Re: [squid-users] Squid 2.5STABLE3 Questions[Scanned]

From: Merton Campbell Crockett <mcc@dont-contact.us>
Date: Sun, 14 Sep 2003 20:44:00 -0700 (PDT)

On Mon, 15 Sep 2003, Henrik Nordstrom wrote:

> On Thursday 31 July 2003 16.07, Merton Campbell Crockett wrote:
>
> > The document could be retrieved by setting allow-miss for the
> > parent in the first proxy.
>
> If you need to specify allow-miss in the cache_peer line then either
> this cache_peer line is configured as a sibling, or you are using
> neighbor_type_domain to mess around with your mesh. The allow-miss
> directive only makes a difference on sibling relations.
>
> The only case where these messages are given back to the user is if
> the proxy the user talks to can not find any path to the requested
> resource:
>
> * Can not reach the resource directly, and only siblings available
>
> * The available parents do not allow http_access AND miss_access.

Henrik:

Thanks for your response. I think you responded to my message once before
but several crises intervened and I didn't respond to your earlier reply.

Basically, the problem involves a hierarchical structure where a squid
parent cache is the sibling of a squid cache that serves the target. In
this particular instance, the squid "parent of last resort" had a sibling
relationship with a squid cache running on the same system as the web server
for the target url.

Given a set of network enclaves each with a squid cache that are linked by
encrypted virtual circuits, what is the most appropriate way to define the
relationships between the caches? A part of the problem is that you want to
minimize the number of encrypted hops that the data must traverse. The
topology of the network may be a bus, a ring, or a mesh. Each enclave does
not have full and complete knowledge of the network topology.

A further complication is that this network crosses corporate boundaries and
cannot provide "backdoor" access into the host corporation's internal web
content. Only the "parent of last resort" with access to the Internet at
the corporate security boundary can always go direct. All other squid
caches can only go direct to targets in their local enclave. Basically,
squid is being used to enforce a security policy.

Merton Campbell Crockett

-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc@CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=fax,work:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
Received on Sun Sep 14 2003 - 21:50:09 MDT
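
Added example, not part of the original message and not the poster's configuration: a squid.conf fragment for the policy described above, where an enclave cache may go direct only to local targets and everything else must travel through a peer, together with the two access lists the quoted reply names on the parent. All host names, domains, addresses and ports are constructed placeholders.

```conf
# --- squid.conf on an enclave cache (constructed; names are placeholders) ---
acl all src 0.0.0.0/0.0.0.0
acl local_enclave dstdomain .enclave-a.example

# Go direct only to targets inside this enclave; any other request
# must be forwarded to a peer. always_direct is evaluated first.
always_direct allow local_enclave
never_direct allow all

# A parent gives non-local requests a forward path: misses are fetched
# through it.
cache_peer last-resort.example parent 3128 3130 default

# A sibling is only asked for objects it already holds. If this were the
# only cache_peer line, a non-local miss would have no path at all and
# the user would receive the error page. allow-miss changes behaviour
# only on a sibling line like this one, not on the parent line above.
cache_peer cache.enclave-b.example sibling 3128 3130

# --- squid.conf on the parent (constructed) ---
acl all src 0.0.0.0/0.0.0.0
acl child_caches src 192.0.2.10/32

# The parent has to permit the child cache in BOTH lists; allowing
# http_access while denying miss_access still leaves the child without
# a usable parent for misses.
http_access allow child_caches
http_access deny all
miss_access allow child_caches
miss_access deny all
```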