log /var/log/squid/cache.log
cache_store_log none
debug_options ALL,1

memory_replacement_policy lru
logformat squidmime_extended %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %ul %Sh/%<A %mt

cache_access_log /var/log/squid/access.log squidmime_extended

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 80

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 3
auth_param basic realm HM
auth_param basic credentialsttl 2 hours

external_acl_type NTGroup children=80 ttl=3600 negative_ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl PURGE method PURGE

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl squid-stat src 172.17.6.126/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl INTRANET dstdomain .hm .hm.com.br
acl USERS_ALLOW external NTGroup @HM_USUARIOS
acl sites_no_authentication url_regex "/etc/squid/sites_no_authentication"
acl JAVA-SUN browser -i java

http_access allow PURGE localhost
http_access deny PURGE

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
deny_info BC_Safe_ports Safe_ports

http_access deny CONNECT !SSL_ports
deny_info BC_not_SSL_ports SSL_ports

http_access allow sites_no_authentication
http_access allow JAVA-SUN
http_access deny TERMO
deny_info BC_TERMO TERMO
http_access allow INTRANET
http_access allow all USERS_ALLOW
http_access deny all
deny_info BC_ACESSO_NEGADO all

always_direct allow sites_no_authentication
always_direct allow JAVA-SUN
always_direct allow INTRANET
always_direct allow CONNECT

never_direct allow all

cache_effective_user squid
cache_effective_group squid

err_html_text mailto:[EMAIL PROTECTED]

coredump_dir /usr/local/squid/var/cache
forwarded_for on

icap_enable on
icap_preview_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod

icap_class filtro_url service_1 service_2

icap_access filtro_url deny sites_no_authentication
icap_access filtro_url allow USERS_ALLOW

icap_access filtro_url deny all

cache_peer 172.17.205.106 parent 8088 7 no-query no-delay no-digest default
+++++++++++++++++++++++++++++++++++

Although I have one server only for tests, the debug mode is too big.
But if it's necessary should I post it here?

Thanks
Thiago Cruz

On 10/8/07, Amos Jeffries <[EMAIL PROTECTED]> wrote:
Thiago Cruz wrote:
Hello H. Nordstrom,

I had already read that but unfortunately it didn't work. For some
reason when I negate ICAP for some ACL it bypass cache_peer too.
Most weird. Would you mind posting the related config both negated and
non-negated for comparison?


Debug all 9 could help us?
Possibly. It will generate a LOT of data for even moderate server load.
I'd suggest starting at 5-6 to peek where the problems might be, then
raise a particular section.

Amos


On 10/6/07, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
On fre, 2007-10-05 at 19:05 -0300, Thiago Cruz wrote:
I solved the problem which squid wasn't sending respmod using Squid3
RC1, but I have another problem, when I don't want to use ICAP (acl
sites_no_authentication), the squid bypass the cache peer too. Is
there some way to force it to use cache_peer?
Squid FAQ How do I configure Squid forward all requests to another
proxy?

<url:http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-c050a0a0382c01fbfb9da7e9c18d58bafd4eb027>
Regards
Henrik




