viccross / ansible-playbooks

My collection of Ansible playbooks for various tasks (dominated by Openshift, currently)
Apache License 2.0

Squid configuration for upstream proxy needs work #28

Open viccross opened 3 years ago

viccross commented 3 years ago

When an upstream proxy is defined using cache-peer the proper ACLs for instructing Squid to use it are not set. This results in every request being rejected with HTTP/503. This was probably the real reason behind the connection rejects logged in #6 .

The full definition will require an ACL to identify the local clients to be permitted, plus selectors to permit them, like this:

acl localhosts dstdomain .ocp-z-poc.wsc.ibm
. . .
cache_peer 10.2.55.220 parent 3128 0 no-query no-digest
cache_peer_domain 10.2.55.220 !.ocp-z-poc.wsc.ibm
never_direct deny localhosts
never_direct allow all

This definition is working on the test system in Sydney.

viccross commented 3 years ago

The main issue with these is that

The config for the upstream proxy needs to include all or none of these statements.

viccross commented 3 years ago

See also #35 which requests post-restore enablement of the upstream proxy if build does not require it but restoration does (e.g. END-build FastVM restore in SYD).

viccross commented 2 months ago

The template for squid.conf is incorrect now that the support for multiple RHOCP clusters is in place. The acl localhosts definition currently uses {{ cluster_domain_name }} which at best will be incorrect and at worst will be unset. Later in the file {{ cluster_base_domain }} is used and this should be a better option.
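A check for the all-or-none rule described in this thread, written as an added example that is not part of the viccross/ansible-playbooks repository: it lints a rendered squid.conf and reports when cache_peer is present but the local-domain ACL, the cache_peer_domain exclusion or the never_direct deny/allow pair is missing or names a different domain. The sample configs are constructed from the definition in the first comment; the function name is an assumption.

```python
"""Consistency check for the upstream-proxy block of a rendered squid.conf.
Added example, not code from the viccross/ansible-playbooks repository: once
cache_peer is present, the dstdomain ACL, the cache_peer_domain exclusion and
the never_direct deny/allow pair must all exist and name the same domain."""
import shlex

# Constructed sample: the working definition from the issue.
SAMPLE_OK = """\
acl localhosts dstdomain .ocp-z-poc.wsc.ibm
cache_peer 10.2.55.220 parent 3128 0 no-query no-digest
cache_peer_domain 10.2.55.220 !.ocp-z-poc.wsc.ibm
never_direct deny localhosts
never_direct allow all
"""
# Constructed sample of the bug: cache_peer without selectors -> every request gets HTTP 503.
SAMPLE_BROKEN = "cache_peer 10.2.55.220 parent 3128 0 no-query no-digest\n"

def parse(conf):
    """Yield (directive, args) for each non-comment line of a squid.conf."""
    for line in conf.splitlines():
        words = shlex.split(line.split("#", 1)[0])
        if words:
            yield words[0], words[1:]

def check_upstream_proxy(conf):
    """Return a list of problems; an empty list means consistent (or no peer at all)."""
    d = list(parse(conf))
    peers = [a[0] for n, a in d if n == "cache_peer"]
    if not peers:
        return []  # no upstream proxy, so none of the selector statements is required
    problems = []
    acls = {a[0]: set(a[2:]) for n, a in d if n == "acl" and len(a) > 2 and a[1] == "dstdomain"}
    excluded = {}  # peer host -> domains the peer must NOT be used for
    for n, a in d:
        if n == "cache_peer_domain":
            excluded.setdefault(a[0], set()).update(x[1:] for x in a[1:] if x.startswith("!"))
    denied = set()  # domains that never_direct deny keeps away from the peer
    for n, a in d:
        if n == "never_direct" and a[0] == "deny":
            denied |= acls.get(a[1], set())
    for host in peers:
        if not excluded.get(host):
            problems.append(f"cache_peer {host}: missing cache_peer_domain exclusion")
        elif excluded[host] != denied:
            problems.append(f"cache_peer {host}: exclusion does not match never_direct deny")
    if not denied:
        problems.append("missing 'never_direct deny <acl>' naming a defined dstdomain acl")
    if ("never_direct", ["allow", "all"]) not in d:
        problems.append("missing 'never_direct allow all'")
    return problems
```

Running it against the broken sample lists the three missing statements, which is the state that produced the HTTP 503 responses in the first comment.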