Here are some debug logs from FwdState which handles digest request.

172.22.13.210 – original squid
172.22.8.145 – sibling squid
127.0.0.1:18070 – parent

As you can see it uses connection to parent for this request (reusing pconn local=127.0.0.1:44120 remote=127.0.0.1:18070 FD 16 flags=1) which is probably a bug.

2016/12/29 15:57:41.121| 17,3| FwdState.cc(332) Start: ' http://172.22.8.145:3128/squid-internal-periodic/store_digest'
2016/12/29 15:57:41.121| 17,2| FwdState.cc(133) FwdState: Forwarding client request , url=http://172.22.8.145:3128/squid-internal-periodic/store_digest
2016/12/29 15:57:41.121| 17,3| FwdState.cc(387) startConnectionOrFail: http://172.22.8.145:3128/squid-internal-periodic/store_digest
2016/12/29 15:57:41.121| 17,3| FwdState.cc(806) connectStart: fwdConnectStart: http://172.22.8.145:3128/squid-internal-periodic/store_digest
2016/12/29 15:57:41.121| 17,3| FwdState.cc(875) connectStart: reusing pconn local=127.0.0.1:44120 remote=127.0.0.1:18070 FD 16 flags=1
2016/12/29 15:57:41.121| 17,3| FwdState.cc(908) dispatch: : Fetching GET http://172.22.8.145:3128/squid-internal-periodic/store_digest
2016/12/29 15:57:41.124| 17,3| FwdState.cc(447) unregister: http://172.22.8.145:3128/squid-internal-periodic/store_digest
2016/12/29 15:57:41.124| 17,2| FwdState.cc(655) handleUnregisteredServerEnd: self=0x1450738*2 err=0 http://172.22.8.145:3128/squid-internal-periodic/store_digest

And peer_select logs:

2016/12/29 16:12:41.843| 44,3| peer_select.cc(137) peerSelect: e:=IWV/0x148bae0*2 http://172.22.8.145:3128/squid-internal-periodic/store_digest
2016/12/29 16:12:41.843| 44,3| peer_select.cc(441) peerSelectFoo: GET 172.22.8.145
2016/12/29 16:12:41.843| 44,3| peer_select.cc(446) peerSelectFoo: peerSelectFoo: direct = DIRECT_UNKNOWN (always_direct to be checked)
2016/12/29 16:12:41.844| 44,3| peer_select.cc(194) peerCheckAlwaysDirectDone: peerCheckAlwaysDirectDone: DENIED
2016/12/29 16:12:41.844| 44,3| peer_select.cc(441) peerSelectFoo: GET 172.22.8.145
2016/12/29 16:12:41.844| 44,3| peer_select.cc(454) peerSelectFoo: peerSelectFoo: direct = DIRECT_UNKNOWN (never_direct to be checked)
2016/12/29 16:12:41.844| 44,3| peer_select.cc(171) peerCheckNeverDirectDone: peerCheckNeverDirectDone: ALLOWED
2016/12/29 16:12:41.844| 44,3| peer_select.cc(177) peerCheckNeverDirectDone: direct = DIRECT_NO (never_direct allow)
2016/12/29 16:12:41.844| 44,3| peer_select.cc(441) peerSelectFoo: GET 172.22.8.145
2016/12/29 16:12:41.844| 44,3| peer_select.cc(110) peerSelectIcpPing: peerSelectIcpPing: http://172.22.8.145:3128/squid-internal-periodic/store_digest
2016/12/29 16:12:41.844| 44,3| peer_select.cc(121) peerSelectIcpPing: peerSelectIcpPing: counted 0 neighbors
2016/12/29 16:12:41.844| 44,3| peer_select.cc(685) peerGetSomeParent: GET 172.22.8.145
2016/12/29 16:12:41.844| 44,3| peer_select.cc(709) peerGetSomeParent: peerSelect: FIRSTUP_PARENT/127.0.0.1
2016/12/29 16:12:41.844| 44,5| peer_select.cc(938) peerAddFwdServer: peerAddFwdServer: adding 127.0.0.1 FIRSTUP_PARENT
2016/12/29 16:12:41.844| 44,5| peer_select.cc(938) peerAddFwdServer: peerAddFwdServer: adding 127.0.0.1 ANY_OLD_PARENT
2016/12/29 16:12:41.844| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: http://172.22.8.145:3128/squid-internal-periodic/store_digest' via 127.0.0.1
2016/12/29 16:12:41.844| 44,2| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: http://172.22.8.145:3128/squid-internal-periodic/store_digest' via 127.0.0.1
2016/12/29 16:12:41.844| 44,2| peer_select.cc(280) peerSelectDnsPaths: Found sources for ' http://172.22.8.145:3128/squid-internal-periodic/store_digest'
2016/12/29 16:12:41.844| 44,2| peer_select.cc(281) peerSelectDnsPaths: always_direct = DENIED
2016/12/29 16:12:41.844| 44,2| peer_select.cc(282) peerSelectDnsPaths: never_direct = ALLOWED
2016/12/29 16:12:41.844| 44,2| peer_select.cc(292) peerSelectDnsPaths: cache_peer = local=0.0.0.0 remote=127.0.0.1:18070 flags=1
2016/12/29 16:12:41.844| 44,2| peer_select.cc(292) peerSelectDnsPaths: cache_peer = local=0.0.0.0 remote=127.0.0.1:18070 flags=1
2016/12/29 16:12:41.844| 44,2| peer_select.cc(295) peerSelectDnsPaths: timedout = 0
2016/12/29 16:12:41.844| 44,3| peer_select.cc(79) ~ps_state: http://172.22.8.145:3128/squid-internal-periodic/store_digest

On Thu, Dec 29, 2016 at 2:21 PM, Ivan Larionov <xeron.os...@gmail.com> wrote:

> Thank you for helping.
>
> After some experiments and tcpdumping it looks like it's not sibling
> sending request to the parent, but original squid!
>
> So instead of asking sibling about his digests squid asks parent.
>
> And your trick with urlpath_regex didn't help. I even tried:
>
> acl internal_digest urlpath_regex +i /.*store_digest.*/
> always_direct allow internal_digest
> never_direct deny internal_digest
>
> but no luck. It still asks parent.
>
>
> On Thu, Dec 29, 2016 at 1:00 AM, Amos Jeffries <squ...@treenet.co.nz>
> wrote:
>
>> On 2016-12-29 20:51, Ivan Larionov wrote:
>>
>>> I'm sure about forwarding because I see requests to
>>> http://172.22.15.88:3128/squid-internal-periodic/store_digest [1] in
>>> parent logs and my parent returns 502 because we do not allow requests
>>> to internal IPs. Logs from the parent:
>>>
>>> Got request: GET
>>> http://172.22.15.88:3128/squid-internal-periodic/store_digest
>>> Not allowing blacklisted IP 172.22.15.88
>>> GET http://172.22.15.88:3128/squid-internal-periodic/store_digest 502
>>> 0ms
>>>
>>> I do not have "global_internal_static off" in my config and also I'm
>>> able to get
>>> http://172.22.15.88:3128/squid-internal-periodic/store_digest [1]
>>> using curl or telnet (with telnet I do "GET
>>> /squid-internal-periodic/store_digest" – note relative URL).
>>>
>>
>> Okay, that's good.
>>
>>
>>> However according to debug logs squid does this request using absolute
>>> URL which probably works if target sibling can do direct requests (so
>>> it will request itself for digest and return response to original
>>> squid). But I do have "never_direct allow all" which probably makes
>>> sibling to forward such request to a parent.
>>>
>>
>> Hmm, I think you might be right about that.
>> You can test it by adding:
>>
>> acl foo urlpath_regex +i /squid.internal.digest/
>> never_direct deny foo
>>
>>
>>
>>> If my theory about absolute vs relative URL is correct then I believe
>>> original squid should make store_digest request using relative URL
>>> (like I can do with telnet) so sibling squid will return response
>>> right away w/o asking itself for result.
>>>
>>
>> What's happening with the URL is that the sending peer generates it from
>> the cache_peer IP/host name and port.
>>
>> The receiving peer checks the path starts with "/squid-internal-" and that
>> the hostname portion matches its own visible_hostname or unique_hostname.
>> If those match it's marked for special handling as an internal request,
>> otherwise global_internal_static is used to determine if the hostname not
>> matching is ignored and it gets marked anyway.
>>
>> Since the digest needs to be targeted at the specific peer and not
>> anything which may inject itself in between them the hostname does need to
>> be sent. The relative URLs are for things that don't vary between proxies,
>> like the Squid icons.
>>
>> If you configure cache_peer with the hostname of the receiving peer
>> instead of its raw-IP the requests should be sent with that hostname
>> instead of raw-IP.
>>
>>
>>
>> The config looks okay. Thanks for that.
>>
>> Amos
>>
>>
>
>
> --
> With best regards, Ivan Larionov.
>

--
With best regards, Ivan Larionov.

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
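
Added example (not part of the original messages and not Squid's own code): the check done by eye on the FwdState log above, automated in Python. It flags any `/squid-internal-` URL whose connection `remote=` differs from the host:port in the URL. The function name is hypothetical, the sample lines are an excerpt of the log quoted in this thread, and it assumes one request's section-17 lines are not interleaved with another's and that addresses are IPv4 or hostnames.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the FwdState debug log quoted in this thread, embedded so the
# example runs offline.
SAMPLE_LOG = """\
2016/12/29 15:57:41.121| 17,3| FwdState.cc(387) startConnectionOrFail: http://172.22.8.145:3128/squid-internal-periodic/store_digest
2016/12/29 15:57:41.121| 17,3| FwdState.cc(806) connectStart: fwdConnectStart: http://172.22.8.145:3128/squid-internal-periodic/store_digest
2016/12/29 15:57:41.121| 17,3| FwdState.cc(875) connectStart: reusing pconn local=127.0.0.1:44120 remote=127.0.0.1:18070 FD 16 flags=1
"""

START_RE = re.compile(r"fwdConnectStart: (\S+)")
REMOTE_RE = re.compile(r"connectStart: .*\bremote=(\S+)")
INTERNAL_PREFIX = "/squid-internal-"


def find_misrouted_internal(log_text):
    """Return (url, remote) pairs where an internal URL was sent to another host:port."""
    findings = []
    pending = None  # most recent internal URL seen in a fwdConnectStart line
    for line in log_text.splitlines():
        if "FwdState.cc" not in line:
            continue
        started = START_RE.search(line)
        if started:
            url = started.group(1)
            is_internal = urlsplit(url).path.startswith(INTERNAL_PREFIX)
            pending = url if is_internal else None
            continue
        connected = REMOTE_RE.search(line)
        if connected and pending:
            parts = urlsplit(pending)
            expected = f"{parts.hostname}:{parts.port or 80}"
            if connected.group(1) != expected:
                # Internal request left via a different peer (here: the parent).
                findings.append((pending, connected.group(1)))
            pending = None
    return findings


if __name__ == "__main__":
    for url, remote in find_misrouted_internal(SAMPLE_LOG):
        print(f"internal request {url} was sent to {remote}")
```
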