On 07/10/10 21:02, mohd hafiz wrote:
> On Wed, Oct 6, 2010 at 8:52 PM, Amos Jeffries wrote:
>> On 07/10/10 00:53, mohd hafiz wrote:
>>>
>>> On Wed, Oct 6, 2010 at 6:54 PM, Amos Jeffries wrote:
>>>>
>>>> On 06/10/10 22:55, mohd hafiz wrote:
>>>>>
>>>>>
>>>>> thanks for fast respon,
>>>>>
>>>>> my squid will have to operate in network up and down. it will just do
>>>>> normal operation when the network is up. When the network is down,
>>>>> squid will intercept all request from client and point it to local
>>>>> server. i write a perl script to do the redirection.
>>>>
>>>> No need for that. redirect is automatic by prefer_direct. The local
>>>> server
>>>> just needs to accept the random domains passed to it by Squid.
>>>>
>>> you means i did not need the perl script? i used the perl script in
>>> url_rewrite program /etc/squid/redirect.pl.
>>>
>>
>> Yes I mean you don't need to do that. See below.
>>
>>>
>>>>> i have configure my cache_peer to:
>>>>>
>>>>> cache_peer example.com 3128 3130 default
>>>>
>>>> example.com being your "local server". Is that another proxy or a web
>>>> server? The answer will determine whether you use port 3128/3130 or 80/0.
>>>>
>>> example.com is my web server
>>
>> Then you need to use:
>> cache_peer example.com 80 0 default
>>
> i miss the type(parent, sibling, multicast) after hostname. can i
> write cache_peer example.com parent 80 0 default?
>
Sorry my mistake. Yes the type needs to be there.
>>>>>
>>>>> and enable
>>>>>
>>>>> prefer_direct on
>>>>>
>>>>> but the browser still tried to reach the internet. it takes a few
>>>>> minutes to resolve to my local page. any advised?
>>>>
>>>> Are you doing WCCP, NAT interception or transparent proxy?
>>>>
>>> i'm doing transparent proxy
>>>
>>>> If yes,
>>>> the browser will be attempting and failing its own DNS to go direct to
>>>> the
>>>> Internet Squid cannot help here. Connectivity failover with a proxy is
>>>> not
>>>> easily compatible with interception.
>>>>
>>> is squid cannot function when the network is down? i know that squid
>>
>> Due to transparent proxy, the problem is not in Squid.
>>
>> Right at the very start the web browser does its own DNS thinking it has to
>> contact the Internet itself. This first DNS fails and the browser presents
>> the "unable to resolve" page. The request never gets near Squid to pass to
>> the peer.
>>
>> If you have a local resolver which is still relaying results to the browser
>> the request will possibly get to Squid where things continue as desired. Any
>> DNS delay will be doubled or tripled.
>>
>>
>> Configure the browser to pass requests directly to the proxy. The browser
>> will then start by passing the request to Squid. From there your Squid
>> failover config has control.
>>
> Does i need to configure each browser to pass request to squid? Can it
> be done by the iptables at the server side. i want it transparent to
> the user.
You can use WPAD methods to setup the browsers in bulk with little or no
user knowledge. They only need to set the browser to the "auto-detect"
setting if it's not already defaulting to that.
If you want to get really tricky you can start intercepting DNS going to
servers outside your networks and pointing them at a recursive resolver
under your own control. The success of this depends on whether the
client software is doing DNSSEC or other security measures on their DNS
replies.
>>>
>>> will do a dns lookup at the startup. squid will not start if it fails
>>> dns lookup. i have tried to disable the internal dns lookup and still
>>> problem exists. is there any way to solve this?
>>
>> Disabling the internal DNS resolver only switches to using an old slower
>> external resolver process.
>>
>> Squid requires DNS when it has to process a squid.conf entry from a name to
>> an IP. Such as names in src/dst ACLs. Using IP addresses there will help
>> avoiding DNS on startup.
> i'm using ip for my acl setup. for example : acl lan src
> 129.34.4.0/32; is there other place i need to use IP adress to avoid
> DNS on startup? or how can i avoiding DNS on startup?
Only the -D that I can recall...
>>
>> Older Squid needed the -D command line option to prevent tests of the
>> configured nameservers. And visible_hostname to prevent looking up its
>> hostname rDNS.
>> Newer Squid have dropped the -D and related tests, and their
>> visible_hostname will failover to "localhost" instead of stopping.
>>
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.8 Beta testers wanted for 3.2.0.2Received on Thu Oct 07 2010 - 08:21:47 MDT
This archive was generated by hypermail 2.2.0 : Fri Oct 15 2010 - 12:00:03 MDT