Re: [squid-users] [squid-2.7STABLE6-1] Problem RPC via HTTPS [SOLVED]

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 12 Aug 2009 16:58:20 +1200

hdyugoplastika hdyugoplastika wrote:
>
> I have solved!!!
>
> There was one error on the RPC client side (my stupid type of error on the user),
> and this is the final configuration (with load balancing on cache_peer):
>
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> acl QUERY urlpath_regex cgi-bin \?
> acl QUERY urlpath_regex ARSystem.css
> acl QUERY urlpath_regex LocalizedMessages_it.js
>
> no_cache deny QUERY
>
> acl xxxx src 192.168.55.0/24
> acl xxxx src 10.221.121.0/24
> acl easy_bb src xxx.xxx.64.0/19
> acl easy_bb src xxx.xxx.224.0/19
> acl easy_bb src xxx.xxx.16.0/20
> acl easy_bb src xxx.xxx.81.0/24
> acl easy_bb src xxx.xxx.87.0/24
> acl easy_bb src xxx.xxx.26.0/24
> acl easy_bb src xxx.xxx.144.0/20
> acl easy_bb src xxx.xxx.240.0/20
>
> acl access_mail urlpath_regex -i "/etc/squid/users/access_mail.txt"
> acl access_url url_regex -i "/etc/squid/url_valid.txt"
>
> acl acl_pfa dstdomain webmail.XXXxxx.it
>
> http_access deny easy_bb
>
> http_access allow xxxx
> http_access allow access_mail
> http_access allow access_url
>
> http_access allow localhost
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow all
>
> ssl_unclean_shutdown on
>
> http_port 80 transparent
>
> https_port 10.223.247.201:443 accel vhost cert=/etc/squid/cert/wm.XXXxxx.it.cert key=/etc/squid/cert/wm.XXXxxx.it.private.key cafile=/etc/squid/cert/cafile.cert defaultsite=webmail.XXXxxx.it
>
> cache_peer mi1exprom1.nf.xxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS
> cache_peer mi2exprom2.nf.xxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS
> cache_peer mi1exprom2.nf.xxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS
> cache_peer mi2exprom1.nf.xxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS
>

As per my original statement: do not use sourcehash round-robin

Why? Because they are competing methods of selection:

  sourcehash - ensures that every client IP is softly 'tagged' to a
certain peer for all of its requests.

  round-robin - ensures that a different server peer is chosen on every
single request.

Bad things occur if this is gotten wrong. Constant login popups are not
unusual with RPC/OWA mistakes.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
Received on Wed Aug 12 2009 - 04:58:26 MDT
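As an added audit check (not part of the thread and not Squid's own code), a small Python script that parses cache_peer lines and flags the two points the quoted config and Amos's reply raise: more than one peer-selection algorithm on a single line, and sslflags=DONT_VERIFY_PEER, which turns off certificate verification of the origin peer. The sample configuration is constructed from the posted lines plus one corrected peer; the algorithm list beyond sourcehash and round-robin is taken from Squid's cache_peer documentation, so the check generalizes past the two options in the thread.

```python
# Peer-selection algorithms accepted on a Squid cache_peer line. The thread
# covers sourcehash and round-robin; the others come from the cache_peer
# documentation. Only one of them can steer selection, so two on the same
# line means they compete, which is the misconfiguration Amos points out.
SELECTION_ALGORITHMS = {"round-robin", "weighted-round-robin", "carp",
                        "sourcehash", "userhash"}

# Constructed sample: two peers as posted in the thread (sourcehash plus
# round-robin, DONT_VERIFY_PEER) and one corrected peer for contrast.
SAMPLE_CONF = """
cache_peer mi1exprom1.nf.xxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS
cache_peer mi2exprom2.nf.xxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS
cache_peer fixed.nf.xxxxXXX.it parent 443 0 ssl proxy-only no-query no-digest front-end-https=on sourcehash originserver login=PASS
"""


def parse_cache_peers(conf):
    """Return (host, options) for every cache_peer directive in conf."""
    peers = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = line.split()
        # cache_peer <host> <type> <http_port> <icp_port> [options...]
        if len(fields) < 5 or fields[0] != "cache_peer":
            continue
        peers.append((fields[1], fields[5:]))
    return peers


def audit_cache_peers(conf):
    """Return (host, problem) findings: conflicting selection algorithms
    on one line, and peers whose TLS certificate is never verified."""
    findings = []
    for host, options in parse_cache_peers(conf):
        chosen = sorted(o for o in options if o in SELECTION_ALGORITHMS)
        if len(chosen) > 1:
            findings.append((host, "conflicting selection: " + " ".join(chosen)))
        for opt in options:
            if opt.startswith("sslflags="):
                flags = opt.split("=", 1)[1].split(",")
                if "DONT_VERIFY_PEER" in flags:
                    findings.append((host, "peer certificate not verified (DONT_VERIFY_PEER)"))
    return findings


if __name__ == "__main__":
    for host, problem in audit_cache_peers(SAMPLE_CONF):
        print(f"{host}: {problem}")
```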
